Commit Graph

56 Commits

Author SHA1 Message Date
Bernd Kuhls
6d6fe258a6 package/apache: fix build with libxml2-2.12
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-12-24 18:52:43 +01:00
Fabrice Fontaine
1f6b53b1a4 package/apache: add host-pkgconf dependency
apache uses pkgconfig to find dependencies such as lua, nhgttp2, openssl
and systemd.
For openssl, pkgconfig is used since version 2.1.1 and
0d4387dedc
resulting in the following build failure since at least bump to version
2.4.54 in commit 78e5a9c40e:

ac_cv_path_PKGCONFIG=/usr/bin/pkg-config
[...]
configure:28669: checking for SSL_CTX_new
configure:28669: /home/buildroot/autobuild/instance-1/output-1/host/bin/armeb-buildroot-linux-uclibcgnueabi-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -O3 -g0  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64   -L/home/buildroot/autobuild/instance-1/output-1/host/armeb-buildroot-linux-uclibcgnueabi/sysroot/usr/bin/../../../../armeb-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -L/usr/lib conftest.c -lssl -lcrypto   -lpthread >&5
armeb-buildroot-linux-uclibcgnueabi-gcc: ERROR: unsafe header/library path used in cross-compilation: '-L/usr/lib'

Fixes:
 - http://autobuild.buildroot.org/results/d85c86ee1070582014c7b29b39f9a9f356988220
 - http://autobuild.buildroot.org/results/55d6bad8572138e200730d3a9f2dd1b9048fd95d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-11-03 20:52:17 +01:00
Bernd Kuhls
d00881cad1 package/apache: security bump version to 2.4.58
Fixes CVE-2023-31122, CVE-2023-43622 & CVE-2023-45802:
https://httpd.apache.org/security/vulnerabilities_24.html

Release notes:
https://lists.apache.org/thread/1qnr3jpk1mdnqc2c6foyjvg0ch636h1n

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-10-25 21:14:13 +02:00
Bernd Kuhls
839c0c7d7c package/apache: security bump version to 2.4.57
Release notes:
https://lists.apache.org/thread/lp9t6w2t0qsbbo14lylk2yvfj8hgfoh9

Changelog: https://downloads.apache.org/httpd/CHANGES_2.4.57
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-05-01 09:14:18 +02:00
Bernd Kuhls
5256ec9ca8 package/apache: security bump version to 2.4.56
Release notes:
https://lists.apache.org/thread/89vkczkfkdyz65d5q59pcyzrn5ts60s6

Changelog: https://dlcdn.apache.org/httpd/CHANGES_2.4.56

Fixes CVE-2023-25690 & CVE-2023-27522:
https://httpd.apache.org/security/vulnerabilities_24.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-03-09 20:38:39 +01:00
Bernd Kuhls
60d8585570 package/apache: security bump version to 2.4.55
Release notes:
https://lists.apache.org/thread/xlp3od60fjl8nl44z4f56y0lhs7pglos

Fixes CVE-2006-20001, CVE-2022-36760, CVE-2022-37436:
https://httpd.apache.org/security/vulnerabilities_24.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-20 08:17:59 +01:00
Bernd Kuhls
78e5a9c40e package/apache: security bump version to 2.4.54
Changelog: https://downloads.apache.org/httpd/CHANGES_2.4.54

Fixes CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615,
CVE-2022-29404, CVE-2022-30522, CVE-2022-30556 and CVE-2022-31813.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2022-06-14 20:10:26 +02:00
Bernd Kuhls
0eadc83b9f package/apache: add brotli as optional dependency
Fixes:
http://autobuild.buildroot.net/results/90e/90e3a2aaf0ce0451b80c71743209797abeb83d0a/
http://autobuild.buildroot.net/results/006/006f94bb216a77f073a5670fa2f393c43f15a977/
http://autobuild.buildroot.net/results/dd6/dd69e665e51ce6b30e303a4d4670e9edbb159aea/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2022-06-14 20:10:23 +02:00
Bernd Kuhls
eaa8fcf546 package/apache: security bump version to 2.4.53
Changelog: https://downloads.apache.org/httpd/CHANGES_2.4.53

Fixes CVE-2022-22719, CVE-2022-22720, CVE-2022-22721 & CVE-2022-23943.

