1. 27 Jan, 2022 1 commit
    • wangmy's avatar
      apache2: upgrade 2.4.51 -> 2.4.52 · 3775e663
      wangmy authored
      Changelog:
      ==========
       *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
           multipart content in mod_lua of Apache HTTP Server 2.4.51 and
           earlier (cve.mitre.org)
           A carefully crafted request body can cause a buffer overflow in
           the mod_lua multipart parser (r:parsebody() called from Lua
           scripts).
           The Apache httpd team is not aware of an exploit for the
           vulnerabilty though it might be possible to craft one.
           This issue affects Apache HTTP Server 2.4.51 and earlier.
      
        *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
           forward proxy configurations in Apache HTTP Server 2.4.51 and
           earlier (cve.mitre.org)
           A crafted URI sent to httpd configured as a forward proxy
           (ProxyRequests on) can cause a crash (NULL pointer dereference)
           or, for configurations mixing forward and reverse proxy
           declarations, can allow for requests to be directed to a
           declared Unix Domain Socket endpoint (Server Side Request
           Forgery).
           This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
           (included).
      
        *) http: Enforce that fully qualified uri-paths not to be forward-proxied
           have an http(s) scheme, and that the ones to be forward proxied have a
           hostname, per HTTP specifications.
      
        *) OpenSSL autoconf detection improvement: pick up openssl.pc in the
           specified openssl path.
      
        *) mod_proxy_connect, mod_proxy: Do not change the status code after we
           already sent it to the client.
      
        *) mod_http: Correctly sent a 100 Continue status code when sending an interim
           response as result of an Expect: 100-Continue in the request and not the
           current status code of the request. PR 65725
      
        *) mod_dav: Some DAV extensions, like CalDAV, specify both document
           elements and property elements that need to be taken into account
           when generating a property. The document element and property element
           are made available in the dav_liveprop_elem structure by calling
           dav_get_liveprop_element().
      
        *) mod_dav: Add utility functions dav_validate_root_ns(),
           dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
           dav_find_attr() so that other modules get to play too.
      
        *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.
      
        *) mod_http2: fixes 2 regressions in server limit handling.
           1. When reaching server limits, such as MaxRequestsPerChild, the
              HTTP/2 connection send a GOAWAY frame much too early on new
              connections, leading to invalid protocol state and a client
              failing the request. See PR65731.
              The module now initializes the HTTP/2 protocol correctly and
              allows the client to submit one request before the shutdown
              via a GOAWAY frame is being announced.
           2. A regression in v1.15.24 was fixed that could lead to httpd
              child processes not being terminated on a graceful reload or
              when reaching MaxConnectionsPerChild. When unprocessed h2
              requests were queued at the time, these could stall.
              See <https://github.com/icing/mod_h2/issues/212>.
      
        *) mod_ssl: Add build support for OpenSSL v3.
      
        *) mod_proxy_connect: Honor the smallest of the backend or client timeout
           while tunneling.
      
        *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
           half-close forwarding when tunneling protocols.
      
        *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
           a third-party module.  PR 65627.
      
        *) mod_md: Fix memory leak in case of failures to load the private key.
           PR 65620
      
        *) mod_md: adding v2.4.8 with the following changes
          - Added support for ACME External Account Binding (EAB).
            Use the new directive `MDExternalAccountBinding` to provide the
            server with the value for key identifier and hmac as provided by
            your CA.
            While working on some servers, EAB handling is not uniform
            across CAs. First tests with a Sectigo Certificate Manager in
            demo mode are successful. But ZeroSSL, for example, seems to
            regard EAB values as a one-time-use-only thing, which makes them
            fail if you create a seconde account or retry the creation of the
            first account with the same EAB.
          - The directive 'MDCertificateAuthority' now checks if its parameter
            is a http/https url or one of a set of known names. Those are
            'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
            for now and they are not case-sensitive.
            The default of LetsEncrypt is unchanged.
          - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
            section.
          - Treating 401 HTTP status codes for orders like 403, since some ACME
            servers seem to prefer that for accessing oders from other accounts.
          - When retrieving certificate chains, try to read the repsonse even
            if the HTTP Content-Type is unrecognized.
          - Fixed a bug that reset the error counter of a certificate renewal
            and prevented the increasing delays in further attempts.
          - Fixed the renewal process giving up every time on an already existing
            order with some invalid domains. Now, if such are seen in a previous
            order, a new order is created for a clean start over again.
            See <https://github.com/icing/mod_md/issues/268
      
      >
          - Fixed a mixup in md-status handler when static certificate files
            and renewal was configured at the same time.
      
