| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.
I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
| |
Fixes
QA Issue: File /usr/libexec/apache2/build/config.nice in package apache2-dev contains reference to TMPDIR [buildpaths]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This vulnerability is for Apache-AuthenSmb module.
Fixed in 0.9, current version is 0.72.
In any case, not part of Apache2 sources.
[1] points to [2], which is archived under [3]
[1] https://nvd.nist.gov/vuln/detail/CVE-1999-1237
[2] http://www.securityfocus.com/archive/1/14384
[3] https://web.archive.org/web/20020618143426/http://online.securityfocus.com/archive/1/14384
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This CVE is officially disputed by Redhat with official statement in
https://nvd.nist.gov/vuln/detail/CVE-2007-0086
Red Hat does not consider this issue to be a security vulnerability.
The pottential attacker has to send acknowledgement packets periodically
to make server generate traffic. Exactly the same effect could be
achieved by simply downloading the file. The statement that setting the
TCP window size to arbitrarily high value would permit the attacker to
disconnect and stop sending ACKs is false, because Red Hat Enterprise
Linux limits the size of the TCP send buffer to 4MB by default.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
| |
These were not updated on recipe upgrade.
To make maintenance easier, remove exact versions.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
| |
These CVEs are specific to Debian and MAC OS X respectively.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit modifies the PACKAGECONFIG entry for zlib to ensure that the
mod_deflate module is enabled with the appropriate zlib configuration.
By adding the --with-zlib=${STAGING_LIBDIR}/../ option, we direct the
configure script to use the zlib library from the staging directory
instead of relying on the host system's zlib installation.
Without that configure will search the host for zlib headers and lib.
This change resolves build failures related to zlib dependency when
mod_deflate is enabled and ensures a consistent build environment across
different host configurations.
Signed-off-by: Valeria Petrov <valeria.petrov@spinetix.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Busybox can optionally provide an httpd server, but by default The Yocto
Project defconfig for busybox does not enable it. If it is enabled,
busybox puts the resulting /usr/sbin/httpd object under the control of
update-alternatives.
apache2, on the other hand, does not put /usr/sbin/httpd under the control
of update-alternatives. Therefore, in the off chance a user enables the
busybox httpd server, it does not play well with apache2.
Add update-alternatives information to apache2 so that it plays nicely with
busybox which can optionally provide an httpd server at /usr/sbin/httpd.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Security fixes:
CVE-2024-39884 Apache HTTP Server: source code disclosure with handlers configured via AddType
Changelog:
https://github.com/apache/httpd/blob/2.4.61/CHANGES
https://httpd.apache.org/security/vulnerabilities_24.html
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Alba Herrerías <alba@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Update CVE status for: CVE-1999-0289, CVE-2007-0450, CVE-2010-0425
The current version (2.4.6) is not affected. It only applies for Windows.
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE's Fixed by upgrade:
CVE-2024-36387 apache2/httpd: DoS by null pointer in websocket over HTTP/2
CVE-2024-38472 apache2/httpd: UNC SSRF on WIndows
CVE-2024-38473 apache2/httpd: Encoding problem in mod_proxy
CVE-2024-38474 apache2/httpd: Substitution encoding issue in mod_rewrite
CVE-2024-38475 apache2/httpd: Improper escaping of output in mod_rewrite
CVE-2024-38476 apache2/httpd: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
CVE-2024-38477 apache2/httpd: null pointer dereference in mod_proxy
CVE-2024-39573 apache2/httpd: Potential SSRF in mod_rewrite
Other Changes between 2.4.59 -> 2.4.60
======================================
https://github.com/apache/httpd/blob/2.4.60/CHANGES
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Update status for:
CVE-2007-6421, CVE-2007-6422, CVE-2007-6423, CVE-2008-2168
CPE is incorrect, the current version (2.4.59) is not affected.