Switch from pcre to pcre2 following upstream commit:
c602ba1481

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-03-22 08:59:18 +01:00
Fabrice Fontaine
0b7c22970d package/apache: drop APACHE_FIXUP_APR_LIBTOOL
Drop APACHE_FIXUP_APR_LIBTOOL which was added by commit
b747c29c4e but is not needed since the
addition of PPD_FIXUP_PATHS in commit
b06294e989

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2022-02-20 10:59:22 +01:00
Peter Korsgaard
bdc3f6888f package/apache: security bump to version 2.4.52
Fixes the following security issues:

  *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
     multipart content in mod_lua of Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A carefully crafted request body can cause a buffer overflow in
     the mod_lua multipart parser (r:parsebody() called from Lua
     scripts).
     The Apache httpd team is not aware of an exploit for the
     vulnerabilty though it might be possible to craft one.
     This issue affects Apache HTTP Server 2.4.51 and earlier.
     Credits: Chamal

  *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
     forward proxy configurations in Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A crafted URI sent to httpd configured as a forward proxy
     (ProxyRequests on) can cause a crash (NULL pointer dereference)
     or, for configurations mixing forward and reverse proxy
     declarations, can allow for requests to be directed to a
     declared Unix Domain Socket endpoint (Server Side Request
     Forgery).
     This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
     (included).

For more details, see the changes file:
https://downloads.apache.org/httpd/CHANGES_2.4.52

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-12-23 18:37:03 +01:00
Peter Seiderer
7af7546f9a package/apache: security bump to version 2.4.51
Fixes CVE-2021-42013, for details see [1] and [2].

Change download URL from http://archive.apache.org/dist/httpd to
https://downloads.apache.org/httpd (seems more up to date).

[1] https://downloads.apache.org/httpd/CHANGES_2.4.51
[2] https://httpd.apache.org/security/vulnerabilities_24.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-10-08 12:45:46 +02:00
Peter Seiderer
96464f7562 package/apache: change project URL to https
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-10-07 22:16:34 +02:00
Peter Seiderer
bb465e2f62 package/apache: security bump to version 2.4.50
Fixes CVE-2021-41524 and CVE-2021-41773, for details see [1] and [2].

[1] https://downloads.apache.org/httpd/CHANGES_2.4.50
[2] https://httpd.apache.org/security/vulnerabilities_24.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-10-07 22:15:18 +02:00
Fabrice Fontaine
868367222b package/apache: security bump to version 2.4.49
Fix CVE-2021-33193: A crafted method sent through HTTP/2 will bypass
validation and be forwarded by mod_proxy, which can lead to request
splitting or cache poisoning. This issue affects Apache HTTP Server
2.4.17 to 2.4.48.

https://github.com/apache/httpd/blob/2.4.49/CHANGES

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-09-18 08:46:13 +02:00
Fabrice Fontaine
bd91d7826e package/apache: add SELinux module
Support for apache is added by the services/apache module in the
SELinux refpolicy.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-21 21:07:40 +02:00
Herve Codina
6bfe74433a package/apache: move APACHE_FIXUP_APR_LIBTOOL to post-prepare hook
APACHE_FIXUP_APR_LIBTOOL tweaks files for per package directory build.
This is typically the kind of operation expected to be in
post-prepare hook.

Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-07-06 22:53:26 +02:00
Bernd Kuhls
351122979b package/apache: security bump version to 2.4.48
Changelog: https://downloads.apache.org/httpd/CHANGES_2.4.48

Fixes CVE-2021-31618:
mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov]

Removed patch 0004 which is included in upstream release.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-06-02 20:06:35 +02:00
Fabrice Fontaine
4b6202f721 Replace LIBFOO_CPE_ID_NAME by LIBFOO_CPE_ID_PRODUCT
Replace LIBFOO_CPE_ID_NAME by LIBFOO_CPE_ID_PRODUCT to better "comply"
with the official "Well-Formed CPE Name Data Model" parameters:
 - https://csrc.nist.gov/publications/detail/nistir/7695/final
 - https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-21 22:43:24 +01:00
Heiko Thiery
3ee9d3ddf7 package/apache: add APACHE_CPE_ID_VENDOR and APACHE_CPE_ID_NAME
cpe:2.3🅰️apache:http_server is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aapache%3Ahttp_server

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-21 22:01:52 +01:00
Bernd Kuhls
7667418d97 package/apache: security bump version to 2.4.46
Changelog: http://archive.apache.org/dist/httpd/CHANGES_2.4.46

Release notes: https://downloads.apache.org/httpd/Announcement2.4.html

Fixes CVE-2020-9490, CVE-2020-11984 & CVE-2020-11993:
https://httpd.apache.org/security/vulnerabilities_24.html

Added sha512 hash provided by upstream.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[yann.morin.1998@free.fr:
  - don't add md5 and sha1 hashes
  - single comment above hashes
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-07 21:22:55 +02:00
Angelo Compagnucci
aa04edab77 package/apache: fixing apxs path mangling
Latest version of Apache introduce a new apxs with a slightly modified
path handling logic. In order to simplify the crosscompilation, the
software removes the common prefix from bin install dir and build
install dir, but for this to work they both should have a common prefix.

