* [Buildroot] [git commit] package/lighttpd: security bump to version 1.4.64
@ 2022-01-22 22:26 Yann E. MORIN
From: Yann E. MORIN @ 2022-01-22 22:26 UTC
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=e043719c9747cf3a62780827deae5c08a5c7553f
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Fix CVE-2022-22707: In lighttpd 1.4.46 through 1.4.63, the
mod_extforward_Forwarded function of the mod_extforward plugin has a
stack-based buffer overflow (4 bytes representing -1), as demonstrated
by remote denial of service (daemon crash) in a non-default
configuration. The non-default configuration requires handling of the
Forwarded header in a somewhat unusual manner. Also, a 32-bit system is
much more likely to be affected than a 64-bit system.
gdbm, geoip and memcached options have been dropped with
https://github.com/lighttpd/lighttpd1.4/commit/86c2d3093686c4f945086c90af9b8a7900925b6b
https://www.lighttpd.net/2022/1/19/1.4.64/
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
package/lighttpd/lighttpd.hash | 4 ++--
package/lighttpd/lighttpd.mk | 5 +----
2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/package/lighttpd/lighttpd.hash b/package/lighttpd/lighttpd.hash
index 7601745fd7..ce026b9b4a 100644
--- a/package/lighttpd/lighttpd.hash
+++ b/package/lighttpd/lighttpd.hash
@@ -1,4 +1,4 @@
-# From https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.63.sha256sum
-sha256 2aef7f0102ebf54a1241a1c3ea8976892f8684bfb21697c9fffb8de0e2d6eab9 lighttpd-1.4.63.tar.xz
+# From https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.64.sha512sum
+sha512 8e2ad0830ff80fcebf0c33600caafb5ab4e9ff6b5073c12572f88a44fdfe85f777fa8b22b2fc2964fecbeb556997ad660867dcee80efb224d63329c8b18ea936 lighttpd-1.4.64.tar.xz
# Locally calculated
sha256 5c98cad2fbaf5c5e2562bcbab401a7c557c1bb1bac9914ecc63730925052fb13 COPYING
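Review bot: The new sha512 line at the top of lighttpd.hash is taken from a .sha512sum file on download.lighttpd.net, the same host that serves the tarball, so it detects a corrupted or later-modified archive but not a release directory that was altered together with its checksum file. If upstream publishes a detached signature for lighttpd-1.4.64.tar.xz, verify it before the bump and record that in the comment above the hash; the "# From ..." comment alone does not tell a later reader whether anything beyond the checksum file was checked.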
diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
index 5d53767263..f0974dd5b2 100644
--- a/package/lighttpd/lighttpd.mk
+++ b/package/lighttpd/lighttpd.mk
@@ -5,7 +5,7 @@
################################################################################
LIGHTTPD_VERSION_MAJOR = 1.4
-LIGHTTPD_VERSION = $(LIGHTTPD_VERSION_MAJOR).63
+LIGHTTPD_VERSION = $(LIGHTTPD_VERSION_MAJOR).64
LIGHTTPD_SOURCE = lighttpd-$(LIGHTTPD_VERSION).tar.xz
LIGHTTPD_SITE = http://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x
LIGHTTPD_LICENSE = BSD-3-Clause
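Review bot: LIGHTTPD_SITE, visible as context in this hunk, still points at http://download.lighttpd.net, while the hash comment in lighttpd.hash cites the same host over https://. The hash check will reject a modified tarball, but for a security bump it is worth changing the line to `LIGHTTPD_SITE = https://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x` in the same commit so the source is not fetched over cleartext.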
@@ -16,8 +16,6 @@ LIGHTTPD_CONF_OPTS = \
-Dwith_brotli=false \
-Dwith_dbi=false \
-Dwith_fam=false \
- -Dwith_gdbm=false \
- -Dwith_geoip=false \
-Dwith_gnutls=false \
-Dwith_krb5=false \
-Dwith_ldap=false \
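Review bot: Removing `-Dwith_gdbm=false` and `-Dwith_geoip=false` from LIGHTTPD_CONF_OPTS is only correct together with the bump to 1.4.64, because the commit message says upstream dropped these options in that release. If this security fix is backported to a branch that stays on an older lighttpd, this hunk must not be picked on its own: there the two features would no longer be explicitly disabled and would fall back to whatever the build system defaults to. A short comment in the commit message stating that the flag removal is tied to the version change would make that clear to whoever does the backport.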
@@ -25,7 +23,6 @@ LIGHTTPD_CONF_OPTS = \
-Dwith_libunwind=false \
-Dwith_maxminddb=false \
-Dwith_mbedtls=false \
- -Dwith_memcached=false \
-Dwith_mysql=false \
-Dwith_nettle=false \
-Dwith_nss=false \