From: Landry Breuil <landry@openbsd.org>
Subject: nginx 1.28.1
To: ports@openbsd.org, robert@openbsd.org
Date: Wed, 24 Dec 2025 09:42:41 +0100

hi,

update for nginx, released yesterday, folds in the smtp fix
for CVE-2025-53859 that was already in patches.

cf http://nginx.org/en/CHANGES-1.28

ok ?
? nginx-1.18.0.diff
? nginx-mjs.diff
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/nginx/Makefile,v
diff -u -r1.197 Makefile
--- Makefile	1 Nov 2025 11:16:43 -0000	1.197
+++ Makefile	24 Dec 2025 08:40:39 -0000
@@ -19,10 +19,7 @@
 COMMENT-stream=		nginx TCP/UDP proxy module
 COMMENT-xslt=		nginx XSLT filter module
 
-VERSION=	1.28.0
-REVISION=	2
-REVISION-mailproxy=	3
-REVISION-njs=	4
+VERSION=	1.28.1
 DISTNAME=	nginx-${VERSION}
 CATEGORIES=	www
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/nginx/distinfo,v
diff -u -r1.93 distinfo
--- distinfo	24 Jul 2025 23:20:36 -0000	1.93
+++ distinfo	24 Dec 2025 08:40:39 -0000
@@ -4,7 +4,7 @@
 SHA256 (leev-ngx_http_geoip2_module-3.4.tar.gz) = rXL8IzSNcVozCZSYRTH6ubNgbhYEgyNnN/mkppV9lFI=
 SHA256 (nbs-system-naxsi-d714f1636ea49a9a9f4f06dba14aee003e970834.tar.gz) = 2+IXdBFFfxy6mO5Gc84xh2mUrQa9zl7MDuZjhO8OQg4=
 SHA256 (nginx-1.20.1-chroot.patch) = SS1TB0j8N4/dn5pUTGT6WvkN3aAUuKz5+R0Nt+MG0gk=
-SHA256 (nginx-1.28.0.tar.gz) = xrXGsIbA3508o/9eCEwdDvkJ5gOCecccHD6YX1dv92o=
+SHA256 (nginx-1.28.1.tar.gz) = QOegkW0SHokF71Dypzi2dVmeQrIiSlgt2ThgP+0VeI4=
 SHA256 (nginx-modules-ngx_http_hmac_secure_link_module-48c4625fbbf51ed5a95bfec23fa444f6c3702e50.tar.gz) = ZXpA2rODS1enIREzlD1OqWwpWcv3NOUXH4eUOgOAmqg=
 SHA256 (nginx-njs-0.9.1.tar.gz) = YTZe6mnGhi/IpbXfUxUDrklJn2vNWvkySWuEhQooJKQ=
 SHA256 (openresty-headers-more-nginx-module-v0.34.tar.gz) = DA0s7SzolbP0XrKyMM2QUIqyp3MpnxU94UpD5EwSCbM=
@@ -17,7 +17,7 @@
 SIZE (leev-ngx_http_geoip2_module-3.4.tar.gz) = 8877
 SIZE (nbs-system-naxsi-d714f1636ea49a9a9f4f06dba14aee003e970834.tar.gz) = 237272
 SIZE (nginx-1.20.1-chroot.patch) = 8783
-SIZE (nginx-1.28.0.tar.gz) = 1280111
+SIZE (nginx-1.28.1.tar.gz) = 1282057
 SIZE (nginx-modules-ngx_http_hmac_secure_link_module-48c4625fbbf51ed5a95bfec23fa444f6c3702e50.tar.gz) = 6159
 SIZE (nginx-njs-0.9.1.tar.gz) = 966480
 SIZE (openresty-headers-more-nginx-module-v0.34.tar.gz) = 28827
Index: patches/patch-src_mail_ngx_mail_handler_c
===================================================================
RCS file: patches/patch-src_mail_ngx_mail_handler_c
diff -N patches/patch-src_mail_ngx_mail_handler_c
--- patches/patch-src_mail_ngx_mail_handler_c	19 Aug 2025 11:16:17 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,127 +0,0 @@
-https://nginx.org/download/patch.2025.smtp.txt
-
-Index: src/mail/ngx_mail_handler.c
---- src/mail/ngx_mail_handler.c.orig
-+++ src/mail/ngx_mail_handler.c
-@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_conn
- ngx_int_t
- ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
- {
--    u_char     *p, *last;
-+    u_char     *p, *pos, *last;
-     ngx_str_t  *arg, plain;
- 
-     arg = s->args.elts;
-@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connect
-         return NGX_MAIL_PARSE_INVALID_COMMAND;
-     }
- 
--    s->login.data = p;
-+    pos = p;
- 
-     while (p < last && *p) { p++; }
- 
-@@ -565,7 +565,8 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connect
-         return NGX_MAIL_PARSE_INVALID_COMMAND;