        *) mod_md: values for External Account Binding (EAB) can
           now also be configured to be read from a separate JSON
           file. This allows to keep server configuration permissions
           world readable without exposing secrets.
      
        *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
           PR 65616.
      Signed-off-by: default avatarWang Mingyu <wangmy@fujitsu.com>
      Signed-off-by: default avatarKhem Raj <raj.khem@gmail.com>
      (cherry picked from commit ea76fc64
      
      )
      Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      3775e663
  2. 31 Dec, 2021 2 commits
  3. 27 Dec, 2021 5 commits
  4. 05 Dec, 2021 1 commit
  5. 18 Nov, 2021 3 commits
    • Khem Raj's avatar
      sdbus-c++-libsystemd: Avoid hard dependency on rsync · 4932616b
      Khem Raj authored
      Signed-off-by: default avatarKhem Raj <raj.khem@gmail.com>
      (cherry picked from commit dcb8ab61
      
      )
      [Fixup for hardknott context]
      Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      4932616b
    • Martin Jansa's avatar
      sdbus-c++: don't fetch googletest during do_configure · 42d05b0f
      Martin Jansa authored
      * with PTEST_ENABLED it enables with-tests PACKAGECONFIG which
        instead of using system googletest gmock, tries to fetch googletest
        from github and fails because branch was recently renamed from master to main
      
      | -- Found PkgConfig: /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/recipe-sysroot-native/usr/bin/pkg-config (found version "0.29.2")
      | -- Checking for module 'libsystemd>=236'
      | --   Found libsystemd, version 249
      | -- Building with tests
      | Fetching googletest...
      | [1/9] Creating directories for 'googletest-populate'
      | [1/9] Performing download step (git clone) for 'googletest-populate'
      | Cloning into 'googletest-src'...
      | fatal: invalid reference: master
      | CMake Error at googletest-subbuild/googletest-populate-prefix/tmp/googletest-populate-gitclone.cmake:40 (message):
      |   Failed to checkout tag: 'master'
      |
      |
      | FAILED: googletest-populate-prefix/src/googletest-populate-stamp/googletest-populate-download
      | cd /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/build/_deps && /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/recipe-sysroot-native/usr/bin/cmake -P /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/build/_deps/googletest-subbuild/googletest-populate-prefix/tmp/googletest-populate-gitclone.cmake && /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/recipe-sysroot-native/usr/bin/cmake -E touch /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/build/_deps/googletest-subbuild/googletest-populate-prefix/src/googletest-populate-stamp/googletest-populate-download
      | ninja: build stopped: subcommand failed.
      |
      | CMake Error at /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/recipe-sysroot-native/usr/share/cmake-3.19/Modules/FetchContent.cmake:989 (message):
      |   Build step for googletest failed: 1
      | Call Stack (most recent call first):
      |   /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/recipe-sysroot-native/usr/share/cmake-3.19/Modules/FetchContent.cmake:1118:EVAL:2 (__FetchContent_directPopulate)
      |   /OE/tmp-glibc/work/qemux86-oe-linux/sdbus-c++/0.8.3-r0/recipe-sysroot-native/usr/share/cmake-3.19/Modules/FetchContent.cmake:1118 (cmake_language)
      |   tests/CMakeLists.txt:17 (FetchContent_Populate)
      |
      |
      | -- Configuring incomplete, errors occurred!
      
      * unfortunately this backported patch fixes the fetching failure, because
        it uses release-${GOOGLETEST_VERSION} tag instead of now non-existent
        master branch, but is not enough to prevent fetching from github during
        do_configure:
      
        -- Building with tests
        -- Could NOT find GTest (missing: GTest_DIR)
        -- Checking for module 'gmock>=1.10.0'
        --   No package 'gmock' found
        Fetching googletest...
      
        we also need to add googletest dependency to with-tests PACKAGECONFIG was fixed in meta-oe/master with the upgrade to 1.0.0:
        https://github.com/openembedded/meta-openembedded/commit/b26b66e5da92718b4e99a57fbfaaef9e751c3cfe#diff-48a847e7323703994fd2ce0fcb731ff860fa955a77cdfe39d71a9cc84a042c06L15
      
      
      
        then it's ok and not fetching:
      