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are file conflicts of apache2 when multilib enabled:
Error: Transaction test error:
file /usr/share/apache2/build/config.nice conflicts between attempted
installs of apache2-dev-2.4.58-r0.cortexa57 and lib32-apache2-dev-2.4.58-r0.armv7vet2hf_vfp
file /usr/share/apache2/build/config_vars.mk conflicts between
attempted installs of apache2-dev-2.4.58-r0.cortexa57 and lib32-apache2-dev-2.4.58-r0.armv7vet2hf_vfp
Install the 'build' directory to ${libexecdir} by setting
'installbuilddir' to fix the conflicts. ${libexecdir} is not populated
to sysroot by default, but command apxs requires these files, then add
the dir to SYSROOT_DIRS to populate them.
And inherit bbclasses multilib_script and multilib_header to fix
follow-up conflicts:
file /usr/bin/apxs conflicts between attempted installs of
apache2-dev-2.4.58-r0.cortexa57 and lib32-apache2-dev-2.4.58-r0.armv7vet2hf_vfp
file /usr/include/apache2/ap_config_layout.h conflicts between
attempted installs of apache2-dev-2.4.58-r0.cortexa57 and lib32-apache2-dev-2.4.58-r0.armv7vet2hf_vfp
Since multilib_script inherits update-alternatives, remove it from
inherit line for beautification.
Fix buildpaths warning as well:
WARNING: lib32-apache2-2.4.58-r0 do_package_qa: QA Issue: File /usr/share/apache2/build/config.nice
in package lib32-apache2-dev contains reference to TMPDIR [buildpaths]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
| |
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This upgrade incorporates the fixes for CVE-2024-27316,
CVE-2024-24795,CVE-2023-38709 and other bugfixes.
Adjusted 0004-apache2-log-the-SELinux-context-at-startup.patch
and 0007-apache2-allow-to-disable-selinux-support.patch to
align with upgraded version.
Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.59
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
| |
currently this is chosen depending on machine at do_configure
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Note that patch 0011-modules... is no longer needed as it's included in
the upgrade as well.
CVE: CVE-2023-43622
Signed-off-by: Dylan Turner <dylan.turner@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This recipe sets the product name used for CVE checking to
"http_server". However, the cve-check logic matches that name to all
products in the CVE database regardless of vendor. Currently, it is
matching to products from vendors other than apache. As a result,
CVE checking incorrectly reports CVEs for those vendors' products for
this package.
Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
python3-pybluez, python3-pynetlinux, apache2: Fix Malformed Upstream-Status
* Accepted was replaced with Backport in gatesgarth:
https://docs.yoctoproject.org/migration-guides/migration-3.2.html#miscellaneous-changes
* as detected with oe-core/scripts/contrib/patchreview.py:
meta-openembedded $ grep -A 3 Malformed *qa-patches
meta-gnome.qa-patches:Malformed Upstream-Status 'Malformed Upstream-Status in patch
meta-gnome.qa-patches-/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch
meta-gnome.qa-patches-Please correct according to https://docs.yoctoproject.org/contributor-guide/recipe-style-guide.html#patch-upstream-status :
meta-gnome.qa-patches-Upstream-Status: Accepted [https://gitlab.gnome.org/GNOME/gnome-tweaks/-/commit/dc9701e18775c01d0b69fabaa350147f70096da8]' (/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
Changes with Apache 2.4.57
*) mod_proxy: Check before forwarding that a nocanon path has not been
rewritten with spaces during processing. [Yann Ylavic]
*) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
double encode encoded slashes in the URL sent by the reverse proxy to the
backend. [Ruediger Pluem]
*) mod_http2: fixed a crash during connection termination. See PR 66539.
[Stefan Eissing]
*) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
in a question mark. PR66547. [Eric Covener]
*) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
characters on redirections without the "NE" flag.
[Yann Ylavic, Eric Covener]
*) mod_proxy: Fix double encoding of the uri-path of the request forwarded
to the origin server, when using mapping=encoded|servlet. [Yann Ylavic]
*) mod_mime: Do not match the extention against possible query string
parameters in case ProxyPass was used with the nocanon option.