-     }
- 
--    s->login.len = p++ - s->login.data;
-+    s->login.len = p++ - pos;
-+    s->login.data = pos;
- 
-     s->passwd.len = last - p;
-     s->passwd.data = p;
-@@ -583,24 +584,26 @@ ngx_int_t
- ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
-     ngx_uint_t n)
- {
--    ngx_str_t  *arg;
-+    ngx_str_t  *arg, login;
- 
-     arg = s->args.elts;
- 
-     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
-                    "mail auth login username: \"%V\"", &arg[n]);
- 
--    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
--    if (s->login.data == NULL) {
-+    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
-+    if (login.data == NULL) {
-         return NGX_ERROR;
-     }
- 
--    if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) {
-+    if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) {
-         ngx_log_error(NGX_LOG_INFO, c->log, 0,
-             "client sent invalid base64 encoding in AUTH LOGIN command");
-         return NGX_MAIL_PARSE_INVALID_COMMAND;
-     }
- 
-+    s->login = login;
-+
-     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
-                    "mail auth login username: \"%V\"", &s->login);
- 
-@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ng
- ngx_int_t
- ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
- {
--    ngx_str_t  *arg;
-+    ngx_str_t  *arg, passwd;
- 
-     arg = s->args.elts;
- 
-@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ng
-                    "mail auth login password: \"%V\"", &arg[0]);
- #endif
- 
--    s->passwd.data = ngx_pnalloc(c->pool,
--                                 ngx_base64_decoded_length(arg[0].len));
--    if (s->passwd.data == NULL) {
-+    passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
-+    if (passwd.data == NULL) {
-         return NGX_ERROR;
-     }
- 
--    if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) {
-+    if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) {
-         ngx_log_error(NGX_LOG_INFO, c->log, 0,
-             "client sent invalid base64 encoding in AUTH LOGIN command");
-         return NGX_MAIL_PARSE_INVALID_COMMAND;
-     }
- 
-+    s->passwd = passwd;
-+
- #if (NGX_DEBUG_MAIL_PASSWD)
-     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
-                    "mail auth login password: \"%V\"", &s->passwd);
-@@ -674,23 +678,25 @@ ngx_int_t
- ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c)
- {
-     u_char     *p, *last;
--    ngx_str_t  *arg;
-+    ngx_str_t  *arg, login;
- 
-     arg = s->args.elts;
- 
-     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
-                    "mail auth cram-md5: \"%V\"", &arg[0]);
- 
--    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
--    if (s->login.data == NULL) {
-+    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
-+    if (login.data == NULL) {
-         return NGX_ERROR;
-     }
- 
--    if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) {
-+    if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) {
-         ngx_log_error(NGX_LOG_INFO, c->log, 0,
-             "client sent invalid base64 encoding in AUTH CRAM-MD5 command");
-         return NGX_MAIL_PARSE_INVALID_COMMAND;
-     }
-+
-+    s->login = login;
- 
-     p = s->login.data;
-     last = p + s->login.len;