All of lore.kernel.org
 help / color / mirror / Atom feed
* [meta-webserver][PATCH] apache2: update to version 2.4.25
@ 2016-12-21 23:38 Derek Straka
  2017-01-11 13:52 ` Brian Hutchinson
  0 siblings, 1 reply; 3+ messages in thread
From: Derek Straka @ 2016-12-21 23:38 UTC (permalink / raw)
  To: openembedded-devel

Signed-off-by: Derek Straka <derek@asterius.io>
---
 ...2-native_2.4.23.bb => apache2-native_2.4.25.bb} |  4 ++--
 .../apache2/apache2/cve-2016-5387.patch            | 25 ----------------------
 .../{apache2_2.4.23.bb => apache2_2.4.25.bb}       |  5 ++---
 3 files changed, 4 insertions(+), 30 deletions(-)
 rename meta-webserver/recipes-httpd/apache2/{apache2-native_2.4.23.bb => apache2-native_2.4.25.bb} (91%)
 delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch
 rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.23.bb => apache2_2.4.25.bb} (97%)

diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.23.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.25.bb
similarity index 91%
rename from meta-webserver/recipes-httpd/apache2/apache2-native_2.4.23.bb
rename to meta-webserver/recipes-httpd/apache2/apache2-native_2.4.25.bb
index b227f19..ca8ebaf 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.23.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.25.bb
@@ -15,8 +15,8 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
 S = "${WORKDIR}/httpd-${PV}"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
-SRC_URI[md5sum] = "04f19c60e810c028f5240a062668a688"
-SRC_URI[sha256sum] = "0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58"
+SRC_URI[md5sum] = "2826f49619112ad5813c0be5afcc7ddb"
+SRC_URI[sha256sum] = "f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2"
 
 EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
                 --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch b/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch
deleted file mode 100644
index dbcdfc6..0000000
--- a/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-This patch has been copied from https://www.apache.org/security/asf-httpoxy-response.txt
-as a mitigation of CVE-2016-5387.
-
-Upstream-Status: Backport - fixed in 2.4.24
-
-Signed-off-by: Joe Slater<jslater@windriver.com>
-
-
---- a/server/util_script.c	(revision 1752426)
-+++ b/server/util_script.c	(working copy)
-@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
-         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
-             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
-         }
-+        /* HTTP_PROXY collides with a popular envvar used to configure
-+         * proxies, don't let clients set/override it.  But, if you must...
-+         */
-+#ifndef SECURITY_HOLE_PASS_PROXY
-+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
-+            ;
-+        }
-+#endif
-         /*
-          * You really don't want to disable this check, since it leaves you
-          * wide open to CGIs stealing passwords and people viewing them
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.25.bb
similarity index 97%
rename from meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb
rename to meta-webserver/recipes-httpd/apache2/apache2_2.4.25.bb
index b78ff51..3bd8579 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.25.bb
@@ -17,15 +17,14 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
            file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
            file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
            file://configure-allow-to-disable-selinux-support.patch \
-           file://cve-2016-5387.patch \
            file://init \
            file://apache2-volatile.conf \
            file://apache2.service \
           "
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
-SRC_URI[md5sum] = "04f19c60e810c028f5240a062668a688"
-SRC_URI[sha256sum] = "0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58"
+SRC_URI[md5sum] = "2826f49619112ad5813c0be5afcc7ddb"
+SRC_URI[sha256sum] = "f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2"
 
 S = "${WORKDIR}/httpd-${PV}"
 
-- 
2.7.4



^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [meta-webserver][PATCH] apache2: update to version 2.4.25
  2016-12-21 23:38 [meta-webserver][PATCH] apache2: update to version 2.4.25 Derek Straka
@ 2017-01-11 13:52 ` Brian Hutchinson
  2017-01-20 10:21   ` Olof Johansson
  0 siblings, 1 reply; 3+ messages in thread
From: Brian Hutchinson @ 2017-01-11 13:52 UTC (permalink / raw)
  To: openembedded-devel

