From CHANGES_2.4:
SECURITY: CVE-2020-11984 (cve.mitre.org)
mod_proxy_uwsgi: Malicious request may result in information disclosure
or RCE of existing file on the server running under a malicious process
environment. [Yann Ylavic]
SECURITY: CVE-2020-11993 (cve.mitre.org)
mod_http2: when throttling connection requests, log statements
were possibly made that result in concurrent, unsafe use of
a memory pool. [Stefan Eissing]
SECURITY:
mod_http2: a specially crafted value for the 'Cache-Digest' header
request would result in a crash when the server actually tries
to HTTP/2 PUSH a resource afterwards.
[Stefan Eissing, Eric Covener, Christophe Jaillet]
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
When adding suEXEC to the apache package, Alpine's package [1] served as
a template. Not enough attention was paid to the details.
Alpine uses a different layout. So for OpenWrt to use /var/www as
DocumentRoot does not make sense. /var is also volatile on OpenWrt. This
commit removes the configure argument. The default is htdocsdir.
This also does away with uidmin/gidmin 99. The default is 100, which is
fine.
Finally, the suexec binary is moved from /usr/sbin to
/usr/lib/apache2/suexec_dir. Upstream recommends installing suexec with
"4750" (see [2]) and the group set to the user's group. While that would
be possible, it would cause a few headaches on OpenWrt. The group would
need to be changed first in a post-install script and a call to chmod
would need to be made afterward, to make the binary SUID again.
It's easier to hide the SUID binary away from others in a directory.
This way we don't need to use chmod in the post-install script.
[1] https://github.com/alpinelinux/aports/tree/master/main/apache2
[2] https://httpd.apache.org/docs/2.4/suexec.html
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This minor version bump fixes:
CVE-2020-1934
CVE-2020-1927
Upstream added cross-compile compatibility to apxs, so we can drop a sed
script. Upstream also added the OpenWrt layout, so we can drop our local
copy.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This script notifies users about the changes that recently went into the
package, to prevent surprises.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This is a squash of the following cherry-picked commits:
14f4f0bef04e6bdd8a49c8aba5113b2d188fd37f31e0d618e539e68309e8a1472254dbd6476f30bb258967b0d2e94a08298e6bd63d24f066bb68a7b6d44ad09fcd
Short summary:
- version is bumped to 2.4.41
- httpd is renamed to apache2 to avoid overwriting other servers (for
instance busybox's httpd)
- the name apache2 is now also used for directories, for instance
/etc/apache2 instead of /etc/apache
- a simple init script is added (/etc/init.d/apache2)
- a user "apache" is added upon package installation and used by default
- adds the Apache modules (in the main package as well as in additional
packages)
- Makefile and patches are updated and cleaned
- adds myself as maintainer
- improves the cross-compile setup (via configure variables, patches &
sed scripts)
- apxs is fixed up so that external modules can be added easily
For more details please check the individual commits provided above.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
- fix CVE-2017-9798
- fix #4926
make http2 support configurable: in case the libnghttp2 package is
enabled, don't build http2 automatically; instead use CONFIG_APACHE_HTTP2
to enable http2 support
Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
fix Makefile chmod (644)
replace MD5SUM with HASH
add PKG_MIRROR_HASH when PKG_SOURCE_PROTO:=git
(PKG_SOURCE_PROTO:=svn tarballs are not reproducible for now)
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>