So we introduce a new regexp to fix /usr/bin to staging dir, the regexps
are also fixed to replace only the exact path between double quotes, to
avoid replacing the she-bang line.

Fixes:
http://autobuild.buildroot.net/results/c41f31566974209897a3a1ec35afe2536fb248cc
http://autobuild.buildroot.net/results/b93f19976ce96e79ea159c25ed74a7377c78f334

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998@free.fr:
  - add the last few words about the she-bang blurb
  - do not use quotes in the existing /sur/bin regexp
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-04-24 11:29:35 +02:00
Nicolas Carrier
67fbb903b6 package/apache: atomic creation of pid file.
The original pattern for creating the pid file was:
open_create(pid_file)
write(pid_file, pid)
close(pid_file)

But if a power outage occurs between open_create and write, the file will
be empty and httpd will refuse to start afterwards unless the corrupt pid
file is removed.

This patch uses the pattern:
open_create(temp_pid_file)
write(temp_pid_file)
close(temp_pid_file)
rename(temp_pid_file, pid_file)
which is guaranteed to be atomic, provided that temp_pid_file and pid_file
are located in the same file system, which this patch does by creating
a temporary file name with the pattern:
    pid_file_name + random_suffix

Patch is upstream as of
dd10a9352e,
which will be in the next 2.5.x version.

Signed-off-by: Nicolas Carrier <nicolas.carrier@orolia.com>
[Thomas: update to use upstreamed patch.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-04-13 11:06:09 +02:00
Peter Korsgaard
2bf40ad66b package/apache: security bump to version 2.4.43
Fixes the following security issues:

  *) SECURITY: CVE-2020-1934 (cve.mitre.org)
     mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
     server. [Eric Covener]

  *) SECURITY: CVE-2020-1927 (cve.mitre.org)
     rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
     matches and substitutions with encoded line break characters.
     The fix for CVE-2019-10098 was not effective.  [Ruediger Pluem]

The LICENSE file has been updated to fix a s/waranties/warranties/ typo, so
update the hash to match and adjust the spacing to match recent agreements:

-This software is provided "as is" and any express or implied waranties,
+This software is provided "as is" and any express or implied warranties,

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-04-04 17:26:49 +02:00
Thomas Petazzoni
b747c29c4e package/apache: fix build with per-package directory support
When APR_INCLUDEDIR and APU_INCLUDEDIR point to the same directory,
Apache builds properly. However, with per-package directory support,
they point to different directories, and APU_INCLUDEDIR contains both
the APR headers and the APU headers.

Due to this, the Apache Makefile logic to generate its exports.c file
leads to duplicate definitions, because the APR headers are considered
twice: once from APR_INCLUDEDIR, once from APU_INCLUDEDIR.

We fix this by introducing a patch to the Apache build system.

In addition, apr provides a special libtool script that gets used by
apr-util and apache. apr-util already had a fixup for this, but apache
did not, which was causing the gcc from apr-util per-package
directories be used during the apache build, causing build failures.

To fix this, we adjust this libtool script to point to the correct
tools in apache's per-package directories.

There are no autobuilder failures for this, because Apache needs
apr-util, and apr-util currently fails to build when
BR2_PER_PACKAGE_DIRECTORIES=y.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-18 23:16:15 +01:00
Jérémy Rosen
3e092163e5 package: rely on systemctl preset-all for buildroot-provided services
All the packages in this list have the following properties
* units are provided by buildroot in the package directory
* the SYSTEMD_INSTALL_INIT_HOOK is exactly equivalent to what the
  [Install] section of the unit does

The fix removes the soflinking in the .mk file

Signed-off-by: Jérémy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2019-12-18 18:27:41 +01:00
Bernd Kuhls
2b702f73df package/apache: security bump to version 2.4.41
Release notes:
http://www.apache.org/dist/httpd/Announcement2.4.html
http://www.apache.org/dist/httpd/CHANGES_2.4.41