        -- Building with tests
        -- Looking for pthread.h
        -- Looking for pthread.h - found
      Signed-off-by: default avatarMartin Jansa <Martin.Jansa@gmail.com>
      Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      42d05b0f
    • Changqing Li's avatar
  6. 16 Nov, 2021 1 commit
  7. 13 Nov, 2021 1 commit
  8. 07 Nov, 2021 1 commit
  9. 02 Nov, 2021 3 commits
  10. 30 Oct, 2021 1 commit
  11. 29 Oct, 2021 2 commits
  12. 23 Oct, 2021 2 commits
  13. 19 Oct, 2021 2 commits
  14. 08 Oct, 2021 4 commits
  15. 26 Sep, 2021 4 commits
    • wangmy's avatar
      apache2: upgrade 2.4.48 -> 2.4.49 · f44e1a2b
      wangmy authored
      
      Changes with Apache 2.4.49
      
        *) SECURITY: CVE-2021-40438 (cve.mitre.org)
           mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic]
      
        *) SECURITY: CVE-2021-39275 (cve.mitre.org)
           core: ap_escape_quotes buffer overflow
      
        *) SECURITY: CVE-2021-36160 (cve.mitre.org)
           mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]
      
        *) SECURITY: CVE-2021-34798 (cve.mitre.org)
           core: null pointer dereference on malformed request
      
        *) SECURITY: CVE-2021-33193 (cve.mitre.org)
           mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]
      
        *) core/mod_proxy/mod_ssl:
           Adding `outgoing` flag to conn_rec, indicating a connection is
           initiated by the server to somewhere, in contrast to incoming
           connections from clients.
           Adding 'ap_ssl_bind_outgoing()` function that marks a connection
           as outgoing and is used by mod_proxy instead of the previous
           optional function `ssl_engine_set`. This enables other SSL
           module to secure proxy connections.
           The optional functions `ssl_engine_set`, `ssl_engine_disable` and
           `ssl_proxy_enable` are now provided by the core to have backward
           compatibility with non-httpd modules that might use them. mod_ssl
           itself no longer registers these functions, but keeps them in its
           header for backward compatibility.
           The core provided optional function wrap any registered function
           like it was done for `ssl_is_ssl`.
           [Stefan Eissing]
      
        *) mod_ssl: Support logging private key material for use with
           wireshark via log file given by SSLKEYLOGFILE environment
           variable.  Requires OpenSSL 1.1.1.  PR 63391.  [Joe Orton]
      
        *) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
           "ProxyPassInterpolateEnv On" are configured.  PR 65549.
           [Joel Self <joelself gmail.com>]
      
        *) mpm_event: Fix children processes possibly not stopped on graceful
           restart.  PR 63169.  [Joel Self <joelself gmail.com>]
      
        *) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
           protocols from mod_proxy_http, and a timeout triggering falsely when
           using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
           upgrade= setting.  PRs 65521 and 65519.  [Yann Ylavic]
      
        *) mod_unique_id: Reduce the time window where duplicates may be generated
           PR 65159
           [Christophe Jaillet]
      
        *) mpm_prefork: Block signals for child_init hooks to prevent potential
           threads created from there to catch MPM's signals.
           [Ruediger Pluem, Yann Ylavic]
      
        *) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load.
           PR 65159" added in 2.4.47.
           This causes issue on Windows.
           [Christophe Jaillet]
      
        *) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.  [Yann Ylavic]
      
        *) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
           as successful or a staged renewal is replacing the existing certificates.
           This avoid potential mess ups in the md store file system to render the active
           certificates non-working. [@mkauf]
      
        *) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
           [Yann Ylavic]
      
        *) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
           connections. If ALPN protocols are provided and sent to the
           remote server, the received protocol selected is inspected
           and checked for a match. Without match, the peer handshake
           fails.
           An exception is the proposal of "http/1.1" where it is
           accepted if the remote server did not answer ALPN with
           a selected protocol. This accomodates for hosts that do
           not observe/support ALPN and speak http/1.x be default.
      
