Mail archive
alpine-aports

Re: [alpine-aports] [PATCH v3.1] main/lighttpd: security upgrade to 1.4.36 - fixes #4331

From: Seamus Caveney <scv_at_brinstar.org>
Date: Mon, 12 Dec 2016 10:52:20 -0500

On 2016-12-12 09:26, Sergey Lukin wrote:
> CVE-2015-3200
> ---
> main/lighttpd/APKBUILD | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD
> index b81ad2f..1c9c351 100644
> --- a/main/lighttpd/APKBUILD
> +++ b/main/lighttpd/APKBUILD
> _at_@ -1,8 +1,8 @@
> # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
> pkgname=lighttpd
> -pkgver=1.4.35
> +pkgver=1.4.36
> _streamver=2.2.0
> -pkgrel=2
> +pkgrel=0
> pkgdesc="a secure, fast, compliant and very flexible web-server"
> url="http://www.lighttpd.net/"
> arch="all"
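Review bot: the commit message above carries only the bare identifier CVE-2015-3200 for what the subject calls a security upgrade; add one line saying what that issue is and why 1.4.36 in particular was chosen, so the reasoning can be checked from the log rather than from the mailing-list thread. The pkgrel reset from 2 to 0 alongside the pkgver bump is correct.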
> _at_@ -13,7 +13,7 @@ pkgusers="lighttpd"
> pkggroups="lighttpd"
> makedepends="flex pcre-dev openssl-dev zlib-dev bzip2-dev lua-dev pkgconfig
> automake autoconf openldap-dev libxml2-dev sqlite-dev libev-dev"
> -source="http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.bz2
> +source="http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.gz
> http://h264.code-shop.com/download/lighttpd-1.4.18_mod_h264_streaming-$_streamver.tar.gz
>
> $pkgname.initd
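Review bot: the only change in the source line is the archive extension (.tar.bz2 to .tar.gz) and no reason is given; state in the commit message why the compression format changed. Both tarballs are still fetched over plain http://, so integrity of the build input rests entirely on the checksum lists further down. The second source, lighttpd-1.4.18_mod_h264_streaming-$_streamver.tar.gz, is a third-party module left untouched by this bump; confirm it still builds against 1.4.36 before merging.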
> _at_@ -132,7 +132,7 @@ mod_webdav() {
> }
>
>
> -md5sums="f7a88130ee9984b421ad8aa80629750a lighttpd-1.4.35.tar.bz2
> +md5sums="e439c18bcd90b1175fd118b9f2be4568 lighttpd-1.4.36.tar.gz
> ac37885c881a058194405232e7737a7a lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
> aa1f130f66607615143b2b497c55b177 lighttpd.initd
> 0dede109282bfe685bdec6b35f0e4b6b lighttpd.confd
> _at_@ -142,7 +142,7 @@ f3353baa4577703ec3a30c03482df986 mime-types.conf
> 9c1407e95f62ed22da66c4ef5f69c3b5 mod_cgi.conf
> f3363e39832f1b6678468b482d121afb mod_fastcgi.conf
> aee5947a1abf380b0685a534ca384b42 mod_fastcgi_fpm.conf"
> -sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7 lighttpd-1.4.35.tar.bz2
> +sha256sums="8afc12cd40412cd94679f08725c68e4f5a3d91dfff7abc12d217c4f489b1819b lighttpd-1.4.36.tar.gz
> 732cf98d823f2c7ddc96a3130a3c88d588b02ed20a0e7f8c9be25a265fbea2d6 lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
> 14a769551522d7c05319db2efd6b03962638413e4a3d58a0ee5f3f4760d33f16 lighttpd.initd
> 94f69a173dc26610a43532474230537b9bc31ec846fb9f94cb72765f125edf87 lighttpd.confd
> _at_@ -152,7 +152,7 @@ sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7 li
> 322656b4cfd22ca9f1f8ab160e0b932f1646622422fd49c6fc82ab416223eecf mod_cgi.conf
> d1adc1358b5d9e85353caa2e706bfa231d145dd59c075cdcb3f818b3cb5d722e mod_fastcgi.conf
> e7eb047360e09d1a2b693f08d4a912b99954090c5bdea706f46a33554e867043 mod_fastcgi_fpm.conf"
> -sha512sums="13f8562fb735964fe7ef1b127a15c43907f34be70b6bd2dd4ba61b59275d7c2a8d9a7947ff1a4d7cc5fd7efd309fc66b7de6d954b59424f814ea2eb98fd876b9 lighttpd-1.4.35.tar.bz2
> +sha512sums="ecb88874dd81b5a469d94b8a1b03823b5b12cf49264d77f0d3b71cd4b537ffdd03595a3a471186c36cd9cfaebc5cff5c5f4037c2d8aeb83012ca224651f8a359 lighttpd-1.4.36.tar.gz
> 12e1b7c8146cccfa78678ce56cd2f704423559b23b90996dff00602634f110512146386086ac234293a3c28900a06c2bec1c97e680e7eed5173372f88177b351 lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
> 3d92f1f2fab79d12570e445d0bfba1c3b53898c6eeb323ec2171a289417c01039746f722c5e00bac36ea7fc433e3e7422b64f8952ad780b3d68e010ef3d8bf61 lighttpd.initd
> 93a05dddab14ba6355a0345f1da2fe900c8b55fed8f98506295dc12d96c7cef803c4aca77f016b8acea7bbde485be1e09a57d31fdca6f91023fbeb4db9a90a8b lighttpd.confd
>
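Review bot: the new sha512 for lighttpd-1.4.36.tar.gz, like the md5 and sha256 entries in the hunks above, pins whatever was downloaded from a plain http:// URL; before merging, compare these values against the checksum or signature upstream publishes for the 1.4.36 release, otherwise the lists only catch future drift of the tarball, not a tampered first fetch. The three unchanged entries below (mod_h264_streaming, lighttpd.initd, lighttpd.confd) confirm that only the lighttpd tarball moved.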

Any particular reason you chose to only upgrade a single version? The
latest release is 1.4.43 as of 2016-10-31.

Significant changes since 1.4.36:
- 1.4.37 has regression fixes against 1.4.36 from this APKBUILD
- 1.4.38
   - Several bugfixes relating to core functionality
   - Potential breakage with mod_secdownload requiring new config option
- 1.4.39 has small regression fixes
- 1.4.40 is a major update with literally hundreds of resolved issues
- 1.4.41
   - Four security fixes, one relating to dropping group privileges
   - Potential breakage: long-deprecated config options removed and will
     now cause an error instead of a warning
- 1.4.42 has lots of bug fixes
- 1.4.43 (latest) also has many bug fixes, including building against
     OpenSSL 1.1.0+


---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Mon Dec 12 2016 - 10:52:20 GMT