[Ruediger Pluem]
New patch:
0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch
Accepted in upstream, expected to be removed at next apache2 2.4.58 update.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
==========
- rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
truncated without the initial logfile being truncated.
- mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
allow connections of any age to be reused. Up to now, a negative value
was handled as an error when parsing the configuration file. PR 66421.
- mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
of headers.
- mod_md:
- Enabling ED25519 support and certificate transparency information when
building with libressl v3.5.0 and newer.
- MDChallengeDns01 can now be configured for individual domains.
- Fixed a bug that caused the challenge
teardown not being invoked as it should.
- mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
reported in access logs and error documents. The processing of the
reset was correct, only unneccesary reporting was caused.
- mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Fixes:
systemd-tmpfiles[181]: /etc/tmpfiles.d/apache2-volatile.conf:1:
Line references path below legacy directory /var/run/, updating /var/run/apache2 -> /run/apache2;
please update the tmpfiles.d/ drop-in file accordingly.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
| |
Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.55
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
WARNING: apache2-2.4.54-r0 do_package_qa: QA Issue: File /usr/src/debug/apache2/2.4.54-r0/build/server/exports.c in package apache2-src contains reference to TMPDIR [buildpaths]
Before the patch:
# cat ./build/server/exports.c
[snip]
#include "mpm_fdqueue.h"
const void *ap_ugly_hack = NULL;
/*
* /buildarea/build/tmp-glibc/work/core2-32-wrs-linux/apache2/2.4.54-r0/httpd-2.4.54/include/ap_expr.h
*/
const void *ap_hack_ap_expr_exec = (const void *)ap_expr_exec;
[snip]
After the patch:
# cat ./build/server/exports.c
[snip]
#include "mpm_fdqueue.h"
const void *ap_ugly_hack = NULL;
/*
* ap_expr.h
*/
const void *ap_hack_ap_expr_exec = (const void *)ap_expr_exec;
[snip]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
| |
Split out apache2-utils so this small package could be used by
other packages. For example, htpasswd could be used by docker-registry.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
0004-apache2-log-the-SELinux-context-at-startup.patch
refresh for new version.
Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.54
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ChangeLog:
https://downloads.apache.org/httpd/CHANGES_2.4.53
Security fixes:
CVE-2022-23943
CVE-2022-22721
CVE-2022-22720
CVE-2022-22719
Refresh patches.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
==========
*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
multipart content in mod_lua of Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A carefully crafted request body can cause a buffer overflow in
the mod_lua multipart parser (r:parsebody() called from Lua
scripts).
The Apache httpd team is not aware of an exploit for the
vulnerabilty though it might be possible to craft one.
This issue affects Apache HTTP Server 2.4.51 and earlier.
*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
forward proxy configurations in Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A crafted URI sent to httpd configured as a forward proxy
(ProxyRequests on) can cause a crash (NULL pointer dereference)
or, for configurations mixing forward and reverse proxy
declarations, can allow for requests to be directed to a
declared Unix Domain Socket endpoint (Server Side Request
Forgery).
This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
(included).
*) http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications.
*) OpenSSL autoconf detection improvement: pick up openssl.pc in the
specified openssl path.
*) mod_proxy_connect, mod_proxy: Do not change the status code after we
already sent it to the client.
*) mod_http: Correctly sent a 100 Continue status code when sending an interim
response as result of an Expect: 100-Continue in the request and not the
current status code of the request. PR 65725
*) mod_dav: Some DAV extensions, like CalDAV, specify both document
elements and property elements that need to be taken into account
when generating a property. The document element and property element
are made available in the dav_liveprop_elem structure by calling
dav_get_liveprop_element().
*) mod_dav: Add utility functions dav_validate_root_ns(),
dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
dav_find_attr() so that other modules get to play too.
*) mpm_event: Restart stopping of idle children after a load peak. PR 65626.
*) mod_http2: fixes 2 regressions in server limit handling.
