The crude loop I wrote to come up with this changeset:
find -L package/feeds/packages/ -name patches | \
sed 's/patches$/refresh/' | sort | xargs make
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
From CHANGES_2.4:
SECURITY: CVE-2020-11984 (cve.mitre.org)
mod_proxy_uwsgi: Malicious request may result in information disclosure
or RCE of existing file on the server running under a malicious process
environment. [Yann Ylavic]
SECURITY: CVE-2020-11993 (cve.mitre.org)
mod_http2: when throttling connection requests, log statements
were possibly made that result in concurrent, unsafe use of
a memory pool. [Stefan Eissing]
SECURITY:
mod_http2: a specially crafted value for the 'Cache-Digest' header
request would result in a crash when the server actually tries
to HTTP/2 PUSH a resource afterwards.
[Stefan Eissing, Eric Covener, Christophe Jaillet]
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
When adding suEXEC to the apache package, Alpine's package [1] served as
a template. Not enough attention was paid to the details.
Alpine uses a different layout. So for OpenWrt to use /var/www as
DocumentRoot does not make sense. /var is also volatile on OpenWrt. This
commit removes the configure argument. The default is htdocsdir.
This also does away with uidmin/gidmin 99. The default is 100, which is
fine.
Finally, the suexec binary is moved from /usr/sbin to
/usr/lib/apache2/suexec_dir. Upstream recommends installing suexec with
"4750" (see [2]) and the group set to the user's group. While that would
be possible, it would cause a few headaches on OpenWrt. The group would
need to be changed first in a post-install script and a call to chmod
would need to be made afterward, to make the binary SUID again.
It's easier to hide the SUID binary away from others in a directory.
This way we don't need to use chmod in the post-install script.
[1] https://github.com/alpinelinux/aports/tree/master/main/apache2
[2] https://httpd.apache.org/docs/2.4/suexec.html
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
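The commit above weighs two ways of keeping a setuid suexec away from untrusted local users: upstream's 4750 binary with the group set to the web server's group, or a binary of any setuid mode placed in a directory that "others" cannot enter. The following audit function is an added example (not code from the OpenWrt package or from Apache httpd) that checks an installed suexec against both layouts. It assumes a `stat` that accepts `-c '%a'` and `-c '%G'` (GNU coreutils and BusyBox both do) and treats the installed path as a parameter rather than hard-coding /usr/lib/apache2/suexec_dir.

```shell
#!/bin/sh
# Added example: audit how a setuid suexec binary is exposed on the filesystem.
# Accepts either of the two layouts discussed in the commit message:
#   (a) binary mode 4750 (upstream recommendation; the group must then be the
#       httpd user's group), or
#   (b) binary is setuid but its parent directory grants nothing to "others",
#       which is how the binary is "hidden away" in a directory.
# Assumption: stat supports -c '%a' (octal mode) and -c '%G' (group name).

# Print the octal mode of a path, e.g. 4750 or 750.
octal_mode() {
    stat -c '%a' "$1"
}

# Return 0 if the octal mode has the setuid bit (leading digit 4, 5, 6 or 7).
is_setuid_mode() {
    case "$1" in
        4???|5???|6???|7???) return 0 ;;
    esac
    return 1
}

# Print the "others" digit of an octal mode (last character).
others_digit() {
    printf '%s' "$1" | tail -c 1
}

# audit_suexec PATH
#   returns 0 when the binary is setuid and protected by layout (a) or (b),
#   1 when it is not setuid or is world-reachable, 2 when PATH is missing.
audit_suexec() {
    bin=$1
    if [ ! -f "$bin" ]; then
        echo "missing: $bin"
        return 2
    fi
    mode=$(octal_mode "$bin")
    if ! is_setuid_mode "$mode"; then
        echo "not setuid: $bin is $mode"
        return 1
    fi
    dir=$(dirname "$bin")
    dmode=$(octal_mode "$dir")

    # Layout (a): 4750 binary. The group is reported so the operator can
    # confirm it is the httpd user's group; this script cannot know that.
    if [ "$mode" = 4750 ]; then
        echo "ok: $bin is 4750, group $(stat -c '%G' "$bin") (upstream layout)"
        return 0
    fi

    # Layout (b): directory denies r/w/x to others, so the binary's own
    # "others" bits do not matter for users outside the owner/group.
    if [ "$(others_digit "$dmode")" = 0 ]; then
        echo "ok: $bin is $mode but $dir is $dmode (directory hides it)"
        return 0
    fi

    echo "exposed: $bin is $mode inside world-reachable $dir ($dmode)"
    return 1
}

# Stand-alone use: audit_suexec.sh /usr/lib/apache2/suexec_dir/suexec
if [ "$#" -gt 0 ]; then
    audit_suexec "$1"
fi
```

Note that layout (b) only helps if the directory itself is owned by root, since a directory owner can always re-open it; the check above reports the mode and leaves that ownership decision, and the choice of group for layout (a), to the operator.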
This minor version bump fixes:
CVE-2020-1934
CVE-2020-1927
Upstream added cross-compile compatibility to apxs, so we can drop a sed
script. Upstream also added the OpenWrt layout, so we can drop our local
copy.
The OpenSSL patch to remove deprecated symbols doesn't apply anymore and
gets removed.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
gettid happens to be supported by all glibc, musl and uclibc, but
configure cannot detect it when cross-compiling. This adds a configure
variable for it.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
In OpenWrt this module is available, but not part of the main package.
This commit disables the LoadModule directive for this module. Otherwise
following the installation of the main apache package the start of the
server would fail (due to the absence of this particular module).
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This way there's no need to worry about overwriting another httpd binary
or symlink from another package, for example busybox's httpd.
The init script is also renamed to apache2 for consistency.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
- helps build system to locate zlib
- adds depend on libgdbm if libaprutil-dbm-gdbm is selected
This fixes the two different build failures that can currently be
observed.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
The package doesn't need to install _everything_ to staging. This commit
reduces the amount of files that get copied over to staging. Currently
there's no package depending on apache anyway.
This adds sed scripts from buildroot (thanks!) to fix two files that are
important for cross-compiling external modules. This has been tested and
was confirmed to work with mod_gnutls taken as an example package.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Also preinst and postrm are removed. busybox's httpd isn't installed by
default, so these gimmicks seem antiquated.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This adds extra packages for certain modules (basically the ones that
incur further dependencies), support files etc. This pretty much
follows Alpine's example.
This updates the httpd.conf patch to _not_ uncomment MIMEMagicFile
(because the module isn't loaded by default) and removes the changes
that aren't needed anymore (because of the added module support). The
patch now only changes the default user.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This gets rid of flags. For instance $(FPIC) shouldn't be forced onto
applications (see [1]).
And CONFIGURE_ARGS + CONFIGURE_VARS are broken out of Build/Configure.
This way more arguments can be added easily in the future.
The target is changed from apache to apache2 (which is used by upstream
by default). The CONFIGURE_ARGS are changed where needed to enable
modules.
This also renames one patch that fixes scoreboard location (the name
004-pidfile_fix.patch didn't describe what it's doing).
Now with the OpenWrt layout in place 003-logdir_fix.patch can be
removed.
[1] https://wiki.gentoo.org/wiki/Project:Hardened/Position_Independent_Code_internals
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
- version bump
- update license description
- add PKG_BUILD_PARALLEL:=1
- remove two cross-compile patches and replace them with the
cross-compile patch from buildroot (adds autoreconf to get this going)
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
- fix CVE-2017-9798
- fix #4926
Make http2 support configurable: if the libnghttp2 package is enabled,
don't build http2 automatically; instead use CONFIG_APACHE_HTTP2 to
enable http2 support.
Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
fix Makefile chmod (644)
replace MD5SUM with HASH
add PKG_MIRROR_HASH when PKG_SOURCE_PROTO:=git
(PKG_SOURCE_PROTO:=svn tarballs are not reproducible for now)
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>