On Wed, Dec 21, 2016 at 6:38 PM, Derek Straka <derek@asterius.io> wrote:
> Signed-off-by: Derek Straka <derek@asterius.io>
> ---
>  ...2-native_2.4.23.bb => apache2-native_2.4.25.bb} |  4 ++--
>  .../apache2/apache2/cve-2016-5387.patch            | 25 ----------------------
>  .../{apache2_2.4.23.bb => apache2_2.4.25.bb}       |  5 ++---
>  3 files changed, 4 insertions(+), 30 deletions(-)
>  rename meta-webserver/recipes-httpd/apache2/{apache2-native_2.4.23.bb => apache2-native_2.4.25.bb} (91%)
>  delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch
>  rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.23.bb => apache2_2.4.25.bb} (97%)
>
> diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.23.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.25.bb
> similarity index 91%
> rename from meta-webserver/recipes-httpd/apache2/apache2-native_2.4.23.bb
> rename to meta-webserver/recipes-httpd/apache2/apache2-native_2.4.25.bb
> index b227f19..ca8ebaf 100644
> --- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.23.bb
> +++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.25.bb
> @@ -15,8 +15,8 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
>  S = "${WORKDIR}/httpd-${PV}"
>
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
> -SRC_URI[md5sum] = "04f19c60e810c028f5240a062668a688"
> -SRC_URI[sha256sum] = "0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58"
> +SRC_URI[md5sum] = "2826f49619112ad5813c0be5afcc7ddb"
> +SRC_URI[sha256sum] = "f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2"
>
>  EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
>                  --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \
> diff --git a/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch b/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch
> deleted file mode 100644
> index dbcdfc6..0000000
> --- a/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch
> +++ /dev/null
> @@ -1,25 +0,0 @@
> -This patch has been copied from https://www.apache.org/security/asf-httpoxy-response.txt
> -as a mitigation of CVE-2016-5387.
> -
> -Upstream-Status: Backport - fixed in 2.4.24
> -
> -Signed-off-by: Joe Slater<jslater@windriver.com>
> -
> -
> ---- a/server/util_script.c     (revision 1752426)
> -+++ b/server/util_script.c     (working copy)
> -@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
> -         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
> -             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
> -         }
> -+        /* HTTP_PROXY collides with a popular envvar used to configure
> -+         * proxies, don't let clients set/override it.  But, if you must...
> -+         */
> -+#ifndef SECURITY_HOLE_PASS_PROXY
> -+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
> -+            ;
> -+        }
> -+#endif
> -         /*
> -          * You really don't want to disable this check, since it leaves you
> -          * wide open to CGIs stealing passwords and people viewing them
> diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.25.bb
> similarity index 97%
> rename from meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb
> rename to meta-webserver/recipes-httpd/apache2/apache2_2.4.25.bb
> index b78ff51..3bd8579 100644
> --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb
> +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.25.bb
> @@ -17,15 +17,14 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
>             file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
>             file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
>             file://configure-allow-to-disable-selinux-support.patch \
> -           file://cve-2016-5387.patch \
>             file://init \
>             file://apache2-volatile.conf \
>             file://apache2.service \
>            "
>
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
> -SRC_URI[md5sum] = "04f19c60e810c028f5240a062668a688"
> -SRC_URI[sha256sum] = "0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58"
> +SRC_URI[md5sum] = "2826f49619112ad5813c0be5afcc7ddb"
> +SRC_URI[sha256sum] = "f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2"
>
>  S = "${WORKDIR}/httpd-${PV}"
>
> --
> 2.7.4
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel


How long does it typically take for something like this to show up in
the Krogoth (2.1.2) and Morty (2.2) branch?

Just wondering because I did a fresh checked of both yesterday and
they didn't have this fix yet.

Regards,

Brian


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [meta-webserver][PATCH] apache2: update to version 2.4.25
  2017-01-11 13:52 ` Brian Hutchinson
@ 2017-01-20 10:21   ` Olof Johansson
  0 siblings, 0 replies; 3+ messages in thread
From: Olof Johansson @ 2017-01-20 10:21 UTC (permalink / raw)
  To: openembedded-devel

On 17-01-11 08:52 -0500, Brian Hutchinson wrote:
> On Wed, Dec 21, 2016 at 6:38 PM, Derek Straka <derek@asterius.io> wrote:
> >  rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.23.bb => apache2_2.4.25.bb} (97%)
> 
> How long does it typically take for something like this to show up in
> the Krogoth (2.1.2) and Morty (2.2) branch?
> 
> Just wondering because I did a fresh checked of both yesterday and
> they didn't have this fix yet.

The change bumps to a newer version (even skipping one
intermediate release). This is typically not something that would
be integrated to a stable branch (although I haven't looked
closer at the difference between the versions).

But I just sent patches for krogoth and morty to change the
SRC_URI to point to archive.apache.org instead as the 2.4.23
tarball has been moved.

If you want the later upstream version while still staying on
Krogoth/Morty, I think you'll have to make a local backport.

Hope this helps,
-- 
olofjn


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-01-20 10:21 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-12-21 23:38 [meta-webserver][PATCH] apache2: update to version 2.4.25 Derek Straka
2017-01-11 13:52 ` Brian Hutchinson
2017-01-20 10:21   ` Olof Johansson

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.