        *) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
           with others when their URLs contain a '$' substitution.  PR 65419 + 65429.
           [Yann Ylavic]
      
        *) mod_dav: Add method_precondition hook. WebDAV extensions define
           conditions that must exist before a WebDAV method can be executed.
           This hook allows a WebDAV extension to verify these preconditions.
           [Graham Leggett]
      
        *) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
           modules apart from versioning implementations to handle the REPORT method.
           [Graham Leggett]
      
        *) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
           dav_get_resource() to mod_dav.h. [Graham Leggett]
      
        *) core: fix ap_escape_quotes substitution logic. [Eric Covener]
      
        *) Easy patches: synch 2.4.x and trunk
           - mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp.
           - mod_ldap: log and abort locking errors.
           - mod_ldap: style fix for r1831165
           - mod_ldap: build break fix for r1831165
           - mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements
           - mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590)
           - mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case.
           - mod_rewrite: Save a few cycles.
           - mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues
           - core: remove extra whitespace in HTTP_NOT_IMPLEMENTED
          [Christophe Jaillet]
      
        *) core/mpm: add hook 'child_stopping` that gets called when the MPM is
           stopping a child process. The additional `graceful` parameter allows
           registered hooks to free resources early during a graceful shutdown.
           [Yann Ylavic, Stefan Eissing]
      
        *) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the
           balancer-manager, which can lead to a crash.  [Yann Ylavic]
      
        *) mpm_event: Fix graceful stop/restart of children processes if connections
           are in lingering close for too long.  [Yann Ylavic]
      
        *) mod_md: fixed a potential null pointer dereference if ACME/OCSP
           server returned 2xx responses without content type. Reported by chuangwen.
           [chuangwen, Stefan Eissing]
      
        *) mod_md:
           - Domain names in `<MDomain ...>` can now appear in quoted form.
           - Fixed a failure in ACME challenge selection that aborted further searches
             when the tls-alpn-01 method did not seem to be suitable.
           - Changed the tls-alpn-01 setup to only become unsuitable when none of the
             dns names showed support for a configured 'Protocols ... acme-tls/1'. This
             allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
           [Stefan Eissing]
      
        *) Add CPING to health check logic. [Jean-Frederic Clere]
      
        *) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]
      
        *) core, h2: common ap_parse_request_line() and ap_check_request_header()
           code. [Yann Ylavic]
      
        *) core: Add StrictHostCheck to allow unconfigured hostnames to be
           rejected. [Eric Covener]
      
        *) htcacheclean: Improve help messages.  [Christophe Jaillet]
      Signed-off-by: default avatarWang Mingyu <wangmy@fujitsu.com>
      Signed-off-by: default avatarKhem Raj <raj.khem@gmail.com>
      (cherry picked from commit 54a96fa4
      
      )
      Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      f44e1a2b
    • zangrc's avatar
      dash: upgrade 0.5.11.3 -> 0.5.11.5 · 135af4f1
      zangrc authored
      
      parser: Fix VSLENGTH parsing with trailing garbage
      eval: Do not cache value of eflag in evaltree
      Signed-off-by: default avatarZang Ruochen <zangrc.fnst@fujitsu.com>
      Signed-off-by: default avatarKhem Raj <raj.khem@gmail.com>
      (cherry picked from commit 633f2115
      
      )
      Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      135af4f1
    • zangrc's avatar
      crash: upgrade 7.2.9 -> 7.3.0 · 929c2eeb
      zangrc authored
      
      Refresh the following patch:
      donnot-extract-gdb-during-do-compile.patch
      remove-unrecognized-gcc-option-m32-for-mips.patch
      
      0001-printk-add-support-for-lockless-ringbuffer.patch
      0002-printk-use-committed-finalized-state-values.patch
      Removed since these are included in 7.3.0.
      Signed-off-by: default avatarZang Ruochen <zangrc.fnst@fujitsu.com>
      Signed-off-by: default avatarKhem Raj <raj.khem@gmail.com>
      (cherry picked from commit c833f024
      
      )
      [Fixes issue with 5.10 kernel]
      Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      929c2eeb
    • Alexander Kanavin's avatar
      can-utils: rrecommend iproute2 to make it possible to configure can interfaces · 62a8dfa7
      Alexander Kanavin authored
      
      This replicates the fix from canutils.bb, for the same issue. See the link
      in the comment for details.
      Signed-off-by: default avatarAlexander Kanavin <alex@linutronix.de>
      Signed-off-by: default avatarKhem Raj <raj.khem@gmail.com>
      (cherry picked from commit 020b87ad
      
      )
      Signed-off-by: default avatarArmin Kuster <akuster808@gmail.com>
      62a8dfa7
  16. 20 Sep, 2021 1 commit
  17. 15 Sep, 2021 1 commit
  18. 14 Sep, 2021 1 commit
  19. 09 Sep, 2021 1 commit
  20. 07 Sep, 2021 3 commits