
[alpine-aports] [PATCH v3.1] main/lighttpd: security upgrade to 1.4.36 - fixes #4331

Details
Message ID
<1481552810-8755-1-git-send-email-sergej.lukin@gmail.com>
Sender timestamp
1481552810
DKIM signature
missing
Patch: +6 -6
CVE-2015-3200
---
 main/lighttpd/APKBUILD | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

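diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD
index b81ad2f..1c9c351 100644
--- a/main/lighttpd/APKBUILD
+++ b/main/lighttpd/APKBUILD
@@ -1,8 +1,8 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=lighttpd
-pkgver=1.4.35
+pkgver=1.4.36
 _streamver=2.2.0
-pkgrel=2
+pkgrel=0
 pkgdesc="a secure, fast, compliant and very flexible web-server"
 url="http://www.lighttpd.net/"
 arch="all"
@@ -13,7 +13,7 @@ pkgusers="lighttpd"
 pkggroups="lighttpd"
 makedepends="flex pcre-dev openssl-dev zlib-dev bzip2-dev lua-dev pkgconfig
 	automake autoconf openldap-dev libxml2-dev sqlite-dev libev-dev"
-source="http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.bz2
+source="http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.gz
 	http://h264.code-shop.com/download/lighttpd-1.4.18_mod_h264_streaming-$_streamver.tar.gz
 
 	$pkgname.initd
@@ -132,7 +132,7 @@ mod_webdav() {
 }
 
 
-md5sums="f7a88130ee9984b421ad8aa80629750a  lighttpd-1.4.35.tar.bz2
+md5sums="e439c18bcd90b1175fd118b9f2be4568  lighttpd-1.4.36.tar.gz
 ac37885c881a058194405232e7737a7a  lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
 aa1f130f66607615143b2b497c55b177  lighttpd.initd
 0dede109282bfe685bdec6b35f0e4b6b  lighttpd.confd
@@ -142,7 +142,7 @@ f3353baa4577703ec3a30c03482df986  mime-types.conf
 9c1407e95f62ed22da66c4ef5f69c3b5  mod_cgi.conf
 f3363e39832f1b6678468b482d121afb  mod_fastcgi.conf
 aee5947a1abf380b0685a534ca384b42  mod_fastcgi_fpm.conf"
-sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7  lighttpd-1.4.35.tar.bz2
+sha256sums="8afc12cd40412cd94679f08725c68e4f5a3d91dfff7abc12d217c4f489b1819b  lighttpd-1.4.36.tar.gz
 732cf98d823f2c7ddc96a3130a3c88d588b02ed20a0e7f8c9be25a265fbea2d6  lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
 14a769551522d7c05319db2efd6b03962638413e4a3d58a0ee5f3f4760d33f16  lighttpd.initd
 94f69a173dc26610a43532474230537b9bc31ec846fb9f94cb72765f125edf87  lighttpd.confd
@@ -152,7 +152,7 @@ sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7  li
 322656b4cfd22ca9f1f8ab160e0b932f1646622422fd49c6fc82ab416223eecf  mod_cgi.conf
 d1adc1358b5d9e85353caa2e706bfa231d145dd59c075cdcb3f818b3cb5d722e  mod_fastcgi.conf
 e7eb047360e09d1a2b693f08d4a912b99954090c5bdea706f46a33554e867043  mod_fastcgi_fpm.conf"
-sha512sums="13f8562fb735964fe7ef1b127a15c43907f34be70b6bd2dd4ba61b59275d7c2a8d9a7947ff1a4d7cc5fd7efd309fc66b7de6d954b59424f814ea2eb98fd876b9  lighttpd-1.4.35.tar.bz2
+sha512sums="ecb88874dd81b5a469d94b8a1b03823b5b12cf49264d77f0d3b71cd4b537ffdd03595a3a471186c36cd9cfaebc5cff5c5f4037c2d8aeb83012ca224651f8a359  lighttpd-1.4.36.tar.gz
 12e1b7c8146cccfa78678ce56cd2f704423559b23b90996dff00602634f110512146386086ac234293a3c28900a06c2bec1c97e680e7eed5173372f88177b351  lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
 3d92f1f2fab79d12570e445d0bfba1c3b53898c6eeb323ec2171a289417c01039746f722c5e00bac36ea7fc433e3e7422b64f8952ad780b3d68e010ef3d8bf61  lighttpd.initd
 93a05dddab14ba6355a0345f1da2fe900c8b55fed8f98506295dc12d96c7cef803c4aca77f016b8acea7bbde485be1e09a57d31fdca6f91023fbeb4db9a90a8b  lighttpd.confd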
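Review bot: The bump to `pkgver=1.4.36` leaves the third-party `lighttpd-1.4.18_mod_h264_streaming-$_streamver.tar.gz` source and its checksums untouched, although the reply downthread quotes the 1.4.36 release notes as saying the internal buffer and chunk API changed and third-party plugins are likely to break. The patch should state that the h264 streaming module was built and loaded against 1.4.36 on the v3.1 branch, since a module that no longer compiles would turn a security upgrade into a build failure for that subpackage. The rationale for the upgrade is only in the mail subject; recording it in the APKBUILD, e.g. `# 1.4.36 fixes CVE-2015-3200` next to `pkgver=`, keeps it visible to the next maintainer of the stable branch. Switching the tarball from `.tar.bz2` to `.tar.gz` is fine as long as all three checksum lines were taken from the upstream-published sums rather than a locally downloaded copy; the commit does not say where they came from.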
-- 
2.2.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Seamus Caveney <scv@brinstar.org>
Details
Message ID
<4534ecdd-2631-4dd5-bb61-839cb86a398e@brinstar.org>
In-Reply-To
<1481552810-8755-1-git-send-email-sergej.lukin@gmail.com> (view parent)
Sender timestamp
1481557940
DKIM signature
missing
On 2016-12-12 09:26, Sergey Lukin wrote:
> CVE-2015-3200
> ---
>  main/lighttpd/APKBUILD | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD
> index b81ad2f..1c9c351 100644
> --- a/main/lighttpd/APKBUILD
> +++ b/main/lighttpd/APKBUILD
> @@ -1,8 +1,8 @@
>  # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
>  pkgname=lighttpd
> -pkgver=1.4.35
> +pkgver=1.4.36
>  _streamver=2.2.0
> -pkgrel=2
> +pkgrel=0
>  pkgdesc="a secure, fast, compliant and very flexible web-server"
>  url="http://www.lighttpd.net/"
>  arch="all"
> @@ -13,7 +13,7 @@ pkgusers="lighttpd"
>  pkggroups="lighttpd"
>  makedepends="flex pcre-dev openssl-dev zlib-dev bzip2-dev lua-dev pkgconfig
>  	automake autoconf openldap-dev libxml2-dev sqlite-dev libev-dev"
> -source="http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.bz2
> +source="http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.gz
>  	http://h264.code-shop.com/download/lighttpd-1.4.18_mod_h264_streaming-$_streamver.tar.gz
>
>  	$pkgname.initd
> @@ -132,7 +132,7 @@ mod_webdav() {
>  }
>
>
> -md5sums="f7a88130ee9984b421ad8aa80629750a  lighttpd-1.4.35.tar.bz2
> +md5sums="e439c18bcd90b1175fd118b9f2be4568  lighttpd-1.4.36.tar.gz
>  ac37885c881a058194405232e7737a7a  lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
>  aa1f130f66607615143b2b497c55b177  lighttpd.initd
>  0dede109282bfe685bdec6b35f0e4b6b  lighttpd.confd
> @@ -142,7 +142,7 @@ f3353baa4577703ec3a30c03482df986  mime-types.conf
>  9c1407e95f62ed22da66c4ef5f69c3b5  mod_cgi.conf
>  f3363e39832f1b6678468b482d121afb  mod_fastcgi.conf
>  aee5947a1abf380b0685a534ca384b42  mod_fastcgi_fpm.conf"
> -sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7  lighttpd-1.4.35.tar.bz2
> +sha256sums="8afc12cd40412cd94679f08725c68e4f5a3d91dfff7abc12d217c4f489b1819b  lighttpd-1.4.36.tar.gz
>  732cf98d823f2c7ddc96a3130a3c88d588b02ed20a0e7f8c9be25a265fbea2d6  lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
>  14a769551522d7c05319db2efd6b03962638413e4a3d58a0ee5f3f4760d33f16  lighttpd.initd
>  94f69a173dc26610a43532474230537b9bc31ec846fb9f94cb72765f125edf87  lighttpd.confd
> @@ -152,7 +152,7 @@ sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7  li
>  322656b4cfd22ca9f1f8ab160e0b932f1646622422fd49c6fc82ab416223eecf  mod_cgi.conf
>  d1adc1358b5d9e85353caa2e706bfa231d145dd59c075cdcb3f818b3cb5d722e  mod_fastcgi.conf
>  e7eb047360e09d1a2b693f08d4a912b99954090c5bdea706f46a33554e867043  mod_fastcgi_fpm.conf"
> -sha512sums="13f8562fb735964fe7ef1b127a15c43907f34be70b6bd2dd4ba61b59275d7c2a8d9a7947ff1a4d7cc5fd7efd309fc66b7de6d954b59424f814ea2eb98fd876b9  lighttpd-1.4.35.tar.bz2
> +sha512sums="ecb88874dd81b5a469d94b8a1b03823b5b12cf49264d77f0d3b71cd4b537ffdd03595a3a471186c36cd9cfaebc5cff5c5f4037c2d8aeb83012ca224651f8a359  lighttpd-1.4.36.tar.gz
>  12e1b7c8146cccfa78678ce56cd2f704423559b23b90996dff00602634f110512146386086ac234293a3c28900a06c2bec1c97e680e7eed5173372f88177b351  lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
>  3d92f1f2fab79d12570e445d0bfba1c3b53898c6eeb323ec2171a289417c01039746f722c5e00bac36ea7fc433e3e7422b64f8952ad780b3d68e010ef3d8bf61  lighttpd.initd
>  93a05dddab14ba6355a0345f1da2fe900c8b55fed8f98506295dc12d96c7cef803c4aca77f016b8acea7bbde485be1e09a57d31fdca6f91023fbeb4db9a90a8b  lighttpd.confd
>

Any particular reason you chose to only upgrade a single version? The 
latest release is 1.4.43 as of 2016-10-31.

Significant changes since 1.4.36:
- 1.4.37 has regression fixes against 1.4.36 from this APKBUILD
- 1.4.38
   - Several bugfixes relating to core functionality
   - Potential breakage with mod_secdownload requiring new config option
- 1.4.39 has small regression fixes
- 1.4.40 is a major update with literally hundreds of resolved issues
- 1.4.41
   - Four security fixes, one relating to dropping group privileges
   - Potential breakage, long-deprecated config options removed and will
     now cause error instead of warning
- 1.4.42 has lots of bug fixes
- 1.4.43 (latest) also has many bug fixes, including building against
     OpenSSL 1.1.0+


---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Details
Message ID
<CAEqeVnM1DcUbWyrtpCRDd2DCEtycEs0c3eqBPc9c64HGR9A=7w@mail.gmail.com>
In-Reply-To
<4534ecdd-2631-4dd5-bb61-839cb86a398e@brinstar.org> (view parent)
Sender timestamp
1481619171
DKIM signature
missing
Hi Seamus Caveney!

In this case the package is prepared for the Alpine Linux v3.1 stable release (the
oldest release where we are still trying to fix security issues:
http://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases). In general, for
stable releases we try to avoid major upgrades with big changes and
fix security bugs with minor upgrades (without vital changes) or
with fix-patches. In Alpine Edge we upgrade everything to the latest version.

lighttpd 1.4.37  release notes say: "The internal API changed again, so
please be careful with 3rd party plugins." (
https://www.lighttpd.net/2015/8/30/1.4.37/)

Actually, it is good that you have asked this question. I was not accurate
enough to notice that lighttpd 1.4.36 already contains vital changes.
1.4.36 release notes say: "changes to the internal API for buffers, chunks
and more; 3rd party plugins are likely to break" (
https://www.lighttpd.net/2015/7/26/1.4.36/) So, I started to think that we
should avoid upgrading lighttpd to newer version and fix CVE-2015-3200
issue with patch.

On other hand, you are absolutely right, since 1.4.35 lots of bugs were
fixed in later version. Maybe I can ask Natanael Copa what would be the
preferable way to go.

Thank you for your feedback.

Sergey Lukin

пн, 12 дек. 2016 г. в 17:52, Seamus Caveney <scv@brinstar.org>:

On 2016-12-12 09:26, Sergey Lukin wrote:
> CVE-2015-3200
> ---
>  main/lighttpd/APKBUILD | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD
> index b81ad2f..1c9c351 100644
> --- a/main/lighttpd/APKBUILD
> +++ b/main/lighttpd/APKBUILD
> @@ -1,8 +1,8 @@
>  # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
>  pkgname=lighttpd
> -pkgver=1.4.35
> +pkgver=1.4.36
>  _streamver=2.2.0
> -pkgrel=2
> +pkgrel=0
>  pkgdesc="a secure, fast, compliant and very flexible web-server"
>  url="http://www.lighttpd.net/"
>  arch="all"
> @@ -13,7 +13,7 @@ pkgusers="lighttpd"
>  pkggroups="lighttpd"
>  makedepends="flex pcre-dev openssl-dev zlib-dev bzip2-dev lua-dev
pkgconfig
>       automake autoconf openldap-dev libxml2-dev sqlite-dev libev-dev"
> -source="
http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.bz2
> +source="
http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.gz
>
http://h264.code-shop.com/download/lighttpd-1.4.18_mod_h264_streaming-$_streamver.tar.gz
>
>       $pkgname.initd
> @@ -132,7 +132,7 @@ mod_webdav() {
>  }
>
>
> -md5sums="f7a88130ee9984b421ad8aa80629750a  lighttpd-1.4.35.tar.bz2
> +md5sums="e439c18bcd90b1175fd118b9f2be4568  lighttpd-1.4.36.tar.gz
>  ac37885c881a058194405232e7737a7a
lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
>  aa1f130f66607615143b2b497c55b177  lighttpd.initd
>  0dede109282bfe685bdec6b35f0e4b6b  lighttpd.confd
> @@ -142,7 +142,7 @@ f3353baa4577703ec3a30c03482df986  mime-types.conf
>  9c1407e95f62ed22da66c4ef5f69c3b5  mod_cgi.conf
>  f3363e39832f1b6678468b482d121afb  mod_fastcgi.conf
>  aee5947a1abf380b0685a534ca384b42  mod_fastcgi_fpm.conf"
>
-sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7
lighttpd-1.4.35.tar.bz2
>
+sha256sums="8afc12cd40412cd94679f08725c68e4f5a3d91dfff7abc12d217c4f489b1819b
lighttpd-1.4.36.tar.gz
>  732cf98d823f2c7ddc96a3130a3c88d588b02ed20a0e7f8c9be25a265fbea2d6
lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
>  14a769551522d7c05319db2efd6b03962638413e4a3d58a0ee5f3f4760d33f16
lighttpd.initd
>  94f69a173dc26610a43532474230537b9bc31ec846fb9f94cb72765f125edf87
lighttpd.confd
> @@ -152,7 +152,7 @@
sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7
li
>  322656b4cfd22ca9f1f8ab160e0b932f1646622422fd49c6fc82ab416223eecf
mod_cgi.conf
>  d1adc1358b5d9e85353caa2e706bfa231d145dd59c075cdcb3f818b3cb5d722e
mod_fastcgi.conf
>  e7eb047360e09d1a2b693f08d4a912b99954090c5bdea706f46a33554e867043
mod_fastcgi_fpm.conf"
>
-sha512sums="13f8562fb735964fe7ef1b127a15c43907f34be70b6bd2dd4ba61b59275d7c2a8d9a7947ff1a4d7cc5fd7efd309fc66b7de6d954b59424f814ea2eb98fd876b9
lighttpd-1.4.35.tar.bz2
>
+sha512sums="ecb88874dd81b5a469d94b8a1b03823b5b12cf49264d77f0d3b71cd4b537ffdd03595a3a471186c36cd9cfaebc5cff5c5f4037c2d8aeb83012ca224651f8a359
lighttpd-1.4.36.tar.gz
>
12e1b7c8146cccfa78678ce56cd2f704423559b23b90996dff00602634f110512146386086ac234293a3c28900a06c2bec1c97e680e7eed5173372f88177b351
lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
>
3d92f1f2fab79d12570e445d0bfba1c3b53898c6eeb323ec2171a289417c01039746f722c5e00bac36ea7fc433e3e7422b64f8952ad780b3d68e010ef3d8bf61
lighttpd.initd
>
93a05dddab14ba6355a0345f1da2fe900c8b55fed8f98506295dc12d96c7cef803c4aca77f016b8acea7bbde485be1e09a57d31fdca6f91023fbeb4db9a90a8b
lighttpd.confd
>

Any particular reason you chose to only upgrade a single version? The
latest release is 1.4.43 as of 2016-10-31.

Significant changes since 1.4.36:
- 1.4.37 has regression fixes against 1.4.36 from this APKBUILD
- 1.4.38
   - Several bugfixes relating to core functionality
   - Potential breakage with mod_secdownload requiring new config option
- 1.4.39 has small regression fixes
- 1.4.40 is a major update with literally hundreds of resolved issues
- 1.4.41
   - Four security fixes, one relating to dropping group privileges
   - Potential breakage, long-deprecated config options removed and will
     now cause error instead of warning
- 1.4.42 has lots of bug xies
- 1.4.43 (latest) also has many bug fixes, including building against
     OpenSSL 1.1.0+