* [Buildroot] [PATCH 1/2] lighttpd: security bump to version 1.14.51
@ 2018-10-30 10:21 Peter Korsgaard
  2018-10-30 10:21 ` [Buildroot] [PATCH 2/2] lighttpd: add optional pam support Peter Korsgaard
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Peter Korsgaard @ 2018-10-30 10:21 UTC (permalink / raw)
  To: buildroot

Fixes the following security issues:

1.4.50:
[mod_alias] security: potential path traversal with specific configs
[core] security: use-after-free invalid Range req
[mod_alias] security: path traversal in mod_alias (in some use cases) (fixes #2898)
[core] security: use-after-free after invalid Range request (fixes #2899)

1.4.51:
[core,security] process headers after combining folded headers
[mod_userdir] security: skip username "." and ".."

1.4.51 brings optional pam and wolfssl support.  Explicitly disable these
options for now.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/lighttpd/lighttpd.hash | 4 ++--
 package/lighttpd/lighttpd.mk   | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/package/lighttpd/lighttpd.hash b/package/lighttpd/lighttpd.hash
index c99e240c7b..0829c6b4c9 100644
--- a/package/lighttpd/lighttpd.hash
+++ b/package/lighttpd/lighttpd.hash
@@ -1,4 +1,4 @@
-# From https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.49.sha256sum
-sha256 aedf49d7127d9e4c0ea56618e9e945a17674dc46a37ac7990120f87dd939ce09  lighttpd-1.4.49.tar.xz
+# From https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.51.sha256sum
+sha256 2af9fdb265d1f025bfa634e13770239712ecbd585e4975b8226edf1df74e9c82  lighttpd-1.4.51.tar.xz
 # Locally calculated
 sha256 5c98cad2fbaf5c5e2562bcbab401a7c557c1bb1bac9914ecc63730925052fb13  COPYING
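Review bot: the provenance comment on the new sha256 line points at an https URL, while LIGHTTPD_SITE in lighttpd.mk (see the next hunk) still fetches the tarball over plain http. The pinned checksum is what actually protects the download, so this is acceptable, but switching LIGHTTPD_SITE to https://download.lighttpd.net/... would give the fetch itself the same transport integrity as the checksum file. The tarball name on the hash line matches the new LIGHTTPD_SOURCE, and leaving the COPYING hash untouched is correct for a version bump.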
diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
index 06561e9f55..44bee6f90f 100644
--- a/package/lighttpd/lighttpd.mk
+++ b/package/lighttpd/lighttpd.mk
@@ -5,13 +5,15 @@
 ################################################################################
 
 LIGHTTPD_VERSION_MAJOR = 1.4
-LIGHTTPD_VERSION = $(LIGHTTPD_VERSION_MAJOR).49
+LIGHTTPD_VERSION = $(LIGHTTPD_VERSION_MAJOR).51
 LIGHTTPD_SOURCE = lighttpd-$(LIGHTTPD_VERSION).tar.xz
 LIGHTTPD_SITE = http://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x
 LIGHTTPD_LICENSE = BSD-3-Clause
 LIGHTTPD_LICENSE_FILES = COPYING
 LIGHTTPD_DEPENDENCIES = host-pkgconf
 LIGHTTPD_CONF_OPTS = \
+	--without-pam \
+	--without-wolfssl \
 	--libdir=/usr/lib/lighttpd \
 	--libexecdir=/usr/lib
 
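Review bot: the subject line says 1.14.51 while this hunk bumps LIGHTTPD_VERSION to $(LIGHTTPD_VERSION_MAJOR).51, i.e. 1.4.51; fix the subject before merging so the git history names the real version. Adding `--without-pam` and `--without-wolfssl` up front is the right call: without them configure would autodetect whatever happens to be in the staging directory, so the resulting binary would silently depend on unrelated package selections. If wolfssl is wired up as an option later, it should get the same ifeq block as openssl rather than remaining in the static list.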
-- 
2.11.0


* [Buildroot] [PATCH 2/2] lighttpd: add optional pam support
  2018-10-30 10:21 [Buildroot] [PATCH 1/2] lighttpd: security bump to version 1.14.51 Peter Korsgaard
@ 2018-10-30 10:21 ` Peter Korsgaard
  2018-10-30 11:38   ` Baruch Siach
                     ` (2 more replies)
  2018-10-30 20:04 ` [Buildroot] [PATCH 1/2] lighttpd: security bump to version 1.14.51 Peter Korsgaard
  2018-11-13 23:11 ` Peter Korsgaard
  2 siblings, 3 replies; 8+ messages in thread
From: Peter Korsgaard @ 2018-10-30 10:21 UTC (permalink / raw)
  To: buildroot

Let the option depend on linux-pam as pam has quite some dependencies and
this is unlikely to be used if pam isn't explicitly enabled.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/lighttpd/Config.in   | 7 +++++++
 package/lighttpd/lighttpd.mk | 8 +++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/package/lighttpd/Config.in b/package/lighttpd/Config.in
index 383c10f70f..0f37422aea 100644
--- a/package/lighttpd/Config.in
+++ b/package/lighttpd/Config.in
@@ -26,6 +26,13 @@ config BR2_PACKAGE_LIGHTTPD_OPENSSL
 	help
 	  Enable OpenSSL support for lighttpd.
 
+config BR2_PACKAGE_LIGHTTPD_PAM
+       bool "pam authentication support"
+       depends on BR2_PACKAGE_LINUX_PAM
+       default y
+       help
+         Enable PAM authentication support for lighttpd.
+
 config BR2_PACKAGE_LIGHTTPD_ZLIB
 	bool "zlib support"
 	select BR2_PACKAGE_ZLIB
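Review bot: the new config block is indented with spaces while the surrounding entries (the `help` line above, `bool "zlib support"` below) use a tab; Buildroot's convention is a tab for option attributes and a tab plus two spaces for help text, so this is likely to be flagged by check-package. `default y` together with `depends on BR2_PACKAGE_LINUX_PAM` means the module is built whenever linux-pam is selected, which matches the commit message; consider saying in the help text that the module still has to be enabled in lighttpd.conf, since building it alone changes nothing at runtime.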
diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
index 44bee6f90f..d8f64dc7e8 100644
--- a/package/lighttpd/lighttpd.mk
+++ b/package/lighttpd/lighttpd.mk
@@ -12,7 +12,6 @@ LIGHTTPD_LICENSE = BSD-3-Clause
 LIGHTTPD_LICENSE_FILES = COPYING
 LIGHTTPD_DEPENDENCIES = host-pkgconf
 LIGHTTPD_CONF_OPTS = \
-	--without-pam \
 	--without-wolfssl \
 	--libdir=/usr/lib/lighttpd \
 	--libexecdir=/usr/lib
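Review bot: dropping `--without-pam` from the static list is only safe because the next hunk re-adds it in the else branch of the new ifeq block; fine within one patch, but if the two hunks are ever split the build would fall back to configure's autodetection of PAM.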
@@ -24,6 +23,13 @@ else
 LIGHTTPD_CONF_OPTS += --without-openssl
 endif
 
+ifeq ($(BR2_PACKAGE_LIGHTTPD_PAM),y)
+LIGHTTPD_DEPENDENCIES += linux-pam
+LIGHTTPD_CONF_OPTS += --with-pam
+else
+LIGHTTPD_CONF_OPTS += --without-pam
+endif
+
 ifeq ($(BR2_PACKAGE_LIGHTTPD_ZLIB),y)
 LIGHTTPD_DEPENDENCIES += zlib
 LIGHTTPD_CONF_OPTS += --with-zlib
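Review bot: the ifeq block follows the existing zlib/openssl pattern exactly, and adding linux-pam to LIGHTTPD_DEPENDENCIES is needed so the PAM headers are in staging before configure runs; nothing to change here. Worth recording in the commit message, as Matthew Weber points out later in the thread, that enabling this only builds the PAM auth module, so existing targets whose lighttpd.conf does not reference it see no behavioural change.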
-- 
2.11.0


* [Buildroot] [PATCH 2/2] lighttpd: add optional pam support
  2018-10-30 10:21 ` [Buildroot] [PATCH 2/2] lighttpd: add optional pam support Peter Korsgaard
@ 2018-10-30 11:38   ` Baruch Siach
  2018-10-30 13:49     ` Peter Korsgaard
  2018-10-30 12:43   ` Matthew Weber
  2018-10-31  9:24   ` Thomas Petazzoni
  2 siblings, 1 reply; 8+ messages in thread
From: Baruch Siach @ 2018-10-30 11:38 UTC (permalink / raw)
  To: buildroot

Hi Peter,

Peter Korsgaard writes:
> Let the option depend on linux-pam as pam has quite some dependencies and
> this is unlikely to be used if pam isn't explicitly enabled.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/lighttpd/Config.in   | 7 +++++++
>  package/lighttpd/lighttpd.mk | 8 +++++++-
>  2 files changed, 14 insertions(+), 1 deletion(-)
>
> diff --git a/package/lighttpd/Config.in b/package/lighttpd/Config.in
> index 383c10f70f..0f37422aea 100644
> --- a/package/lighttpd/Config.in
> +++ b/package/lighttpd/Config.in
> @@ -26,6 +26,13 @@ config BR2_PACKAGE_LIGHTTPD_OPENSSL
>  	help
>  	  Enable OpenSSL support for lighttpd.
>  
> +config BR2_PACKAGE_LIGHTTPD_PAM
> +       bool "pam authentication support"
> +       depends on BR2_PACKAGE_LINUX_PAM
> +       default y
> +       help
> +         Enable PAM authentication support for lighttpd.
> +

Why do we need a config option? What is the size impact of the lighttpd
PAM support?

baruch

>  config BR2_PACKAGE_LIGHTTPD_ZLIB
>  	bool "zlib support"
>  	select BR2_PACKAGE_ZLIB
> diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
> index 44bee6f90f..d8f64dc7e8 100644
> --- a/package/lighttpd/lighttpd.mk
> +++ b/package/lighttpd/lighttpd.mk
> @@ -12,7 +12,6 @@ LIGHTTPD_LICENSE = BSD-3-Clause
>  LIGHTTPD_LICENSE_FILES = COPYING
>  LIGHTTPD_DEPENDENCIES = host-pkgconf
>  LIGHTTPD_CONF_OPTS = \
> -	--without-pam \
>  	--without-wolfssl \
>  	--libdir=/usr/lib/lighttpd \
>  	--libexecdir=/usr/lib
> @@ -24,6 +23,13 @@ else
>  LIGHTTPD_CONF_OPTS += --without-openssl
>  endif
>  
> +ifeq ($(BR2_PACKAGE_LIGHTTPD_PAM),y)
> +LIGHTTPD_DEPENDENCIES += linux-pam
> +LIGHTTPD_CONF_OPTS += --with-pam
> +else
> +LIGHTTPD_CONF_OPTS += --without-pam
> +endif
> +
>  ifeq ($(BR2_PACKAGE_LIGHTTPD_ZLIB),y)
>  LIGHTTPD_DEPENDENCIES += zlib
>  LIGHTTPD_CONF_OPTS += --with-zlib


-- 
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -


* [Buildroot] [PATCH 2/2] lighttpd: add optional pam support
  2018-10-30 10:21 ` [Buildroot] [PATCH 2/2] lighttpd: add optional pam support Peter Korsgaard
  2018-10-30 11:38   ` Baruch Siach
@ 2018-10-30 12:43   ` Matthew Weber
  2018-10-31  9:24   ` Thomas Petazzoni
  2 siblings, 0 replies; 8+ messages in thread
From: Matthew Weber @ 2018-10-30 12:43 UTC (permalink / raw)
  To: buildroot

Peter,


On Tue, Oct 30, 2018 at 5:22 AM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> Let the option depend on linux-pam as pam has quite some dependencies and
> this is unlikely to be used if pam isn't explicitly enabled.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/lighttpd/Config.in   | 7 +++++++
>  package/lighttpd/lighttpd.mk | 8 +++++++-
>  2 files changed, 14 insertions(+), 1 deletion(-)
>
> diff --git a/package/lighttpd/Config.in b/package/lighttpd/Config.in
> index 383c10f70f..0f37422aea 100644
> --- a/package/lighttpd/Config.in
> +++ b/package/lighttpd/Config.in
> @@ -26,6 +26,13 @@ config BR2_PACKAGE_LIGHTTPD_OPENSSL
>         help
>           Enable OpenSSL support for lighttpd.
>
> +config BR2_PACKAGE_LIGHTTPD_PAM
> +       bool "pam authentication support"
> +       depends on BR2_PACKAGE_LINUX_PAM
> +       default y
> +       help
> +         Enable PAM authentication support for lighttpd.
> +
>  config BR2_PACKAGE_LIGHTTPD_ZLIB
>         bool "zlib support"
>         select BR2_PACKAGE_ZLIB
> diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
> index 44bee6f90f..d8f64dc7e8 100644
> --- a/package/lighttpd/lighttpd.mk
> +++ b/package/lighttpd/lighttpd.mk
> @@ -12,7 +12,6 @@ LIGHTTPD_LICENSE = BSD-3-Clause
>  LIGHTTPD_LICENSE_FILES = COPYING
>  LIGHTTPD_DEPENDENCIES = host-pkgconf
>  LIGHTTPD_CONF_OPTS = \
> -       --without-pam \
>         --without-wolfssl \
>         --libdir=/usr/lib/lighttpd \
>         --libexecdir=/usr/lib
> @@ -24,6 +23,13 @@ else
>  LIGHTTPD_CONF_OPTS += --without-openssl
>  endif
>
> +ifeq ($(BR2_PACKAGE_LIGHTTPD_PAM),y)
> +LIGHTTPD_DEPENDENCIES += linux-pam
> +LIGHTTPD_CONF_OPTS += --with-pam
> +else
> +LIGHTTPD_CONF_OPTS += --without-pam
> +endif

On the same note as Baruch, I dug through the code a bit and it looks
like enabling it just adds the mod_auth_pam support.  However a
configuration file still needs to call out using that support.  So it
looks like from a compatibility to old target builds perspective, this
can be enabled if PAM is present without any impact.

Matt


* [Buildroot] [PATCH 2/2] lighttpd: add optional pam support
  2018-10-30 11:38   ` Baruch Siach
@ 2018-10-30 13:49     ` Peter Korsgaard
  0 siblings, 0 replies; 8+ messages in thread
From: Peter Korsgaard @ 2018-10-30 13:49 UTC (permalink / raw)
  To: buildroot

>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:

 > Hi Peter,
 > Peter Korsgaard writes:
 >> Let the option depend on linux-pam as pam has quite some dependencies and
 >> this is unlikely to be used if pam isn't explicitly enabled.
 >> 
 >> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 >> ---
 >> package/lighttpd/Config.in   | 7 +++++++
 >> package/lighttpd/lighttpd.mk | 8 +++++++-
 >> 2 files changed, 14 insertions(+), 1 deletion(-)
 >> 
 >> diff --git a/package/lighttpd/Config.in b/package/lighttpd/Config.in
 >> index 383c10f70f..0f37422aea 100644
 >> --- a/package/lighttpd/Config.in
 >> +++ b/package/lighttpd/Config.in
 >> @@ -26,6 +26,13 @@ config BR2_PACKAGE_LIGHTTPD_OPENSSL
 >> help
 >> Enable OpenSSL support for lighttpd.
 >> 
 >> +config BR2_PACKAGE_LIGHTTPD_PAM
 >> +       bool "pam authentication support"
 >> +       depends on BR2_PACKAGE_LINUX_PAM
 >> +       default y
 >> +       help
 >> +         Enable PAM authentication support for lighttpd.
 >> +

 > Why do we need a config option? What is the size impact of the lighttpd
 > PAM support?

Just for consistency with the other BR2_PACKAGE_LIGHTTPD_* options. I
would also prefer to use automatic dependencies like we do elsewhere,
but as we are explicitly handling the other optional dependencies it
seemed more sensible to do it for pam as well.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 1/2] lighttpd: security bump to version 1.14.51
  2018-10-30 10:21 [Buildroot] [PATCH 1/2] lighttpd: security bump to version 1.14.51 Peter Korsgaard
  2018-10-30 10:21 ` [Buildroot] [PATCH 2/2] lighttpd: add optional pam support Peter Korsgaard
@ 2018-10-30 20:04 ` Peter Korsgaard
  2018-11-13 23:11 ` Peter Korsgaard
  2 siblings, 0 replies; 8+ messages in thread
From: Peter Korsgaard @ 2018-10-30 20:04 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issues:
 > 1.4.50:
 > [mod_alias] security: potential path traversal with specific configs
 > [core] security: use-after-free invalid Range req
 > [mod_alias] security: path traversal in mod_alias (in some use cases) (fixes #2898)
 > [core] security: use-after-free after invalid Range request (fixes #2899)

 > 1.4.51:
 > [core,security] process headers after combining folded headers
 > [mod_userdir] security: skip username "." and ".."

 > 1.4.51 brings optional pam and wolfssl support.  Explicitly disable these
 > options for now.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 2/2] lighttpd: add optional pam support
  2018-10-30 10:21 ` [Buildroot] [PATCH 2/2] lighttpd: add optional pam support Peter Korsgaard
  2018-10-30 11:38   ` Baruch Siach
  2018-10-30 12:43   ` Matthew Weber
@ 2018-10-31  9:24   ` Thomas Petazzoni
  2 siblings, 0 replies; 8+ messages in thread
From: Thomas Petazzoni @ 2018-10-31  9:24 UTC (permalink / raw)
  To: buildroot

Hello,

On Tue, 30 Oct 2018 11:21:52 +0100, Peter Korsgaard wrote:
> Let the option depend on linux-pam as pam has quite some dependencies and
> this is unlikely to be used if pam isn't explicitly enabled.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/lighttpd/Config.in   | 7 +++++++
>  package/lighttpd/lighttpd.mk | 8 +++++++-
>  2 files changed, 14 insertions(+), 1 deletion(-)

Applied to master, thanks.

Baruch: I indeed agree that automatic dependency handling could be used
here, but Peter has a point that lighttpd doesn't do that today for
other dependencies. So for consistency, it made sense to do the same
for the linux-pam dependency as well.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 1/2] lighttpd: security bump to version 1.14.51
  2018-10-30 10:21 [Buildroot] [PATCH 1/2] lighttpd: security bump to version 1.14.51 Peter Korsgaard
  2018-10-30 10:21 ` [Buildroot] [PATCH 2/2] lighttpd: add optional pam support Peter Korsgaard
  2018-10-30 20:04 ` [Buildroot] [PATCH 1/2] lighttpd: security bump to version 1.14.51 Peter Korsgaard
@ 2018-11-13 23:11 ` Peter Korsgaard
  2 siblings, 0 replies; 8+ messages in thread
From: Peter Korsgaard @ 2018-11-13 23:11 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issues:
 > 1.4.50:
 > [mod_alias] security: potential path traversal with specific configs
 > [core] security: use-after-free invalid Range req
 > [mod_alias] security: path traversal in mod_alias (in some use cases) (fixes #2898)
 > [core] security: use-after-free after invalid Range request (fixes #2899)

 > 1.4.51:
 > [core,security] process headers after combining folded headers
 > [mod_userdir] security: skip username "." and ".."

 > 1.4.51 brings optional pam and wolfssl support.  Explicitly disable these
 > options for now.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2018.02.x and 2018.08.x, thanks.

-- 
Bye, Peter Korsgaard
