As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages
using wolfSSL library.
Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide:
fix security issues by bumping all packages using libwolfssl").
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 845d81ca0976c82829addc23e9e8b95885c910ee)
This reverts commit 0ddec62e69 as it was
backport too soon, we need to first wait for fixed libwolfssl being
available.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages
using wolfSSL library.
Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide:
fix security issues by bumping all packages using libwolfssl").
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 845d81ca0976c82829addc23e9e8b95885c910ee)
depend on libpcre2 instead of libpcre
also remove patches incorporated upstream into lighttpd 1.4.62
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
- ignore Content-Length from backend if 101 Switching Protocols
- close HTTP/2 connection after bad password
- skip cert chain build for self-issued certs
- meson zstd fix
- ls-hpack upstream update
- discard some HTTP/2 DATA frames received after response
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
The crude loop I wrote to come up with this changeset:
find -L package/feeds/packages/ -name patches | \
sed 's/patches$/refresh/' | sort | xargs make
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
reload_server() gracefully with SIGUSR1 to lighttpd
relog() to reopen log files with SIGHUP to lighttpd
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
* update upstream version to lighttpd-1.4.56
* depend on Nettle for MD5, SHA1, SHA256
* multiple TLS options: gnutls, mbedtls, nss, openssl, wolfssl
* new module mod_authn_dbi
* mod_authn_* depend on mod_auth
* mod_authn_file is included if mod_auth is selected in build
* mod_vhostdb_* depend on mod_vhostdb
* mod_deflate subsumes mod_compress
* remove from Makefile the include of nls.mk (no longer needed)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
If lighttpd loads mod-auth, it also automatically tries to load
mod-authn_file, and fails if it's not available. That is a compatibility
feature of lighttpd after the funtionality was split into modules.
Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
Simplifies the Makefile and allows faster compilation with Ninja.
Added patch to fix libmariadb dependency.
Added extra modules.
Speed Before:
time make package/lighttpd/compile -j 12
Executed in 47.91 secs fish external
usr time 41.83 secs 384.00 micros 41.83 secs
sys time 10.79 secs 37.00 micros 10.79 secs
Speed After:
time make package/lighttpd/compile -j 12
Executed in 19.67 secs fish external
usr time 42.79 secs 377.00 micros 42.79 secs
sys time 8.56 secs 37.00 micros 8.56 secs
Tested with fish shell.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Add new subpackage containing pam authentication module. Shouldn't
affect dependencies and nothing changes, there is just one more module
enabled for people interested in it.
Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
- Correct SPDX License Identifier
- Move MAINTAINER, SUBMENU to more appropriate place
- Use HTTPS in URL
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
lighttpd-mod-auth has to be installed with lighttpd-mod-authn_file,
otherwise an error will appear even when auth.backend is not "plain".
(plugin.c.229) dlopen() failed for: /usr/lib/lighttpd/mod_authn_file.so Error loading shared library /usr/lib/lighttpd/mod_authn_file.so: No such file or directory
Signed-off-by: David Yang <mmyangfl@gmail.com>
With the current layout CONFIGURE_ARGS can end up like this:
--with-mysql --without-mysql
To avoid that join the ifneqs of the two mysql related plugins.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
At 1.4.48, base64 decode is broken when libc sees `char` as `unsigned char`
d4083effab?diff=unified
Signed-off-by: Xavier Franquet <xavier@franquet.es>
If we're built with CONFIG_LIGHTTPD_SSL then mod_openssl.so should
be included into the base package. Fixes issue #5343.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
All of the bugs for which we had patches have been fixed upstream
in 1.4.46, so the patches can be dropped.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Glenn Strauss
Petr Štetiar
Rosen Penev
Ilya Lipnitskiy
Jan Pavlinec
Jan Kardell
Michal Hrusecky
Josef Schlehofer
W. Michael Petullo
David Yang
Sebastian Kemper
Xavier Franquet
Vincent Riou
Michael Heimpold
Philip Prindeville