v3.1: main/lighttpd: security upgrade to 1.4.36 - fixes #4331 v1 PROPOSED

Hi Seamus Caveney!

In this case the package is prepared for the Alpine Linux v3.1 stable release (the
oldest release where we are still trying to fix security issues:
http://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases). In general, for
stable releases we are trying to avoid major upgrades with big changes and
trying to fix security bugs with minor upgrades (without vital changes) or
with fix-patches. In Alpine Edge we upgrade everything to the latest version.

The lighttpd 1.4.37 release notes say: "The internal API changed again, so
please be careful with 3rd party plugins."
(https://www.lighttpd.net/2015/8/30/1.4.37/)

Actually, it is good that you have asked this question. I was not accurate
enough to notice that lighttpd 1.4.36 already contains vital changes. The
1.4.36 release notes say: "changes to the internal API for buffers, chunks
and more; 3rd party plugins are likely to break"
(https://www.lighttpd.net/2015/7/26/1.4.36/). So, I started to think that we
should avoid upgrading lighttpd to a newer version and fix the CVE-2015-3200
issue with a patch.

On the other hand, you are absolutely right: since 1.4.35 lots of bugs have been
fixed in later versions. Maybe I can ask Natanael Copa what would be the
preferable way to go.

Thank you for your feedback.

Sergey Lukin

Mon, 12 Dec 2016 at 17:52, Seamus Caveney <scv@brinstar.org>:

On 2016-12-12 09:26, Sergey Lukin wrote:
> CVE-2015-3200
> ---
> main/lighttpd/APKBUILD | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD
> index b81ad2f..1c9c351 100644
> --- a/main/lighttpd/APKBUILD
> +++ b/main/lighttpd/APKBUILD
> @@ -1,8 +1,8 @@
> # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
> pkgname=lighttpd
> -pkgver=1.4.35
> +pkgver=1.4.36
> _streamver=2.2.0
> -pkgrel=2
> +pkgrel=0
> pkgdesc="a secure, fast, compliant and very flexible web-server"
> url="http://www.lighttpd.net/"
> arch="all"
> @@ -13,7 +13,7 @@ pkgusers="lighttpd"
> pkggroups="lighttpd"
> makedepends="flex pcre-dev openssl-dev zlib-dev bzip2-dev lua-dev
pkgconfig
> automake autoconf openldap-dev libxml2-dev sqlite-dev libev-dev"
> -source="
http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.bz2
> +source="
http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.gz
http://h264.code-shop.com/download/lighttpd-1.4.18_mod_h264_streaming-$_streamver.tar.gz
> $pkgname.initd
> @@ -132,7 +132,7 @@ mod_webdav() {
> }
> 
> 
> -md5sums="f7a88130ee9984b421ad8aa80629750a  lighttpd-1.4.35.tar.bz2
> +md5sums="e439c18bcd90b1175fd118b9f2be4568  lighttpd-1.4.36.tar.gz
> ac37885c881a058194405232e7737a7a
lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
[alpine-aports] [PATCH v3.1] main/lighttpd: security upgrade to 1.4.36 - fixes #4331

CVE-2015-3200
---
 main/lighttpd/APKBUILD | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD
index b81ad2f..1c9c351 100644
--- a/main/lighttpd/APKBUILD
+++ b/main/lighttpd/APKBUILD
@@ -1,8 +1,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=lighttpd
pkgver=1.4.35
pkgver=1.4.36
_streamver=2.2.0
pkgrel=2
pkgrel=0
pkgdesc="a secure, fast, compliant and very flexible web-server"
url="http://www.lighttpd.net/"
arch="all"
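Review bot: the `pkgver` bump to 1.4.36 is correctly paired with `pkgrel=0`, but `_streamver=2.2.0` is left untouched even though this same APKBUILD builds the third-party `lighttpd-1.4.18_mod_h264_streaming` module against the new tree, and the thread quotes the 1.4.36 release notes warning that the internal buffer/chunk API changed and 3rd party plugins are likely to break. The commit message, which is currently only `CVE-2015-3200`, should record that this module was rebuilt and loads on 1.4.36, say in one line what the CVE fixes, and state why a version upgrade rather than a backported fix was chosen for the v3.1 stable branch, since that is exactly the question raised in the discussion.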
@@ -13,7 +13,7 @@ pkgusers="lighttpd"
pkggroups="lighttpd"
makedepends="flex pcre-dev openssl-dev zlib-dev bzip2-dev lua-dev pkgconfig
	automake autoconf openldap-dev libxml2-dev sqlite-dev libev-dev"
source="http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.bz2
source="http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.gz
	http://h264.code-shop.com/download/lighttpd-1.4.18_mod_h264_streaming-$_streamver.tar.gz

	$pkgname.initd
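Review bot: the upstream source switches from `$pkgname-$pkgver.tar.bz2` to `$pkgname-$pkgver.tar.gz` without the commit message saying why; a silent archive-format change is easy to overlook and should be stated (if upstream only publishes a .tar.gz for 1.4.36, say so). Note also that both this URL and the `http://h264.code-shop.com/...` URL are plain http, so nothing on the transport authenticates either archive and the checksum hunks further down are the only binding between this build and the intended tarballs.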
@@ -132,7 +132,7 @@ mod_webdav() {
}


md5sums="f7a88130ee9984b421ad8aa80629750a  lighttpd-1.4.35.tar.bz2
md5sums="e439c18bcd90b1175fd118b9f2be4568  lighttpd-1.4.36.tar.gz
ac37885c881a058194405232e7737a7a  lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
aa1f130f66607615143b2b497c55b177  lighttpd.initd
0dede109282bfe685bdec6b35f0e4b6b  lighttpd.confd
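Review bot: only the first `md5sums` entry changes here while the `lighttpd.initd` and `lighttpd.confd` lines stay, which is consistent with the source hunk, but MD5 adds nothing to integrity beyond the `sha512sums` entry later in the patch. The md5, sha256 and sha512 lines should be regenerated together from the same downloaded archive (abuild's `checksum` action does this from the fetched sources) rather than edited by hand, so the three digests cannot end up describing different files.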
@@ -142,7 +142,7 @@ f3353baa4577703ec3a30c03482df986  mime-types.conf
9c1407e95f62ed22da66c4ef5f69c3b5  mod_cgi.conf
f3363e39832f1b6678468b482d121afb  mod_fastcgi.conf
aee5947a1abf380b0685a534ca384b42  mod_fastcgi_fpm.conf"
sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7  lighttpd-1.4.35.tar.bz2
sha256sums="8afc12cd40412cd94679f08725c68e4f5a3d91dfff7abc12d217c4f489b1819b  lighttpd-1.4.36.tar.gz
732cf98d823f2c7ddc96a3130a3c88d588b02ed20a0e7f8c9be25a265fbea2d6  lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
14a769551522d7c05319db2efd6b03962638413e4a3d58a0ee5f3f4760d33f16  lighttpd.initd
94f69a173dc26610a43532474230537b9bc31ec846fb9f94cb72765f125edf87  lighttpd.confd
@@ -152,7 +152,7 @@ sha256sums="4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7  li
322656b4cfd22ca9f1f8ab160e0b932f1646622422fd49c6fc82ab416223eecf  mod_cgi.conf
d1adc1358b5d9e85353caa2e706bfa231d145dd59c075cdcb3f818b3cb5d722e  mod_fastcgi.conf
e7eb047360e09d1a2b693f08d4a912b99954090c5bdea706f46a33554e867043  mod_fastcgi_fpm.conf"
sha512sums="13f8562fb735964fe7ef1b127a15c43907f34be70b6bd2dd4ba61b59275d7c2a8d9a7947ff1a4d7cc5fd7efd309fc66b7de6d954b59424f814ea2eb98fd876b9  lighttpd-1.4.35.tar.bz2
sha512sums="ecb88874dd81b5a469d94b8a1b03823b5b12cf49264d77f0d3b71cd4b537ffdd03595a3a471186c36cd9cfaebc5cff5c5f4037c2d8aeb83012ca224651f8a359  lighttpd-1.4.36.tar.gz
12e1b7c8146cccfa78678ce56cd2f704423559b23b90996dff00602634f110512146386086ac234293a3c28900a06c2bec1c97e680e7eed5173372f88177b351  lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
3d92f1f2fab79d12570e445d0bfba1c3b53898c6eeb323ec2171a289417c01039746f722c5e00bac36ea7fc433e3e7422b64f8952ad780b3d68e010ef3d8bf61  lighttpd.initd
93a05dddab14ba6355a0345f1da2fe900c8b55fed8f98506295dc12d96c7cef803c4aca77f016b8acea7bbde485be1e09a57d31fdca6f91023fbeb4db9a90a8b  lighttpd.confd
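Review bot: this `sha512sums` line is the strongest of the three digests and, given the plain-http source URLs in the earlier hunk, the effective integrity anchor for the 1.4.36 archive. Before merging, a second person should confirm the value against a digest computed independently from an archive fetched directly from lighttpd.net (or against any digest or signature upstream publishes for the release) rather than trusting the number in the patch, and should confirm that the unchanged `lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz` hash still matches what `http://h264.code-shop.com` serves, since that host is outside upstream's control.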
-- 
2.2.1