1. When reaching server limits, such as MaxRequestsPerChild, the
HTTP/2 connection send a GOAWAY frame much too early on new
connections, leading to invalid protocol state and a client
failing the request. See PR65731.
The module now initializes the HTTP/2 protocol correctly and
allows the client to submit one request before the shutdown
via a GOAWAY frame is being announced.
2. A regression in v1.15.24 was fixed that could lead to httpd
child processes not being terminated on a graceful reload or
when reaching MaxConnectionsPerChild. When unprocessed h2
requests were queued at the time, these could stall.
See <https://github.com/icing/mod_h2/issues/212>.
*) mod_ssl: Add build support for OpenSSL v3.
*) mod_proxy_connect: Honor the smallest of the backend or client timeout
while tunneling.
*) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
half-close forwarding when tunneling protocols.
*) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
a third-party module. PR 65627.
*) mod_md: Fix memory leak in case of failures to load the private key.
PR 65620
*) mod_md: adding v2.4.8 with the following changes
- Added support for ACME External Account Binding (EAB).
Use the new directive `MDExternalAccountBinding` to provide the
server with the value for key identifier and hmac as provided by
your CA.
While working on some servers, EAB handling is not uniform
across CAs. First tests with a Sectigo Certificate Manager in
demo mode are successful. But ZeroSSL, for example, seems to
regard EAB values as a one-time-use-only thing, which makes them
fail if you create a seconde account or retry the creation of the
first account with the same EAB.
- The directive 'MDCertificateAuthority' now checks if its parameter
is a http/https url or one of a set of known names. Those are
'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
for now and they are not case-sensitive.
The default of LetsEncrypt is unchanged.
- `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
section.
- Treating 401 HTTP status codes for orders like 403, since some ACME
servers seem to prefer that for accessing oders from other accounts.
- When retrieving certificate chains, try to read the repsonse even
if the HTTP Content-Type is unrecognized.
- Fixed a bug that reset the error counter of a certificate renewal
and prevented the increasing delays in further attempts.
- Fixed the renewal process giving up every time on an already existing
order with some invalid domains. Now, if such are seen in a previous
order, a new order is created for a clean start over again.
See <https://github.com/icing/mod_md/issues/268>
- Fixed a mixup in md-status handler when static certificate files
and renewal was configured at the same time.
*) mod_md: values for External Account Binding (EAB) can
now also be configured to be read from a separate JSON
file. This allows to keep server configuration permissions
world readable without exposing secrets.
*) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
PR 65616.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
| |
libtool is now longer renamed to ${host}-libtool, so remove the changes
to support this.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: Apache.org
MR: 113457, 113453
Type: Security Fix
Disposition: Backport from apache.org 2.4.51
ChangeID: 9d7b58f49487baff99bf8f101e53217425a2b81f
Description:
Bug fix only update. LTS version
https://httpd.apache.org/security/vulnerabilities_24.html
Fixes CVEs:
CVE-2021-42013
CVE-2021-41524
CVE-2021-41773
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes with Apache 2.4.49
*) SECURITY: CVE-2021-40438 (cve.mitre.org)
mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic]
*) SECURITY: CVE-2021-39275 (cve.mitre.org)
core: ap_escape_quotes buffer overflow
*) SECURITY: CVE-2021-36160 (cve.mitre.org)
mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]
*) SECURITY: CVE-2021-34798 (cve.mitre.org)
core: null pointer dereference on malformed request
*) SECURITY: CVE-2021-33193 (cve.mitre.org)
mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]
*) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding 'ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
module to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core provided optional function wrap any registered function
like it was done for `ssl_is_ssl`.
[Stefan Eissing]
*) mod_ssl: Support logging private key material for use with
wireshark via log file given by SSLKEYLOGFILE environment
variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
*) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
"ProxyPassInterpolateEnv On" are configured. PR 65549.
