From: Peter Korsgaard <peter@korsgaard.com>
To: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Eric Le Bihan <eric.le.bihan.dev@free.fr>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15
Date: Sun, 28 Jan 2024 08:56:57 +0100 [thread overview]
Message-ID: <87wmrtzy9i.fsf@48ers.dk> (raw)
In-Reply-To: <ZbVmT0V0pDW6IegC@landeda> (Yann E. MORIN's message of "Sat, 27 Jan 2024 21:23:43 +0100")
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
> Peter, All,
> On 2024-01-26 14:57 +0100, Peter Korsgaard spake thusly:
>> Fixes the following security issues:
>>
>> CVE-2024-23770: Local Leak of Authentication Parameter in Process List
>>
>> CVE-2024-23771: Basic Auth Timing Attack
>>
>> https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html
>>
>> Notice that CVE-2024-23770 is only documented as a known weakness, not
>> fixed.
>>
>> Also change the license logic to use the dedicated COPYING file available
>> since 1.14:
>>
>> https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd
>>
>> This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match.
> This means the licensing stuff should be backported to the maintenance
> branches, and should thus have been a separate patch prior to the
> version bump.
> But since this is a security fix, I guess you'll want to backport the
> version bump too. And since the odlest stable, 2023.02, already had
> darkhttpd 1.14, it is possibe to backport the version bump to all
> maintenance branches.
> Thus, I considered splitting, got slightly cat-distracted, and pushed
> without splitting.
Hehe ;) That was indeed also the reason why I didn't do the effort to
split it in multiple patches.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2024-01-28 7:57 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-26 13:57 [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15 Peter Korsgaard
2024-01-27 20:23 ` Yann E. MORIN
2024-01-28 7:56 ` Peter Korsgaard [this message]
2024-02-28 16:43 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wmrtzy9i.fsf@48ers.dk \
--to=peter@korsgaard.com \
--cc=buildroot@buildroot.org \
--cc=eric.le.bihan.dev@free.fr \
--cc=yann.morin.1998@free.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.