Subject: Re: [alpine-aports] [PATCH v3.1] main/lighttpd: security upgrade to 1.4.36 - fixes #4331
To: Sergey Lukin, alpine-aports@lists.alpinelinux.org
From: Seamus Caveney Message-ID: <4534ecdd-2631-4dd5-bb61-839cb86a398e@brinstar.org> Date: Mon, 12 Dec 2016 10:52:20 -0500 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.5.0 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 In-Reply-To: <1481552810-8755-1-git-send-email-sergej.lukin@gmail.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit On 2016-12-12 09:26, Sergey Lukin wrote: > CVE-2015-3200 > --- > main/lighttpd/APKBUILD | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) > > diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD > index b81ad2f..1c9c351 100644 > --- a/main/lighttpd/APKBUILD > +++ b/main/lighttpd/APKBUILD > @@ -1,8 +1,8 @@ > # Maintainer: Natanael Copa > pkgname=lighttpd > -pkgver=1.4.35 > +pkgver=1.4.36 > _streamver=2.2.0 > -pkgrel=2 > +pkgrel=0 > pkgdesc="a secure, fast, compliant and very flexible web-server" > url="http://www.lighttpd.net/" > arch="all" > @@ -13,7 +13,7 @@ pkgusers="lighttpd" > pkggroups="lighttpd" > makedepends="flex pcre-dev openssl-dev zlib-dev bzip2-dev lua-dev pkgconfig > automake autoconf openldap-dev libxml2-dev sqlite-dev libev-dev" > -source="http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.bz2 > +source="http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.gz > http://h264.code-shop.com/download/lighttpd-1.4.18_mod_h264_streaming-$_streamver.tar.gz > > $pkgname.initd > @@ -132,7 +132,7 @@ mod_webdav() { > } > > > -md5sums="f7a88130ee9984b421ad8aa80629750a lighttpd-1.4.35.tar.bz2 > +md5sums="e439c18bcd90b1175fd118b9f2be4568 lighttpd-1.4.36.tar.gz > ac37885c881a058194405232e7737a7a lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz > aa1f130f66607615143b2b497c55b177 lighttpd.initd > 0dede109282bfe685bdec6b35f0e4b6b lighttpd.confd 
> @@ -142,7 +142,7 @@ f3353baa4577703ec3a30c03482df986 mime-types.conf > 9c1407e95f62ed22da66c4ef5f69c3b5 mod_cgi.conf > f3363e39832f1b6678468b482d121afb mod_fastcgi.conf > aee5947a1abf380b0685a534ca384b42 mod_fastcgi_fpm.conf" > -sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7 lighttpd-1.4.35.tar.bz2 > +sha256sums="8afc12cd40412cd94679f08725c68e4f5a3d91dfff7abc12d217c4f489b1819b lighttpd-1.4.36.tar.gz > 732cf98d823f2c7ddc96a3130a3c88d588b02ed20a0e7f8c9be25a265fbea2d6 lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz > 14a769551522d7c05319db2efd6b03962638413e4a3d58a0ee5f3f4760d33f16 lighttpd.initd > 94f69a173dc26610a43532474230537b9bc31ec846fb9f94cb72765f125edf87 lighttpd.confd 
> @@ -152,7 +152,7 @@ sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7 li > 322656b4cfd22ca9f1f8ab160e0b932f1646622422fd49c6fc82ab416223eecf mod_cgi.conf > d1adc1358b5d9e85353caa2e706bfa231d145dd59c075cdcb3f818b3cb5d722e mod_fastcgi.conf > e7eb047360e09d1a2b693f08d4a912b99954090c5bdea706f46a33554e867043 mod_fastcgi_fpm.conf" > -sha512sums="13f8562fb735964fe7ef1b127a15c43907f34be70b6bd2dd4ba61b59275d7c2a8d9a7947ff1a4d7cc5fd7efd309fc66b7de6d954b59424f814ea2eb98fd876b9 lighttpd-1.4.35.tar.bz2 > +sha512sums="ecb88874dd81b5a469d94b8a1b03823b5b12cf49264d77f0d3b71cd4b537ffdd03595a3a471186c36cd9cfaebc5cff5c5f4037c2d8aeb83012ca224651f8a359 lighttpd-1.4.36.tar.gz > 12e1b7c8146cccfa78678ce56cd2f704423559b23b90996dff00602634f110512146386086ac234293a3c28900a06c2bec1c97e680e7eed5173372f88177b351 lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz > 3d92f1f2fab79d12570e445d0bfba1c3b53898c6eeb323ec2171a289417c01039746f722c5e00bac36ea7fc433e3e7422b64f8952ad780b3d68e010ef3d8bf61 lighttpd.initd > 93a05dddab14ba6355a0345f1da2fe900c8b55fed8f98506295dc12d96c7cef803c4aca77f016b8acea7bbde485be1e09a57d31fdca6f91023fbeb4db9a90a8b lighttpd.confd > Any particular reason you chose to only upgrade a single version? The latest release is 1.4.43 as of 2016-10-31. 
Significant changes since 1.4.36:

- 1.4.37 has regression fixes against 1.4.36 from this APKBUILD
- 1.4.38
  - Several bugfixes relating to core functionality
  - Potential breakage with mod_secdownload requiring new config option
- 1.4.39 has small regression fixes
- 1.4.40 is a major update with literally hundreds of resolved issues
- 1.4.41
  - Four security fixes, one relating to dropping group privileges
  - Potential breakage, long-deprecated config options removed and will now cause error instead of warning
- 1.4.42 has lots of bug fixes
- 1.4.43 (latest) also has many bug fixes, including building against OpenSSL 1.1.0+
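
Review bot: the only record of why this is a security upgrade is the bare "CVE-2015-3200" line in the commit message; nothing in the first hunk (pkgver/pkgrel) ties pkgver=1.4.36 to that CVE. Consider a comment beside pkgver recording that this release is taken for CVE-2015-3200, and a full sentence in the commit message saying so, so the reason for the bump stays visible in the APKBUILD itself. Resetting pkgrel to 0 together with the version bump is fine.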
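
Review bot: in the source= hunk the tarball changes from .tar.bz2 to .tar.gz and the commit message gives no reason for it. If the .tar.bz2 is no longer published for 1.4.36, say so in the message; otherwise keep the original format so the diff is only the version bump. The URL is also still plain http://download.lighttpd.net/..., which leaves the checksums as the only integrity check on the download; switch to https if upstream serves it.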
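
Review bot: the new lighttpd-1.4.36.tar.gz entries in md5sums, sha256sums and sha512sums cannot be validated from the patch alone, and because the tarball is fetched over http:// they should not simply be the digests of whatever arrived on the build machine. Please confirm the sha256 value against a digest obtained from upstream over an authenticated channel, and state in the commit message that this was done.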