[Joel Self <joelself gmail.com>]
*) mpm_event: Fix children processes possibly not stopped on graceful
restart. PR 63169. [Joel Self <joelself gmail.com>]
*) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
protocols from mod_proxy_http, and a timeout triggering falsely when
using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
upgrade= setting. PRs 65521 and 65519. [Yann Ylavic]
*) mod_unique_id: Reduce the time window where duplicates may be generated
PR 65159
[Christophe Jaillet]
*) mpm_prefork: Block signals for child_init hooks to prevent potential
threads created from there to catch MPM's signals.
[Ruediger Pluem, Yann Ylavic]
*) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load.
PR 65159" added in 2.4.47.
This causes issue on Windows.
[Christophe Jaillet]
*) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic]
*) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
as successful or a staged renewal is replacing the existing certificates.
This avoid potential mess ups in the md store file system to render the active
certificates non-working. [@mkauf]
*) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
[Yann Ylavic]
*) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
connections. If ALPN protocols are provided and sent to the
remote server, the received protocol selected is inspected
and checked for a match. Without match, the peer handshake
fails.
An exception is the proposal of "http/1.1" where it is
accepted if the remote server did not answer ALPN with
a selected protocol. This accomodates for hosts that do
not observe/support ALPN and speak http/1.x be default.
*) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
with others when their URLs contain a '$' substitution. PR 65419 + 65429.
[Yann Ylavic]
*) mod_dav: Add method_precondition hook. WebDAV extensions define
conditions that must exist before a WebDAV method can be executed.
This hook allows a WebDAV extension to verify these preconditions.
[Graham Leggett]
*) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
modules apart from versioning implementations to handle the REPORT method.
[Graham Leggett]
*) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
dav_get_resource() to mod_dav.h. [Graham Leggett]
*) core: fix ap_escape_quotes substitution logic. [Eric Covener]
*) Easy patches: synch 2.4.x and trunk
- mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp.
- mod_ldap: log and abort locking errors.
- mod_ldap: style fix for r1831165
- mod_ldap: build break fix for r1831165
- mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements
- mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590)
- mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case.
- mod_rewrite: Save a few cycles.
- mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues
- core: remove extra whitespace in HTTP_NOT_IMPLEMENTED
[Christophe Jaillet]
*) core/mpm: add hook 'child_stopping` that gets called when the MPM is
stopping a child process. The additional `graceful` parameter allows
registered hooks to free resources early during a graceful shutdown.
[Yann Ylavic, Stefan Eissing]
*) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the
balancer-manager, which can lead to a crash. [Yann Ylavic]
*) mpm_event: Fix graceful stop/restart of children processes if connections
are in lingering close for too long. [Yann Ylavic]
*) mod_md: fixed a potential null pointer dereference if ACME/OCSP
server returned 2xx responses without content type. Reported by chuangwen.
[chuangwen, Stefan Eissing]
*) mod_md:
- Domain names in `<MDomain ...>` can now appear in quoted form.
- Fixed a failure in ACME challenge selection that aborted further searches
when the tls-alpn-01 method did not seem to be suitable.
