* [Buildroot] [git commit] package/lighttpd: security bump to version 1.4.64
From: Yann E. MORIN @ 2022-01-22 22:26 UTC
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=e043719c9747cf3a62780827deae5c08a5c7553f
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

Fix CVE-2022-22707: In lighttpd 1.4.46 through 1.4.63, the
mod_extforward_Forwarded function of the mod_extforward plugin has a
stack-based buffer overflow (4 bytes representing -1), as demonstrated
by remote denial of service (daemon crash) in a non-default
configuration. The non-default configuration requires handling of the
Forwarded header in a somewhat unusual manner. Also, a 32-bit system is
much more likely to be affected than a 64-bit system.

gdbm, geoip and memcached options have been dropped with
https://github.com/lighttpd/lighttpd1.4/commit/86c2d3093686c4f945086c90af9b8a7900925b6b

https://www.lighttpd.net/2022/1/19/1.4.64/

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 package/lighttpd/lighttpd.hash | 4 ++--
 package/lighttpd/lighttpd.mk   | 5 +----
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/package/lighttpd/lighttpd.hash b/package/lighttpd/lighttpd.hash
index 7601745fd7..ce026b9b4a 100644
--- a/package/lighttpd/lighttpd.hash
+++ b/package/lighttpd/lighttpd.hash
@@ -1,4 +1,4 @@
-# From https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.63.sha256sum
-sha256  2aef7f0102ebf54a1241a1c3ea8976892f8684bfb21697c9fffb8de0e2d6eab9  lighttpd-1.4.63.tar.xz
+# From https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.64.sha512sum
+sha512  8e2ad0830ff80fcebf0c33600caafb5ab4e9ff6b5073c12572f88a44fdfe85f777fa8b22b2fc2964fecbeb556997ad660867dcee80efb224d63329c8b18ea936  lighttpd-1.4.64.tar.xz
 # Locally calculated
 sha256  5c98cad2fbaf5c5e2562bcbab401a7c557c1bb1bac9914ecc63730925052fb13  COPYING
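Review bot: the upstream digest line for the tarball changes algorithm as well as version (sha256 taken from the .sha256sum file becomes sha512 taken from the .sha512sum file), and the commit message does not say why. State the reason in the log. Since the recorded value is copied from the same download.lighttpd.net host that serves lighttpd-1.4.64.tar.xz, it would also help to note in the comment whether the tarball was checked against an upstream signature, if one is published, before the hash was recorded.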
diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
index 5d53767263..f0974dd5b2 100644
--- a/package/lighttpd/lighttpd.mk
+++ b/package/lighttpd/lighttpd.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 LIGHTTPD_VERSION_MAJOR = 1.4
-LIGHTTPD_VERSION = $(LIGHTTPD_VERSION_MAJOR).63
+LIGHTTPD_VERSION = $(LIGHTTPD_VERSION_MAJOR).64
 LIGHTTPD_SOURCE = lighttpd-$(LIGHTTPD_VERSION).tar.xz
 LIGHTTPD_SITE = http://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x
 LIGHTTPD_LICENSE = BSD-3-Clause
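Review bot: LIGHTTPD_SITE on the context line below the version change still uses http://download.lighttpd.net, while the comment in lighttpd.hash cites https:// on the same host. With a plain-HTTP fetch the integrity of the download rests entirely on the .hash entry, so consider switching LIGHTTPD_SITE to https:// as part of this security bump.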
@@ -16,8 +16,6 @@ LIGHTTPD_CONF_OPTS = \
 	-Dwith_brotli=false \
 	-Dwith_dbi=false \
 	-Dwith_fam=false \
-	-Dwith_gdbm=false \
-	-Dwith_geoip=false \
 	-Dwith_gnutls=false \
 	-Dwith_krb5=false \
 	-Dwith_ldap=false \
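Review bot: the removal of -Dwith_gdbm=false and -Dwith_geoip=false here, together with -Dwith_memcached=false in the next hunk, has to stay in the same commit as the LIGHTTPD_VERSION change, because the commit message says upstream dropped these options and meson rejects -D options that the project does not define. Say so explicitly in the log so that anyone cherry-picking this CVE fix to another branch carries the option removals along with the version bump rather than only the .hash and version lines.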
@@ -25,7 +23,6 @@ LIGHTTPD_CONF_OPTS = \
 	-Dwith_libunwind=false \
 	-Dwith_maxminddb=false \
 	-Dwith_mbedtls=false \
-	-Dwith_memcached=false \
 	-Dwith_mysql=false \
 	-Dwith_nettle=false \
 	-Dwith_nss=false \