Commit Graph

30 Commits

Author SHA1 Message Date
Bernd Kuhls
2b702f73df package/apache: security bump to version 2.4.41
Release notes:
http://www.apache.org/dist/httpd/Announcement2.4.html
http://www.apache.org/dist/httpd/CHANGES_2.4.41

Fixes
CVE-2019-10081
CVE-2019-9517
CVE-2019-10098
CVE-2019-10092
CVE-2019-10097
CVE-2019-10082

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-15 15:07:10 +02:00
Peter Korsgaard
556ad6c25b package/apache: security bump to version 2.4.39
Fixes the following security vulnerabilities:

  *) SECURITY: CVE-2019-0197 (cve.mitre.org)
     mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
     host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
     request from http/1.1 to http/2 that was not the first request on a
     connection could lead to a misconfiguration and crash. Servers that
     never enabled the h2 protocol or only enabled it for https: and
     did not set "H2Upgrade on" are unaffected by this issue.
     [Stefan Eissing]

  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
     mod_http2: using fuzzed network input, the http/2 request
     handling could be made to access freed memory in string
     comparision when determining the method of a request and
     thus process the request incorrectly. [Stefan Eissing]

  *) SECURITY: CVE-2019-0211 (cve.mitre.org)
     MPMs unix: Fix a local priviledge escalation vulnerability by not
     maintaining each child's listener bucket number in the scoreboard,
     preventing unprivileged code like scripts run by/on the server (e.g. via
     mod_php) from modifying it persistently to abuse the priviledged main
     process.  [Charles Fol <folcharles gmail.com>, Yann Ylavic]

  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
     mod_http2: using fuzzed network input, the http/2 request
     handling could be made to access freed memory in string
     comparision when determining the method of a request and
     thus process the request incorrectly. [Stefan Eissing]

  *) SECURITY: CVE-2019-0217 (cve.mitre.org)
     mod_auth_digest: Fix a race condition checking user credentials which
     could allow a user with valid credentials to impersonate another,
     under a threaded MPM.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]

  *) SECURITY: CVE-2019-0215 (cve.mitre.org)
     mod_ssl: Fix access control bypass for per-location/per-dir client
     certificate verification in TLSv1.3.

  *) SECURITY: CVE-2019-0220 (cve.mitre.org)
     Merge consecutive slashes in URL's. Opt-out with
     `MergeSlashes OFF`. [Eric Covener]

For more details, see the CHANGES file:
https://www.apache.org/dist/httpd/CHANGES_2.4.39

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-03 09:24:30 +02:00
Peter Korsgaard
7675863549 package/apache: security bump to version 2.4.38
Fixes the following security vulnerabilities:

  *) SECURITY: CVE-2018-17199 (cve.mitre.org)
     mod_session: mod_session_cookie does not respect expiry time allowing
     sessions to be reused.  [Hank Ibell]

  *) SECURITY: CVE-2018-17189 (cve.mitre.org)
     mod_http2: fixes a DoS attack vector. By sending slow request bodies
     to resources not consuming them, httpd cleanup code occupies a server
     thread unnecessarily. This was changed to an immediate stream reset
     which discards all stream state and incoming data.  [Stefan Eissing]

  *) SECURITY: CVE-2019-0190 (cve.mitre.org)
     mod_ssl: Fix infinite loop triggered by a client-initiated
     renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
     later.  PR 63052.  [Joe Orton]

For more details, see the CHANGES file:
https://www.apache.org/dist/httpd/CHANGES_2.4.38

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-01-22 22:14:22 +01:00
Ryan Coe
9a889534cb package/apache: enable optional support for nghttp2
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-12-30 16:38:11 +01:00
Bernd Kuhls
5f832bb812 package/apache: bump version to 2.4.37
Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.37
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 01:18:48 +02:00
Bernd Kuhls
ac22fafdc8 package/apache: security bump to version 2.4.35
Fixes: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames
https://lists.apache.org/thread.html/d435b0267a76501b9e06c552b20c887171064cde38e46d678da4d3dd@%3Cannounce.httpd.apache.org%3E

