Fix CVE-2021-33193: A crafted method sent through HTTP/2 will bypass
validation and be forwarded by mod_proxy, which can lead to request
splitting or cache poisoning. This issue affects Apache HTTP Server
2.4.17 to 2.4.48.
https://github.com/apache/httpd/blob/2.4.49/CHANGES
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Support for apache is added by the services/apache module in the
SELinux refpolicy.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
APACHE_FIXUP_APR_LIBTOOL tweaks files for per package directory build.
This is typically the kind of operation expected to be in
post-prepare hook.
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Latest version of Apache introduce a new apxs with a slightly modified
path handling logic. In order to simplify the crosscompilation, the
software removes the common prefix from bin install dir and build
install dir, but for this to work they both should have a common prefix.
So we introduce a new regexp to fix /usr/bin to staging dir, the regexps
are also fixed to replace only the exact path between double quotes, to
avoid replacing the she-bang line.
Fixes:
http://autobuild.buildroot.net/results/c41f31566974209897a3a1ec35afe2536fb248cchttp://autobuild.buildroot.net/results/b93f19976ce96e79ea159c25ed74a7377c78f334
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998@free.fr:
- add the last few words about the she-bang blurb
- do not use quotes in the existing /sur/bin regexp
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The original pattern for creating the pid file was:
open_create(pid_file)
write(pid_file, pid)
close(pid_file)
But if a power outage occurs between open_create and write, the file will
be empty and httpd will refuse to start afterwards unless the corrupt pid
file is removed.
This patch uses the pattern:
open_create(temp_pid_file)
write(temp_pid_file)
close(temp_pid_file)
rename(temp_pid_file, pid_file)
which is guaranteed to be atomic, provided that temp_pid_file and pid_file
are located in the same file system, which this patch does by creating
a temporary file name with the pattern:
pid_file_name + random_suffix
Patch is upstream as of
dd10a9352e,
which will be in the next 2.5.x version.
Signed-off-by: Nicolas Carrier <nicolas.carrier@orolia.com>
[Thomas: update to use upstreamed patch.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
*) SECURITY: CVE-2020-1934 (cve.mitre.org)
mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
server. [Eric Covener]
*) SECURITY: CVE-2020-1927 (cve.mitre.org)
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
matches and substitutions with encoded line break characters.
The fix for CVE-2019-10098 was not effective. [Ruediger Pluem]
The LICENSE file has been updated to fix a s/waranties/warranties/ typo, so
update the hash to match and adjust the spacing to match recent agreements:
-This software is provided "as is" and any express or implied waranties,
+This software is provided "as is" and any express or implied warranties,
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When APR_INCLUDEDIR and APU_INCLUDEDIR point to the same directory,
Apache builds properly. However, with per-package directory support,
they point to different directories, and APU_INCLUDEDIR contains both
the APR headers and the APU headers.
Due to this, the Apache Makefile logic to generate its exports.c file
leads to duplicate definitions, because the APR headers are considered
twice: once from APR_INCLUDEDIR, once from APU_INCLUDEDIR.
We fix this by introducing a patch to the Apache build system.
In addition, apr provides a special libtool script that gets used by
apr-util and apache. apr-util already had a fixup for this, but apache
did not, which was causing the gcc from apr-util per-package
directories be used during the apache build, causing build failures.
To fix this, we adjust this libtool script to point to the correct
tools in apache's per-package directories.
There are no autobuilder failures for this, because Apache needs
apr-util, and apr-util currently fails to build when
BR2_PER_PACKAGE_DIRECTORIES=y.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
All the packages in this list have the following properties
* units are provided by buildroot in the package directory
* the SYSTEMD_INSTALL_INIT_HOOK is exactly equivalent to what the
[Install] section of the unit does
The fix removes the soflinking in the .mk file
Signed-off-by: Jérémy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security vulnerabilities:
*) SECURITY: CVE-2019-0197 (cve.mitre.org)
mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
request from http/1.1 to http/2 that was not the first request on a
connection could lead to a misconfiguration and crash. Servers that
never enabled the h2 protocol or only enabled it for https: and
did not set "H2Upgrade on" are unaffected by this issue.
