
Re: [alpine-aports] [PATCH v3.1] main/lighttpd: security upgrade to 1.4.36 - fixes #4331

From: Sergey Lukin <sergej.lukin_at_gmail.com>
Date: Tue, 13 Dec 2016 08:52:51 +0000

Hi Seamus Caveney!

In this case the package is prepared for the Alpine Linux v3.1 stable release (the
oldest release where we are still trying to fix security issues:
http://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases). In general, for
stable releases we are trying to avoid major upgrades with big changes and
trying to fix security bugs with minor upgrades (without vital changes) or
with fix patches. In Alpine Edge we upgrade everything to the latest version.

lighttpd 1.4.37 release notes say: "The internal API changed again, so
please be careful with 3rd party plugins." (
https://www.lighttpd.net/2015/8/30/1.4.37/)

Actually, it is good that you have asked this question. I was not accurate
enough to notice that lighttpd 1.4.36 already contains vital changes.
The 1.4.36 release notes say: "changes to the internal API for buffers, chunks
and more; 3rd party plugins are likely to break"
(https://www.lighttpd.net/2015/7/26/1.4.36/). So I started to think that we
should avoid upgrading lighttpd to a newer version and fix the CVE-2015-3200
issue with a patch.

On the other hand, you are absolutely right: since 1.4.35 lots of bugs have been
fixed in later versions. Maybe I can ask Natanael Copa what would be the
preferable way to go.

Thank you for your feedback.

Sergey Lukin

Mon, 12 Dec 2016 at 17:52, Seamus Caveney <scv_at_brinstar.org>:

On 2016-12-12 09:26, Sergey Lukin wrote:
> CVE-2015-3200
> ---
> main/lighttpd/APKBUILD | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD
> index b81ad2f..1c9c351 100644
> --- a/main/lighttpd/APKBUILD
> +++ b/main/lighttpd/APKBUILD
> _at__at_ -1,8 +1,8 @@
> # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
> pkgname=lighttpd
> -pkgver=1.4.35
> +pkgver=1.4.36
> _streamver=2.2.0
> -pkgrel=2
> +pkgrel=0
> pkgdesc="a secure, fast, compliant and very flexible web-server"
> url="http://www.lighttpd.net/"
> arch="all"
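Review bot: the pkgver bump to 1.4.36 brings in the internal buffer/chunk API change that the 1.4.36 release notes warn is likely to break third-party plugins, and this APKBUILD builds mod_h264_streaming from an external 1.4.18-era tarball; confirm that module still compiles and loads against 1.4.36 before this lands on a stable branch, and record that check in the commit message. Resetting pkgrel to 0 together with the pkgver bump is correct.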
> _at__at_ -13,7 +13,7 @@ pkgusers="lighttpd"
> pkggroups="lighttpd"
> makedepends="flex pcre-dev openssl-dev zlib-dev bzip2-dev lua-dev
pkgconfig
> automake autoconf openldap-dev libxml2-dev sqlite-dev libev-dev"
> -source="
http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.bz2
> +source="
http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.gz
>
http://h264.code-shop.com/download/lighttpd-1.4.18_mod_h264_streaming-$_streamver.tar.gz
>
> $pkgname.initd
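Review bot: the source line switches the upstream archive from .tar.bz2 to .tar.gz, so every checksum block further down must be regenerated against the downloaded file (for example with `abuild checksum`) rather than copied from elsewhere; both tarballs are fetched over plain http, so the recorded sha256/sha512 digests are the only integrity guarantee for the build and should be compared with the digests published by upstream before merging.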
> _at__at_ -132,7 +132,7 @@ mod_webdav() {
> }
>
>
> -md5sums="f7a88130ee9984b421ad8aa80629750a lighttpd-1.4.35.tar.bz2
> +md5sums="e439c18bcd90b1175fd118b9f2be4568 lighttpd-1.4.36.tar.gz
> ac37885c881a058194405232e7737a7a
lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
> aa1f130f66607615143b2b497c55b177 lighttpd.initd
> 0dede109282bfe685bdec6b35f0e4b6b lighttpd.confd
> _at__at_ -142,7 +142,7 @@ f3353baa4577703ec3a30c03482df986 mime-types.conf
> 9c1407e95f62ed22da66c4ef5f69c3b5 mod_cgi.conf
> f3363e39832f1b6678468b482d121afb mod_fastcgi.conf
> aee5947a1abf380b0685a534ca384b42 mod_fastcgi_fpm.conf"
>
-sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7
lighttpd-1.4.35.tar.bz2
>
+sha256sums="8afc12cd40412cd94679f08725c68e4f5a3d91dfff7abc12d217c4f489b1819b
lighttpd-1.4.36.tar.gz
> 732cf98d823f2c7ddc96a3130a3c88d588b02ed20a0e7f8c9be25a265fbea2d6
lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
> 14a769551522d7c05319db2efd6b03962638413e4a3d58a0ee5f3f4760d33f16
lighttpd.initd
> 94f69a173dc26610a43532474230537b9bc31ec846fb9f94cb72765f125edf87
lighttpd.confd
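Review bot: the md5sums and sha256sums entries for lighttpd-1.4.36.tar.gz are updated, but as quoted here the sha256sums hunk has been re-wrapped by the mail client (the `-sha256sums=` and `+sha256sums=` lines have lost their `> ` quote prefix and the filenames spill onto separate lines), so this copy will not apply with `git am`; resend via `git send-email` or as an attachment so the long checksum lines survive intact.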
> _at__at_ -152,7 +152,7 @@
sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7
li
> 322656b4cfd22ca9f1f8ab160e0b932f1646622422fd49c6fc82ab416223eecf
mod_cgi.conf
> d1adc1358b5d9e85353caa2e706bfa231d145dd59c075cdcb3f818b3cb5d722e
mod_fastcgi.conf
> e7eb047360e09d1a2b693f08d4a912b99954090c5bdea706f46a33554e867043
mod_fastcgi_fpm.conf"
>
-sha512sums="13f8562fb735964fe7ef1b127a15c43907f34be70b6bd2dd4ba61b59275d7c2a8d9a7947ff1a4d7cc5fd7efd309fc66b7de6d954b59424f814ea2eb98fd876b9
lighttpd-1.4.35.tar.bz2
>
+sha512sums="ecb88874dd81b5a469d94b8a1b03823b5b12cf49264d77f0d3b71cd4b537ffdd03595a3a471186c36cd9cfaebc5cff5c5f4037c2d8aeb83012ca224651f8a359
lighttpd-1.4.36.tar.gz
>
12e1b7c8146cccfa78678ce56cd2f704423559b23b90996dff00602634f110512146386086ac234293a3c28900a06c2bec1c97e680e7eed5173372f88177b351
lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
>
3d92f1f2fab79d12570e445d0bfba1c3b53898c6eeb323ec2171a289417c01039746f722c5e00bac36ea7fc433e3e7422b64f8952ad780b3d68e010ef3d8bf61
lighttpd.initd
>
93a05dddab14ba6355a0345f1da2fe900c8b55fed8f98506295dc12d96c7cef803c4aca77f016b8acea7bbde485be1e09a57d31fdca6f91023fbeb4db9a90a8b
lighttpd.confd
>
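Review bot: the sha512sums hunk as quoted ends at lighttpd.confd with no closing quote and without the entries for the .conf files that the md5 and sha256 blocks above carry, so the quoted copy looks truncated; make sure the patch that is actually applied contains the complete block, with the lighttpd-1.4.36.tar.gz digest and the unchanged digests for the streaming module, initd, confd and the mod_*.conf files.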

Any particular reason you chose to only upgrade a single version? The
latest release is 1.4.43 as of 2016-10-31.

Significant changes since 1.4.36:
- 1.4.37 has regression fixes against 1.4.36 from this APKBUILD
- 1.4.38
   - Several bugfixes relating to core functionality
   - Potential breakage with mod_secdownload requiring new config option
- 1.4.39 has small regression fixes
- 1.4.40 is a major update with literally hundreds of resolved issues
- 1.4.41
   - Four security fixes, one relating to dropping group privileges
   - Potential breakage, long-deprecated config options removed and will
     now cause error instead of warning
- 1.4.42 has lots of bug fixes
- 1.4.43 (latest) also has many bug fixes, including building against
     OpenSSL 1.1.0+



Received on Tue Dec 13 2016 - 08:52:51 GMT