Fixes
CVE-2019-10081
CVE-2019-9517
CVE-2019-10098
CVE-2019-10092
CVE-2019-10097
CVE-2019-10082

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-15 15:07:10 +02:00
Peter Korsgaard
556ad6c25b package/apache: security bump to version 2.4.39
Fixes the following security vulnerabilities:

  *) SECURITY: CVE-2019-0197 (cve.mitre.org)
     mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
     host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
     request from http/1.1 to http/2 that was not the first request on a
     connection could lead to a misconfiguration and crash. Servers that
     never enabled the h2 protocol or only enabled it for https: and
     did not set "H2Upgrade on" are unaffected by this issue.
     [Stefan Eissing]

  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
     mod_http2: using fuzzed network input, the http/2 request
     handling could be made to access freed memory in string
     comparision when determining the method of a request and
     thus process the request incorrectly. [Stefan Eissing]

  *) SECURITY: CVE-2019-0211 (cve.mitre.org)
     MPMs unix: Fix a local priviledge escalation vulnerability by not
     maintaining each child's listener bucket number in the scoreboard,
     preventing unprivileged code like scripts run by/on the server (e.g. via
     mod_php) from modifying it persistently to abuse the priviledged main
     process.  [Charles Fol <folcharles gmail.com>, Yann Ylavic]

  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
     mod_http2: using fuzzed network input, the http/2 request
     handling could be made to access freed memory in string
     comparision when determining the method of a request and
     thus process the request incorrectly. [Stefan Eissing]

  *) SECURITY: CVE-2019-0217 (cve.mitre.org)
     mod_auth_digest: Fix a race condition checking user credentials which
     could allow a user with valid credentials to impersonate another,
     under a threaded MPM.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]

  *) SECURITY: CVE-2019-0215 (cve.mitre.org)
     mod_ssl: Fix access control bypass for per-location/per-dir client
     certificate verification in TLSv1.3.

  *) SECURITY: CVE-2019-0220 (cve.mitre.org)
     Merge consecutive slashes in URL's. Opt-out with
     `MergeSlashes OFF`. [Eric Covener]

For more details, see the CHANGES file:
https://www.apache.org/dist/httpd/CHANGES_2.4.39

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-03 09:24:30 +02:00
Peter Korsgaard
7675863549 package/apache: security bump to version 2.4.38
Fixes the following security vulnerabilities:

  *) SECURITY: CVE-2018-17199 (cve.mitre.org)
     mod_session: mod_session_cookie does not respect expiry time allowing
     sessions to be reused.  [Hank Ibell]

  *) SECURITY: CVE-2018-17189 (cve.mitre.org)
     mod_http2: fixes a DoS attack vector. By sending slow request bodies
     to resources not consuming them, httpd cleanup code occupies a server
     thread unnecessarily. This was changed to an immediate stream reset
     which discards all stream state and incoming data.  [Stefan Eissing]

  *) SECURITY: CVE-2019-0190 (cve.mitre.org)
     mod_ssl: Fix infinite loop triggered by a client-initiated
     renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
     later.  PR 63052.  [Joe Orton]

For more details, see the CHANGES file:
https://www.apache.org/dist/httpd/CHANGES_2.4.38

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-01-22 22:14:22 +01:00
Ryan Coe
9a889534cb package/apache: enable optional support for nghttp2
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-12-30 16:38:11 +01:00
Bernd Kuhls
5f832bb812 package/apache: bump version to 2.4.37
Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.37
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 01:18:48 +02:00
Bernd Kuhls
ac22fafdc8 package/apache: security bump to version 2.4.35
Fixes: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames
https://lists.apache.org/thread.html/d435b0267a76501b9e06c552b20c887171064cde38e46d678da4d3dd@%3Cannounce.httpd.apache.org%3E

Release notes:
https://lists.apache.org/thread.html/5d604774652fc073b1b161584d0d1efbdba7898c40ae2e2334725e5f@%3Cannounce.httpd.apache.org%3E

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-09-30 10:37:08 +02:00
Bernd Kuhls
8ef1aaa084 package/apache: bump version to 2.4.34
Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.34

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-07-17 00:34:33 +02:00
Fabrice Fontaine
2ce4028d5f apache: add systemd init script
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-06-23 09:51:59 +02:00
Fabrice Fontaine
876917689b apache: add reload target to sysv init script
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-06-22 19:10:10 +02:00
Fabrice Fontaine
fe03f5231f apache: add init sysv script
sysv init script is just a wrapper to apachectl

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-06-21 21:40:58 +02:00
Bernd Kuhls
6087e54800 package/apache: fix lua detection
Patch suggested by Thomas: Adding a path to --with-lua disables
pkgconf-based detection of lua, which in some cases needs libdl.