Release notes:
https://lists.apache.org/thread.html/5d604774652fc073b1b161584d0d1efbdba7898c40ae2e2334725e5f@%3Cannounce.httpd.apache.org%3E

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-09-30 10:37:08 +02:00
Bernd Kuhls
8ef1aaa084 package/apache: bump version to 2.4.34
Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.34

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-07-17 00:34:33 +02:00
Fabrice Fontaine
2ce4028d5f apache: add systemd init script
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-06-23 09:51:59 +02:00
Fabrice Fontaine
876917689b apache: add reload target to sysv init script
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-06-22 19:10:10 +02:00
Fabrice Fontaine
fe03f5231f apache: add init sysv script
sysv init script is just a wrapper to apachectl

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-06-21 21:40:58 +02:00
Bernd Kuhls
6087e54800 package/apache: fix lua detection
Patch suggested by Thomas: Adding a path to --with-lua disables
pkgconf-based detection of lua, which in some cases needs libdl.

This patch removes --with-lua which fixes
http://autobuild.buildroot.net/results/cc1/cc13f4cef9cf6f18615d58f1d83b233812f19fa0/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-04-01 16:22:25 +02:00
Bernd Kuhls
be796657cb package/apache: add optional support for lua
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-03-31 20:17:09 +02:00
Bernd Kuhls
65193bf3c9 package/apache: security bump to version 2.4.33
Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.33

Fixes CVE-2017-15710, CVE-2018-1283, CVE-2018-1303, CVE-2018-1301,
CVE-2017-15715, CVE-2018-1312, CVE-2018-1302.

Added license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-03-24 11:53:48 +01:00
Bernd Kuhls
386ca343c5 package/apache: bump version to 2.4.29
Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.29

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-10-24 08:00:12 +02:00
Bernd Kuhls
1cff68251e package/apache: bump to version 2.4.28
Fix for CVE-2017-9798 is included in this release, so this patch is
removed.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Update commit log: not a security bump]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2017-10-06 18:41:57 +02:00
Bernd Kuhls
6d24caf0cd package/apache: add patch to fix CVE-2017-9798
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2017-09-19 21:44:28 +02:00
Bernd Kuhls
cf9b7cedac package/apache: bump version to 2.4.27
Announcement: http://www.apache.org/dist/httpd/Announcement2.4.html
Release notes: http://www.apache.org/dist/httpd/CHANGES_2.4.27

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-07-11 21:31:17 +02:00
Peter Korsgaard
e8a15fd693 apache: security bump to version 2.4.26
Fixes the following security issues:

CVE-2017-3167: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26,
use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being bypassed.

CVE-2017-3169: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26,
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.

CVE-2017-7659: A maliciously constructed HTTP/2 request could cause
mod_http2 to dereference a NULL pointer and crash the server process.

CVE-2017-7668: The HTTP strict parsing changes added in Apache httpd 2.2.32
and 2.4.24 introduced a bug in token list parsing, which allows
ap_find_token() to search past the end of its input string.  By maliciously
crafting a sequence of request headers, an attacker may be able to cause a
segmentation fault, or to force ap_find_token() to return an incorrect
value.

CVE-2017-7679: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26,
mod_mime can read one byte past the end of a buffer when sending a malicious
Content-Type response header.

While we're at it, use the upstream sha256 checksum instead of sha1.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-06-20 23:24:33 +02:00
Adam Duskett
0896e3ed64 package/a*/Config.in: fix help text wrapping
The check-package script when ran gives warnings on text wrapping on all
of these Config files. This patch cleans up all warnings related to the
text wrapping for the Config files starting with the letter a in the
package directory.

The appropriate indentation is: <tab><2 spaces><62 chars>
See http://nightly.buildroot.org/#writing-rules-config-in for more
information.

Signed-off-by: Adam Duskett <aduskett@codeblue.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-05-11 23:25:00 +02:00
Adam Duskett
7b493e411f package/a*/Config.in: fix ordering of statements
The check-package script when ran gives warnings on ordering issues
on all of these Config files.  This patch cleans up all warnings
related to the ordering in the Config files for packages starting with
the letter a in the package directory.