- Changed the tls-alpn-01 setup to only become unsuitable when none of the
dns names showed support for a configured 'Protocols ... acme-tls/1'. This
allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
[Stefan Eissing]
*) Add CPING to health check logic. [Jean-Frederic Clere]
*) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]
*) core, h2: common ap_parse_request_line() and ap_check_request_header()
code. [Yann Ylavic]
*) core: Add StrictHostCheck to allow unconfigured hostnames to be
rejected. [Eric Covener]
*) htcacheclean: Improve help messages. [Christophe Jaillet]
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
| |
Filter out -ffile-prefix-map as well along with other -f*-prefix-map
options
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Minor upgrade inluding bug and CVE fixes, namely:
- CVE-2020-9490
- CVE-2020-11984
- CVE-2020-11993
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
The commit e789c3837ca8d65abb4bac29dc2e5c595c8ce05b tries to create
log/run directory in initscript/systemd unit file. This is not a correct
method. We should create them in pkg_postinst.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
reproduce steps:
1. boot up target
2. scp apache2-2.4.41-r0.1.aarch64.rpm on target
3. rpm -i apache2-2.4.41-r0.1.aarch64.rpm
4. systemctl status apache2
Error:
httpd[7767]: (2)No such file or directory: AH02291: Cannot access directory '/var/log/apache2/' for main error log
with the old way, /var/log/apache2/ is created by service
systemd-tmpfiles-setup during boot, so only works when apache2
already installed before boot, in above scenario,
/var/log/apache2/ will not created. fix by creating it in the
service file. similar fix for sysV system
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
apache2 added cross-compilation support after 2.4.41, but
this conflicts with our own cross-compilation setup and causes
related recipes like apache-websocket to fail to find config
files (due to incorrect file paths) during build:
| cannot open
/ala-lpggp31/tgamblin/yocto/poky.git/build/tmp/work/core2-64-poky-linux/apache-websocket/0.1.1+gitAUTOINC+6968083264-r0/recipe-sysroot/ala-lpggp31/tgamblin/yocto/poky.git/build/tmp/work/core2-64-poky-linux/apache-websocket/0.1.1+gitAUTOINC+6968083264-r0/recipe-sysroot//usr/share/apache2/build/config_vars.mk:
No such file or directory at
/ala-lpggp31/tgamblin/yocto/poky.git/build/tmp/work/core2-64-poky-linux/apache-websocket/0.1.1+gitAUTOINC+6968083264-r0/recipe-sysroot/usr/bin/crossscripts/apxs
line 213.
Add this patch to ensure that the $destdir
variable used in apache2's cross-compilation scheme is always
the empty string so that apache-websocket can find the right
files.
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
LICENSE file was updated due to a typo fix.
Note that this upgrade fixes two CVES affecting versions
2.4.41 and earlier:
CVE: CVE-2020-1927
CVE: CVE-2020-1934
See:
https://nvd.nist.gov/vuln/detail/CVE-2020-1927
https://nvd.nist.gov/vuln/detail/CVE-2020-1934
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are errors of apache2 about files conflicts when multilib enabled:
| Error: Transaction check error:
| file /etc/apache2/extra/httpd-ssl.conf conflicts between attempted installs of lib32-apache2-2.4.41-r0.core2_32 and apache2-2.4.41-r0.core2_64
| file /etc/apache2/httpd.conf conflicts between attempted installs of lib32-apache2-2.4.41-r0.core2_32 and apache2-2.4.41-r0.core2_64
| file /usr/sbin/envvars conflicts between attempted installs of lib32-apache2-2.4.41-r0.core2_32 and apache2-2.4.41-r0.core2_64
| file /usr/sbin/envvars-std conflicts between attempted installs of lib32-apache2-2.4.41-r0.core2_32 and apache2-2.4.41-r0.core2_64
It makes libexecdir point to ${libdir}. Reset to ${libexecdir} which could
eliminate file conflicts of the conf files. And remove /usr/sbin/envvars and
/usr/sbin/envvars-std which only used by apachectl. They only add standard
library path ${libdir} to LD_LIBRARY_PATH, so remove them to avoid multilib
file conflicts.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Security fixes:
CVE-2019-10081
CVE-2019-9517
CVE-2019-10098
CVE-2019-10092
CVE-2019-10097
CVE-2019-10082
See: http://www.apache.org/dist/httpd/CHANGES_2.4.41
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add back this patch. Without this patch, apxs's shebang will use
perl under hosttools, which can be too long for shebang, and cause
error:
bad interpreter: No such file or directory
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
| |
The build related files (${datadir}/${BPN}/build and ${bindir}/apxs)
belong in the -dev package, and the manual belong in the -doc package.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
| |
A missing space lead to problems if something else was already added to
SYSROOT_PREPROCESS_FUNCS.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* Drop apache2-native recipe.
Add native to BBCLASSEXTEND in apache2 recipe.
* Refresh patches.
Drop CVE-2018-11763.patch and apache-configure_perlbin.patch
* Cleanup recipe file. Remove obsolete code.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