This patch removes --with-lua which fixes
http://autobuild.buildroot.net/results/cc1/cc13f4cef9cf6f18615d58f1d83b233812f19fa0/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-04-01 16:22:25 +02:00
Bernd Kuhls
be796657cb package/apache: add optional support for lua
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-03-31 20:17:09 +02:00
Bernd Kuhls
65193bf3c9 package/apache: security bump to version 2.4.33
Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.33

Fixes CVE-2017-15710, CVE-2018-1283, CVE-2018-1303, CVE-2018-1301,
CVE-2017-15715, CVE-2018-1312, CVE-2018-1302.

Added license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-03-24 11:53:48 +01:00
Bernd Kuhls
386ca343c5 package/apache: bump version to 2.4.29
Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.29

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-10-24 08:00:12 +02:00
Bernd Kuhls
1cff68251e package/apache: bump to version 2.4.28
Fix for CVE-2017-9798 is included in this release, so this patch is
removed.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Update commit log: not a security bump]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2017-10-06 18:41:57 +02:00
Bernd Kuhls
6d24caf0cd package/apache: add patch to fix CVE-2017-9798
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2017-09-19 21:44:28 +02:00
Bernd Kuhls
cf9b7cedac package/apache: bump version to 2.4.27
Announcement: http://www.apache.org/dist/httpd/Announcement2.4.html
Release notes: http://www.apache.org/dist/httpd/CHANGES_2.4.27

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-07-11 21:31:17 +02:00
Peter Korsgaard
e8a15fd693 apache: security bump to version 2.4.26
Fixes the following security issues:

CVE-2017-3167: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26,
use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being bypassed.

CVE-2017-3169: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26,
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.

CVE-2017-7659: A maliciously constructed HTTP/2 request could cause
mod_http2 to dereference a NULL pointer and crash the server process.

CVE-2017-7668: The HTTP strict parsing changes added in Apache httpd 2.2.32
and 2.4.24 introduced a bug in token list parsing, which allows
ap_find_token() to search past the end of its input string.  By maliciously
crafting a sequence of request headers, an attacker may be able to cause a
segmentation fault, or to force ap_find_token() to return an incorrect
value.

CVE-2017-7679: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26,
mod_mime can read one byte past the end of a buffer when sending a malicious
Content-Type response header.

While we're at it, use the upstream sha256 checksum instead of sha1.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-06-20 23:24:33 +02:00
Adam Duskett
0896e3ed64 package/a*/Config.in: fix help text wrapping
The check-package script when ran gives warnings on text wrapping on all
of these Config files. This patch cleans up all warnings related to the
text wrapping for the Config files starting with the letter a in the
package directory.

The appropriate indentation is: <tab><2 spaces><62 chars>
See http://nightly.buildroot.org/#writing-rules-config-in for more
information.

Signed-off-by: Adam Duskett <aduskett@codeblue.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-05-11 23:25:00 +02:00
Adam Duskett
7b493e411f package/a*/Config.in: fix ordering of statements
The check-package script when ran gives warnings on ordering issues
on all of these Config files.  This patch cleans up all warnings
related to the ordering in the Config files for packages starting with
the letter a in the package directory.

The appropriate ordering is: type, default, depends on, select, help
See http://nightly.buildroot.org/#_config_files for more information.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-29 17:17:02 +02:00
Bernd Kuhls
68af1dc257 package/apache: security bump version to 2.4.25
Changelog:
http://www.apache.org/dist/httpd/CHANGES_2.4.25

Fixes CVE-2016-8740, CVE-2016-5387, CVE-2016-2161, CVE-2016-0736,
CVE-2016-8743.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-12-22 10:01:22 +01:00
Fabrice Fontaine
bc5584fc90 apache: add customization of MPM
MPM can be selected between event, prefork or worker
Set worker as the default one as it was before even if event MPM is
better on system supporting thread safe polling

Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-09-12 23:13:44 +02:00
Bernd Kuhls
d72868f158 package/apache: security bump to version 2.4.23
Fixes CVE-2016-4979:
TLS/SSL X.509 client certificate auth bypass with HTTP/2
http://httpd.apache.org/security/vulnerabilities_24.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-07-07 11:48:49 +02:00
Gustavo Zacarias
07e4772115 apache: bump to version 2.4.20
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Acked-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-04-13 21:36:43 +02:00