The appropriate ordering is: type, default, depends on, select, help
See http://nightly.buildroot.org/#_config_files for more information.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-29 17:17:02 +02:00
Bernd Kuhls
68af1dc257 package/apache: security bump version to 2.4.25
Changelog:
http://www.apache.org/dist/httpd/CHANGES_2.4.25

Fixes CVE-2016-8740, CVE-2016-5387, CVE-2016-2161, CVE-2016-0736,
CVE-2016-8743.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-12-22 10:01:22 +01:00
Fabrice Fontaine
bc5584fc90 apache: add customization of MPM
MPM can be selected between event, prefork or worker
Set worker as the default one as it was before even if event MPM is
better on system supporting thread safe polling

Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-09-12 23:13:44 +02:00
Bernd Kuhls
d72868f158 package/apache: security bump to version 2.4.23
Fixes CVE-2016-4979:
TLS/SSL X.509 client certificate auth bypass with HTTP/2
http://httpd.apache.org/security/vulnerabilities_24.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-07-07 11:48:49 +02:00
Gustavo Zacarias
07e4772115 apache: bump to version 2.4.20
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Acked-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-04-13 21:36:43 +02:00
Thomas Petazzoni
22e63d952e apache, apr: fix atomic handling
Since the apache package was introduced,
--enable-nonportable-atomics=yes was passed when
BR2_ARCH_HAS_ATOMICS. However, Apache doesn't take this option: it
only passes it down when building the APR library. But since we're
building APR separately, this statement had no effect.

So this commit removes the useless code from the Apache package, and
instead adds the appropriate logic to the apr package, using the new
BR2_TOOLCHAIN_HAS_SYNC_x symbols rather than BR2_ARCH_HAS_ATOMICS.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
2016-02-06 11:16:00 +01:00
Bernd Kuhls
4e2af5eac4 package/apache: bump version to 2.4.18
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-12-19 14:06:32 +01:00
Vicente Olivert Riera
b87447a50f apache: bump to version 2.4.17
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-10-14 22:29:12 +02:00
Bernd Kuhls
fd9abf873a package/apache: security bump to version 2.4.16
Fixes CVE-2015-3183, CVE-2015-3185, CVE-2015-0253, CVE-2015-0228
http://marc.info/?l=apache-httpd-announce&m=143704705330655&w=2

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-16 23:39:44 +02:00
Bernd Kuhls
6947697783 package/apache: fix nios2 detection
Apache treats nios2 as OS/2 which is wrong.

Fixes
http://autobuild.buildroot.net/results/27c/27c5848a344c7e16feefcbd3773b50a78d6e63f0/
http://autobuild.buildroot.net/results/d8c/d8cf103033c63e79ed2db0b600f120f6fcb5b5e9/
http://autobuild.buildroot.net/results/1de/1dec866cf9a5f731a9ed93dff5b8b98001863635/
http://autobuild.buildroot.net/results/776/776be8ef579e3444123d8183dca1062ece656436/
http://autobuild.buildroot.net/results/5d2/5d21ac2d8f008d984d6f8b359ebb0e2482545683/
http://autobuild.buildroot.net/results/87f/87f25b20f63eebf7f75e35064bad79e3d383e7a8/
http://autobuild.buildroot.net/results/1b7/1b75f52c70af7880d523185565b7aaf59d9f9b3e/

[Thomas: adjust patch so that it continues to match OS/2 properly,
while still not matching NIOS2.]

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-03 15:32:11 +02:00
Bernd Kuhls
c0da6bcf85 apache: new package
[Thomas:
 - Don't explicitly pass CC_FOR_BUILD and CFLAGS_FOR_BUILD, those are
   already part of the default environment passed by the
   autotools-package infrastructure.
 - Explicitly disable Lua and LuaJIT support to avoid mis-detection of
   host installation.
 - Explicitly handle the optional support of libxml2, OpenSSL and
   zlib. Especially, the absence of explicit handling for libxml2 was
   causing a build failure due to the host libxml2 being detected.
 - Remove /usr/manual and /usr/build from the target. This saves 20+
   MB of target space.]

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-02-22 15:24:54 +01:00