From: Sergey Lukin
Date: Tue, 13 Dec 2016 08:52:51 +0000
Subject: Re: [alpine-aports] [PATCH v3.1] main/lighttpd: security upgrade to 1.4.36 - fixes #4331
To: Seamus Caveney <scv@brinstar.org>, alpine-aports@lists.alpinelinux.org
In-Reply-To: <4534ecdd-2631-4dd5-bb61-839cb86a398e@brinstar.org>
References: <1481552810-8755-1-git-send-email-sergej.lukin@gmail.com> <4534ecdd-2631-4dd5-bb61-839cb86a398e@brinstar.org>
List: alpine-aports (Alpine Development)

Hi Seamus Caveney!

In this case the package is prepared for the Alpine Linux v3.1 stable release (the oldest release where we are still trying to fix security issues, http://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases). In general, for stable releases we try to avoid major upgrades with big changes and try to fix security bugs with minor upgrades (without vital changes) or with fix patches. In Alpine Edge we upgrade everything to the latest version.

The lighttpd 1.4.37 release notes say: "The internal API changed again, so please be careful with 3rd party plugins." (https://www.lighttpd.net/2015/8/30/1.4.37/)

Actually, it is good that you asked this question. I was not careful enough to notice that lighttpd 1.4.36 already contains vital changes. The 1.4.36 release notes say: "changes to the internal API for buffers, chunks and more; 3rd party plugins are likely to break" (https://www.lighttpd.net/2015/7/26/1.4.36/). So I started to think that we should avoid upgrading lighttpd to a newer version and fix the CVE-2015-3200 issue with a patch.

On the other hand, you are absolutely right: since 1.4.35 lots of bugs have been fixed in later versions. Maybe I can ask Natanael Copa what the preferable way to go would be.

Thank you for your feedback.

Sergey Lukin

Mon, 12 Dec 2016 at 17:52, Seamus Caveney <scv@brinstar.org>:
On 2016-12-12 09:26, Sergey Lukin wrote:
> CVE-2015-3200
> ---
>  main/lighttpd/APKBUILD | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD
> index b81ad2f..1c9c351 100644
> --- a/main/lighttpd/APKBUILD
> +++ b/main/lighttpd/APKBUILD
> @@ -1,8 +1,8 @@
>=C2=A0 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>= ;
>=C2=A0 pkgname=3Dlighttpd
> -pkgver=3D1.4.35
> +pkgver=3D1.4.36
>=C2=A0 _streamver=3D2.2.0
> -pkgrel=3D2
> +pkgrel=3D0
>=C2=A0 pkgdesc=3D"a secure, fast, compliant and very flexible web-= server"
>=C2=A0 url=3D"http://www.lighttpd.net/"= ;
>=C2=A0 arch=3D"all"
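Review bot: the commit message above this diff is just the identifier CVE-2015-3200, so the bump is not reviewable from git log alone: state which upstream change fixes it and that this targets the 3.1-stable branch (the subject says [PATCH v3.1], but main/lighttpd/APKBUILD is the same path on every branch). Resetting pkgrel from 2 to 0 together with the pkgver bump to 1.4.36 is correct.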
> @@ -13,7 +13,7 @@ pkgusers=3D"lighttpd"
>=C2=A0 pkggroups=3D"lighttpd"
>=C2=A0 makedepends=3D"flex pcre-dev openssl-dev zlib-dev bzip2-dev= lua-dev pkgconfig
>=C2=A0 =C2=A0 =C2=A0 =C2=A0automake autoconf openldap-dev libxml2-dev s= qlite-dev libev-dev"
> -source=3D"http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkg= name-$pkgver.tar.bz2
> +source=3D"http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgn= ame-$pkgver.tar.gz
>=C2=A0 =C2=A0 =C2=A0 =C2=A0http://h264.code-shop.com/download/l= ighttpd-1.4.18_mod_h264_streaming-$_streamver.tar.gz
>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0$pkgname.initd
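Review bot: the third-party module built from this source= list is the breakage risk here: lighttpd-1.4.18_mod_h264_streaming-$_streamver.tar.gz is still compiled against the new tree, and the 1.4.36 release notes quoted earlier in this thread say the internal buffer/chunk API changed and 3rd party plugins are likely to break, so confirm mod_h264_streaming still builds and loads on 1.4.36 before merging. Also worth stating in the commit message: the archive switches from .tar.bz2 to .tar.gz and is still fetched over plain http://, so the checksum lines further down are the only integrity check for the download.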
> @@ -132,7 +132,7 @@ mod_webdav() {
>=C2=A0 }
>
>
> -md5sums=3D"f7a88130ee9984b421ad8aa80629750a=C2=A0 lighttpd-1.4.3= 5.tar.bz2
> +md5sums=3D"e439c18bcd90b1175fd118b9f2be4568=C2=A0 lighttpd-1.4.3= 6.tar.gz
>=C2=A0 ac37885c881a058194405232e7737a7a=C2=A0 lighttpd-1.4.18_mod_h264_= streaming-2.2.0.tar.gz
>=C2=A0 aa1f130f66607615143b2b497c55b177=C2=A0 lighttpd.initd
>=C2=A0 0dede109282bfe685bdec6b35f0e4b6b=C2=A0 lighttpd.confd
> @@ -142,7 +142,7 @@ f3353baa4577703ec3a30c03482df986=C2=A0 mime-types.= conf
>=C2=A0 9c1407e95f62ed22da66c4ef5f69c3b5=C2=A0 mod_cgi.conf
>=C2=A0 f3363e39832f1b6678468b482d121afb=C2=A0 mod_fastcgi.conf
>=C2=A0 aee5947a1abf380b0685a534ca384b42=C2=A0 mod_fastcgi_fpm.conf"= ;
> -sha256sums=3D"4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5= 170ca7f15c5bf7=C2=A0 lighttpd-1.4.35.tar.bz2
> +sha256sums=3D"8afc12cd40412cd94679f08725c68e4f5a3d91dfff7abc12d2= 17c4f489b1819b=C2=A0 lighttpd-1.4.36.tar.gz
>=C2=A0 732cf98d823f2c7ddc96a3130a3c88d588b02ed20a0e7f8c9be25a265fbea2d6= =C2=A0 lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
>=C2=A0 14a769551522d7c05319db2efd6b03962638413e4a3d58a0ee5f3f4760d33f16= =C2=A0 lighttpd.initd
>=C2=A0 94f69a173dc26610a43532474230537b9bc31ec846fb9f94cb72765f125edf87= =C2=A0 lighttpd.confd
> @@ -152,7 +152,7 @@ sha256sums=3D"4a71c1f6d8af41ed894b507720c4c17= 184dc320590013881d5170ca7f15c5bf7=C2=A0 li
>=C2=A0 322656b4cfd22ca9f1f8ab160e0b932f1646622422fd49c6fc82ab416223eecf= =C2=A0 mod_cgi.conf
>=C2=A0 d1adc1358b5d9e85353caa2e706bfa231d145dd59c075cdcb3f818b3cb5d722e= =C2=A0 mod_fastcgi.conf
>=C2=A0 e7eb047360e09d1a2b693f08d4a912b99954090c5bdea706f46a33554e867043= =C2=A0 mod_fastcgi_fpm.conf"
> -sha512sums=3D"13f8562fb735964fe7ef1b127a15c43907f34be70b6bd2dd4b= a61b59275d7c2a8d9a7947ff1a4d7cc5fd7efd309fc66b7de6d954b59424f814ea2eb98fd87= 6b9=C2=A0 lighttpd-1.4.35.tar.bz2
> +sha512sums=3D"ecb88874dd81b5a469d94b8a1b03823b5b12cf49264d77f0d3= b71cd4b537ffdd03595a3a471186c36cd9cfaebc5cff5c5f4037c2d8aeb83012ca224651f8a= 359=C2=A0 lighttpd-1.4.36.tar.gz
>=C2=A0 12e1b7c8146cccfa78678ce56cd2f704423559b23b90996dff00602634f11051= 2146386086ac234293a3c28900a06c2bec1c97e680e7eed5173372f88177b351=C2=A0 ligh= ttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
>=C2=A0 3d92f1f2fab79d12570e445d0bfba1c3b53898c6eeb323ec2171a289417c0103= 9746f722c5e00bac36ea7fc433e3e7422b64f8952ad780b3d68e010ef3d8bf61=C2=A0 ligh= ttpd.initd
>=C2=A0 93a05dddab14ba6355a0345f1da2fe900c8b55fed8f98506295dc12d96c7cef8= 03c4aca77f016b8acea7bbde485be1e09a57d31fdca6f91023fbeb4db9a90a8b=C2=A0 ligh= ttpd.confd
>
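Review bot: because the tarball is fetched over http:// (source= hunk above), this sha512sums entry for lighttpd-1.4.36.tar.gz is the only thing standing between the builder and a substituted archive, so record where the value came from: it should match upstream's published checksum or signature for the release, not merely the output of abuild checksum on one local download. The md5sums and sha256sums blocks are updated for the same file, which keeps the three blocks consistent; the entries for mod_h264_streaming, lighttpd.initd and lighttpd.confd are carried over unchanged.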

Any particular reason you chose to only upgrade a single version? The
latest release is 1.4.43 as of 2016-10-31.

Significant changes since 1.4.36:
- 1.4.37 has regression fixes against 1.4.36 from this APKBUILD
- 1.4.38
   - Several bugfixes relating to core functionality
   - Potential breakage with mod_secdownload requiring new config option
- 1.4.39 has small regression fixes
- 1.4.40 is a major update with literally hundreds of resolved issues
- 1.4.41
   - Four security fixes, one relating to dropping group privileges
   - Potential breakage, long-deprecated config options removed and will
     now cause error instead of warning
- 1.4.42 has lots of bug fixes
- 1.4.43 (latest) also has many bug fixes, including building against
     OpenSSL 1.1.0+
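What protects a build from a substituted tarball when source= is a plain http:// URL, as in the APKBUILD being discussed, is the pinned hash line: abuild refuses to build when the downloaded file does not match. The script below is an added example, not abuild's own code and not anything posted in this thread. It re-implements that check over an APKBUILD-style sha512sums block and shows a swapped tarball being rejected. The function names (apkbuild_sha512sums, verify_sources, make_fixture, the demo_ functions) are mine, the files it checks are constructed stand-ins that merely borrow the lighttpd file names, and their hashes are computed locally rather than taken from upstream.

```shell
#!/bin/sh
# Added example, not abuild's own code: re-implement the check abuild performs
# before building, comparing downloaded sources against the sha512sums block of
# an APKBUILD, and show that a substituted tarball is rejected.
# Needs only POSIX sh, awk, mktemp and sha512sum (shasum -a 512 as fallback).

sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Print the "hash  filename" entries of sha512sums="..." in the given APKBUILD,
# one per line, for both the single-line and the multi-line form.
apkbuild_sha512sums() {
    awk '/^sha512sums="/ { inblk = 1; sub(/^sha512sums="/, "") }
         inblk {
             line = $0
             last = (line ~ /"[[:space:]]*$/)
             sub(/"[[:space:]]*$/, "", line)
             if (line ~ /[^[:space:]]/) print line
             if (last) exit
         }' "$1"
}

# verify_sources APKBUILD SRCDIR
# Returns 0 only if every listed file exists in SRCDIR and its SHA-512 matches;
# a missing or altered file makes it return 1, the same outcome abuild gives.
verify_sources() {
    _apkbuild=$1 _srcdir=$2 _rc=0
    # the here-document keeps the loop in the current shell so _rc survives it
    while read -r _expected _name; do
        [ -n "$_name" ] || continue
        if [ ! -f "$_srcdir/$_name" ]; then
            echo "MISSING  $_name"
            _rc=1
            continue
        fi
        _actual=$(sha512_of "$_srcdir/$_name")
        if [ "$_actual" = "$_expected" ]; then
            echo "OK       $_name"
        else
            echo "BAD      $_name (expected $(printf '%.12s' "$_expected")..., got $(printf '%.12s' "$_actual")...)"
            _rc=1
        fi
    done <<EOF
$(apkbuild_sha512sums "$_apkbuild")
EOF
    return $_rc
}

# Scratch distfiles: two constructed files (the lighttpd names are stand-ins,
# the contents are not the real releases) and an APKBUILD that pins them with
# hashes computed here, not upstream's.
make_fixture() {
    _dir=$(mktemp -d)
    printf 'constructed stand-in, not the real tarball\n' > "$_dir/lighttpd-1.4.36.tar.gz"
    printf '#!/sbin/openrc-run\n' > "$_dir/lighttpd.initd"
    cat > "$_dir/APKBUILD" <<EOF
pkgname=lighttpd
pkgver=1.4.36
source="http://download.lighttpd.net/lighttpd/releases-1.4.x/\$pkgname-\$pkgver.tar.gz
	\$pkgname.initd"
sha512sums="$(sha512_of "$_dir/lighttpd-1.4.36.tar.gz")  lighttpd-1.4.36.tar.gz
$(sha512_of "$_dir/lighttpd.initd")  lighttpd.initd"
EOF
    echo "$_dir"
}

# Untouched distfiles verify cleanly: returns 0.
demo_pristine() {
    _d=$(make_fixture)
    verify_sources "$_d/APKBUILD" "$_d"; _r=$?
    rm -rf "$_d"
    return $_r
}

# A tarball swapped on the wire (source= is plain http://) must be rejected:
# returns 0 only if verify_sources refused the substituted file.
demo_tampered() {
    _d=$(make_fixture)
    printf 'attacker-substituted archive\n' > "$_d/lighttpd-1.4.36.tar.gz"
    if verify_sources "$_d/APKBUILD" "$_d"; then _r=1; else _r=0; fi
    rm -rf "$_d"
    return $_r
}

echo "--- pristine distfiles ---"
demo_pristine
echo "--- substituted tarball ---"
demo_tampered && echo "rejected, as it should be"
```

The check is only as good as the hash it compares against: if the sha512sums line was generated from the same download it is meant to protect, a tarball replaced before that first fetch passes silently, which is why the value should be confirmed against upstream's published checksum before it is committed.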