[Stefan Eissing]
*) SECURITY: CVE-2019-0196 (cve.mitre.org)
mod_http2: using fuzzed network input, the http/2 request
handling could be made to access freed memory in string
comparision when determining the method of a request and
thus process the request incorrectly. [Stefan Eissing]
*) SECURITY: CVE-2019-0211 (cve.mitre.org)
MPMs unix: Fix a local priviledge escalation vulnerability by not
maintaining each child's listener bucket number in the scoreboard,
preventing unprivileged code like scripts run by/on the server (e.g. via
mod_php) from modifying it persistently to abuse the priviledged main
process. [Charles Fol <folcharles gmail.com>, Yann Ylavic]
*) SECURITY: CVE-2019-0196 (cve.mitre.org)
mod_http2: using fuzzed network input, the http/2 request
handling could be made to access freed memory in string
comparision when determining the method of a request and
thus process the request incorrectly. [Stefan Eissing]
*) SECURITY: CVE-2019-0217 (cve.mitre.org)
mod_auth_digest: Fix a race condition checking user credentials which
could allow a user with valid credentials to impersonate another,
under a threaded MPM. PR 63124. [Simon Kappel <simon.kappel axis.com>]
*) SECURITY: CVE-2019-0215 (cve.mitre.org)
mod_ssl: Fix access control bypass for per-location/per-dir client
certificate verification in TLSv1.3.
*) SECURITY: CVE-2019-0220 (cve.mitre.org)
Merge consecutive slashes in URL's. Opt-out with
`MergeSlashes OFF`. [Eric Covener]
For more details, see the CHANGES file:
https://www.apache.org/dist/httpd/CHANGES_2.4.39
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowing
sessions to be reused. [Hank Ibell]
*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodies
to resources not consuming them, httpd cleanup code occupies a server
thread unnecessarily. This was changed to an immediate stream reset
which discards all stream state and incoming data. [Stefan Eissing]
*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later. PR 63052. [Joe Orton]
For more details, see the CHANGES file:
https://www.apache.org/dist/httpd/CHANGES_2.4.38
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
sysv init script is just a wrapper to apachectl
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch suggested by Thomas: Adding a path to --with-lua disables
pkgconf-based detection of lua, which in some cases needs libdl.
This patch removes --with-lua which fixes
http://autobuild.buildroot.net/results/cc1/cc13f4cef9cf6f18615d58f1d83b233812f19fa0/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix for CVE-2017-9798 is included in this release, so this patch is
removed.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Update commit log: not a security bump]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes the following security issues:
CVE-2017-3167: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26,
use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being bypassed.
CVE-2017-3169: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26,
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
CVE-2017-7659: A maliciously constructed HTTP/2 request could cause
mod_http2 to dereference a NULL pointer and crash the server process.
CVE-2017-7668: The HTTP strict parsing changes added in Apache httpd 2.2.32
and 2.4.24 introduced a bug in token list parsing, which allows
ap_find_token() to search past the end of its input string. By maliciously
crafting a sequence of request headers, an attacker may be able to cause a
segmentation fault, or to force ap_find_token() to return an incorrect
value.
CVE-2017-7679: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26,
mod_mime can read one byte past the end of a buffer when sending a malicious
Content-Type response header.
While we're at it, use the upstream sha256 checksum instead of sha1.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The check-package script when ran gives warnings on text wrapping on all
of these Config files. This patch cleans up all warnings related to the
text wrapping for the Config files starting with the letter a in the
package directory.
The appropriate indentation is: <tab><2 spaces><62 chars>
See http://nightly.buildroot.org/#writing-rules-config-in for more
information.
Signed-off-by: Adam Duskett <aduskett@codeblue.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The check-package script when ran gives warnings on ordering issues
on all of these Config files. This patch cleans up all warnings
related to the ordering in the Config files for packages starting with
the letter a in the package directory.
The appropriate ordering is: type, default, depends on, select, help
See http://nightly.buildroot.org/#_config_files for more information.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
MPM can be selected between event, prefork or worker
Set worker as the default one as it was before even if event MPM is
better on system supporting thread safe polling
Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Since the apache package was introduced,
--enable-nonportable-atomics=yes was passed when
BR2_ARCH_HAS_ATOMICS. However, Apache doesn't take this option: it
only passes it down when building the APR library. But since we're
building APR separately, this statement had no effect.
So this commit removes the useless code from the Apache package, and
instead adds the appropriate logic to the apr package, using the new
BR2_TOOLCHAIN_HAS_SYNC_x symbols rather than BR2_ARCH_HAS_ATOMICS.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
[Thomas:
- Don't explicitly pass CC_FOR_BUILD and CFLAGS_FOR_BUILD, those are
already part of the default environment passed by the
autotools-package infrastructure.
- Explicitly disable Lua and LuaJIT support to avoid mis-detection of
host installation.
- Explicitly handle the optional support of libxml2, OpenSSL and
zlib. Especially, the absence of explicit handling for libxml2 was
causing a build failure due to the host libxml2 being detected.
- Remove /usr/manual and /usr/build from the target. This saves 20+
MB of target space.]
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>