From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/2] lighttpd: security bump to version 1.14.51
Date: Tue, 30 Oct 2018 11:21:51 +0100 [thread overview]
Message-ID: <20181030102152.9755-1-peter@korsgaard.com> (raw)
Fixes the following security issues:
1.4.50:
[mod_alias] security: potential path traversal with specific configs
[core] security: use-after-free invalid Range req
[mod_alias] security: path traversal in mod_alias (in some use cases) (fixes #2898)
[core] security: use-after-free after invalid Range request (fixes #2899)
1.4.51:
[core,security] process headers after combining folded headers
[mod_userdir] security: skip username ?.? and ?..?
1.4.51 brings optional pam and wolfssl support. Explicitly disable these
options for now.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/lighttpd/lighttpd.hash | 4 ++--
package/lighttpd/lighttpd.mk | 4 +++-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/package/lighttpd/lighttpd.hash b/package/lighttpd/lighttpd.hash
index c99e240c7b..0829c6b4c9 100644
--- a/package/lighttpd/lighttpd.hash
+++ b/package/lighttpd/lighttpd.hash
@@ -1,4 +1,4 @@
-# From https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.49.sha256sum
-sha256 aedf49d7127d9e4c0ea56618e9e945a17674dc46a37ac7990120f87dd939ce09 lighttpd-1.4.49.tar.xz
+# From https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.51.sha256sum
+sha256 2af9fdb265d1f025bfa634e13770239712ecbd585e4975b8226edf1df74e9c82 lighttpd-1.4.51.tar.xz
# Locally calculated
sha256 5c98cad2fbaf5c5e2562bcbab401a7c557c1bb1bac9914ecc63730925052fb13 COPYING
diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
index 06561e9f55..44bee6f90f 100644
--- a/package/lighttpd/lighttpd.mk
+++ b/package/lighttpd/lighttpd.mk
@@ -5,13 +5,15 @@
################################################################################
LIGHTTPD_VERSION_MAJOR = 1.4
-LIGHTTPD_VERSION = $(LIGHTTPD_VERSION_MAJOR).49
+LIGHTTPD_VERSION = $(LIGHTTPD_VERSION_MAJOR).51
LIGHTTPD_SOURCE = lighttpd-$(LIGHTTPD_VERSION).tar.xz
LIGHTTPD_SITE = http://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x
LIGHTTPD_LICENSE = BSD-3-Clause
LIGHTTPD_LICENSE_FILES = COPYING
LIGHTTPD_DEPENDENCIES = host-pkgconf
LIGHTTPD_CONF_OPTS = \
+ --without-pam \
+ --without-wolfssl \
--libdir=/usr/lib/lighttpd \
--libexecdir=/usr/lib
--
2.11.0
next reply other threads:[~2018-10-30 10:21 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-30 10:21 Peter Korsgaard [this message]
2018-10-30 10:21 ` [Buildroot] [PATCH 2/2] lighttpd: add optional pam support Peter Korsgaard
2018-10-30 11:38 ` Baruch Siach
2018-10-30 13:49 ` Peter Korsgaard
2018-10-30 12:43 ` Matthew Weber
2018-10-31 9:24 ` Thomas Petazzoni
2018-10-30 20:04 ` [Buildroot] [PATCH 1/2] lighttpd: security bump to version 1.14.51 Peter Korsgaard
2018-11-13 23:11 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181030102152.9755-1-peter@korsgaard.com \
--to=peter@korsgaard.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox