GNU bug report logs - #78302
[PATCH] Update nginx to 1.27.5, and add QUIC support [security-fixes]

Package: guix-patches;

Reported by: Ashish SHUKLA <ashish.is <at> lostca.se>

Date: Wed, 7 May 2025 19:36:02 UTC

Severity: normal

Tags: patch

To reply to this bug, email your comments to 78302 AT debbugs.gnu.org.



Report forwarded to guix-patches <at> gnu.org:
bug#78302; Package guix-patches. (Wed, 07 May 2025 19:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ashish SHUKLA <ashish.is <at> lostca.se>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 07 May 2025 19:36:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ashish SHUKLA <ashish.is <at> lostca.se>
To: guix-patches <at> gnu.org
Cc: Ashish SHUKLA <ashish.is <at> lostca.se>
Subject: [PATCH] Update nginx to 1.27.5, and add QUIC support [security-fixes]
Date: Wed,  7 May 2025 21:35:10 +0200

This patch updates nginx to 1.27.5, and adds another package
"nginx-http3" for HTTP3/QUIC support[0].

References:
[0] https://issues.guix.gnu.org/77536

Ashish SHUKLA (3):
  gnu: nginx: Update to 1.27.5. [security fixes]
  gnu: nginx-documentation: Update to 1.27.5.
  gnu: Add nginx-http3.

 gnu/packages/web.scm | 56 +++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 50 insertions(+), 6 deletions(-)


base-commit: 295a35ba20257e965c4eba8488de99fce7bf027f
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78302; Package guix-patches. (Wed, 07 May 2025 19:38:02 GMT) Full text and rfc822 format available.

Message #8 received at 78302 <at> debbugs.gnu.org (full text, mbox):

From: Ashish SHUKLA <ashish.is <at> lostca.se>
To: 78302 <at> debbugs.gnu.org
Cc: Ashish SHUKLA <ashish.is <at> lostca.se>
Subject: [PATCH 1/3] gnu: nginx: Update to 1.27.5. [security fixes]
Date: Wed,  7 May 2025 21:37:12 +0200

This release includes a fix for CVE-2025-23419.

* gnu/packages/web.scm (nginx): Update to 1.27.5.

Change-Id: I45e89fc97a3536843e5af80ffb072db705fb3f84
---
 gnu/packages/web.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index b3f998aca9..df7d376d9a 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -565,14 +565,14 @@ (define-public nginx
     ;; Track the ‘mainline’ branch.  Upstream considers it more reliable than
     ;; ’stable’ and recommends that “in general you deploy the NGINX mainline
     ;; branch at all times” (https://www.nginx.com/blog/nginx-1-6-1-7-released/)
-    (version "1.27.3")
+    (version "1.27.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://nginx.org/download/nginx-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "00vrkdx0a6fpy8n0n7m9xws0dfa7dbb9pqnh3jv3c824ixbaj8xs"))))
+                "03nxfik3f7lj9lnj71nm1h7q26xsxhr1ppf302hbhv9akjxwwsp9"))))
     (build-system gnu-build-system)
     (inputs (list libxcrypt libxml2 libxslt openssl pcre zlib))
     (arguments
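Review bot: the bump at `(version "1.27.5")` goes from 1.27.3 past an intermediate release, while the commit message names only CVE-2025-23419. Please say in the commit message which upstream release carries that fix and whether the skipped release brings other security-relevant changes, so the "[security fixes]" tag can be checked against upstream's changelog. The new `base32` value cannot be verified from the diff alone, so it would also help to note how it was obtained, for example from a tarball whose upstream signature was checked before hashing.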
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78302; Package guix-patches. (Wed, 07 May 2025 19:38:02 GMT) Full text and rfc822 format available.

Message #11 received at 78302 <at> debbugs.gnu.org (full text, mbox):

From: Ashish SHUKLA <ashish.is <at> lostca.se>
To: 78302 <at> debbugs.gnu.org
Cc: Ashish SHUKLA <ashish.is <at> lostca.se>
Subject: [PATCH 2/3] gnu: nginx-documentation: Update to 1.27.5.
Date: Wed,  7 May 2025 21:37:13 +0200

* gnu/packages/web.scm (nginx-documentation): Update to 1.27.5.

Change-Id: I2cb7f9c67284e509cc7b21653882593ad2321324
---
 gnu/packages/web.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index df7d376d9a..cab378e582 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -663,9 +663,9 @@ (define-public nginx
 
 (define-public nginx-documentation
   ;; This documentation should be relevant for the current nginx package.
-  (let ((version "1.27.3")
-        (revision 3156)
-        (changeset "5c6ef6def8bc"))
+  (let ((version "1.27.5")
+        (revision 3198)
+        (changeset "5b736526489f"))
     (package
       (name "nginx-documentation")
       (version (simple-format #f "~A-~A-~A" version revision changeset))
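Review bot: the `version` bound in this `let` is a second hard-coded copy of the nginx version, although the comment directly above says the documentation should be relevant for the current nginx package. Consider deriving it from `(package-version nginx)` so the two cannot drift apart on the next bump. The `changeset` is an abbreviated 12-character id, so the sha256 updated in the following hunk is what actually pins the content; it should be recomputed from a fresh checkout of that changeset.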
@@ -677,7 +677,7 @@ (define-public nginx-documentation
                (file-name (string-append name "-" version))
                (sha256
                 (base32
-                 "09wdvgvsr7ayjz3ypq8qsm12idb9z626j5ibmknc8phm10gh8cgk"))))
+                 "04qbi7rczv28k4ainnvnv7xxf48jmh5ydxpnlzr4zdpkl7fjz0j3"))))
       (build-system gnu-build-system)
       (arguments
        '(#:tests? #f                    ; no test suite
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78302; Package guix-patches. (Wed, 07 May 2025 19:38:03 GMT) Full text and rfc822 format available.

Message #14 received at 78302 <at> debbugs.gnu.org (full text, mbox):

From: Ashish SHUKLA <ashish.is <at> lostca.se>
To: 78302 <at> debbugs.gnu.org
Cc: Ashish SHUKLA <ashish.is <at> lostca.se>
Subject: [PATCH 3/3] gnu: Add nginx-http3.
Date: Wed,  7 May 2025 21:37:14 +0200

This package uses boringssl for QUIC support in nginx.

* gnu/packages/web.scm: Add nginx-http3.

Change-Id: I05348d57d5fcd4be661c3500b186df5e05f24160
---
 gnu/packages/web.scm | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index cab378e582..b4b33fa2f4 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -123,6 +123,7 @@ (define-module (gnu packages web)
   #:use-module (gnu packages build-tools)
   #:use-module (gnu packages certs)
   #:use-module (gnu packages check)
+  #:use-module (gnu packages cmake)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages cpp)
   #:use-module (gnu packages crates-crypto)
@@ -712,6 +713,49 @@ (define-public nginx-documentation
        "This package provides HTML documentation for the nginx web server.")
       (license license:bsd-2))))
 
+(define-public nginx-http3
+  (let* ((boringssl-commit "864a235afcf4d2575b1eab8de96fbf0d84f6cda9")
+         (boringssl (origin
+                      (method git-fetch)
+                      (uri
+                        (git-reference
+                          (url "https://boringssl.googlesource.com/boringssl")
+                          (commit boringssl-commit)))
+                      (file-name (git-file-name "boringssl" boringssl-commit))
+                      (sha256 (base32 "0ayd3519zyrwn9ccmlch3j7qvkg80az7z278n2vhrrl977dakyny")))))
+    (package
+      (inherit nginx)
+      (name "nginx-http3")
+      (inputs
+        (modify-inputs (package-inputs nginx)
+          (replace "openssl" boringssl)))
+      (native-inputs
+        (modify-inputs (package-native-inputs nginx)
+          (append cmake-minimal)))
+      (arguments
+        (substitute-keyword-arguments (package-arguments nginx)
+          ((#:phases phases #~(list))
+           #~(modify-phases #$phases
+               (add-before 'configure 'build-boringssl
+                 (lambda* (#:key inputs parallel-build? #:allow-other-keys)
+                   (mkdir-p "boringssl-build")
+                   (let ((boringssl-build-dir (string-append (getcwd) "/boringssl-build")))
+                     (with-directory-excursion (assoc-ref inputs "openssl")
+                       (invoke "cmake" (string-append "-B" boringssl-build-dir)
+                               "-DCMAKE_BUILD_TYPE=RelWithDebInfo")
+                       (invoke "make" "-C" boringssl-build-dir
+                         (string-append "-j"
+                           (if parallel-build?
+                               (number->string (parallel-job-count))
+                               "1")))))))))
+
+          ((#:configure-flags flags #~(list))
+           #~(cons* "--with-http_v3_module"
+                    (string-append "--with-cc-opt=-I"
+                      (assoc-ref %build-inputs "openssl") "/include")
+                    (string-append "--with-ld-opt=-Lboringssl-build -lstdc++")
+                    #$flags)))))))
+
 (define-public nginx-accept-language-module
   ;; Upstream has never made a release; use current commit instead.
   (let ((commit "2f69842f83dac77f7d98b41a2b31b13b87aeaba7")
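Review bot: in the `let*` of `nginx-http3`, BoringSSL is brought in as a bare `origin` under the input label "openssl" and compiled inside the `build-boringssl` phase, so the TLS library is bundled into this one package at a pinned commit and any BoringSSL security update needs its own bump here. A standalone `boringssl` package used as the input would keep it auditable and updatable on its own, and would avoid a label that says "openssl" while pointing at different sources. The default in `(#:phases phases #~(list))` should be `#~%standard-phases`, since an empty list is not a usable base for `modify-phases` if the parent ever stops setting `#:phases`. The package inherits nginx's synopsis, description and license unchanged; please override them to state that this variant is built against BoringSSL and to cover its license. Minor: the `string-append` around the single `--with-ld-opt=...` string is redundant, and there is a stray blank line before the `#:configure-flags` clause.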
-- 
2.49.0





This bug report was last modified 7 days ago.
