Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46
@ 2020-08-07 17:11 Bernd Kuhls
  2020-08-07 19:26 ` Yann E. MORIN
  2020-08-28 15:04 ` Peter Korsgaard
  0 siblings, 2 replies; 7+ messages in thread
From: Bernd Kuhls @ 2020-08-07 17:11 UTC (permalink / raw)
  To: buildroot

Changelog: http://archive.apache.org/dist/httpd/CHANGES_2.4.46

Release notes: https://downloads.apache.org/httpd/Announcement2.4.html

Fixes CVE-2020-9490, CVE-2020-11984 & CVE-2020-11993:
https://httpd.apache.org/security/vulnerabilities_24.html

Added all hashes provided by upstream.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 package/apache/apache.hash | 10 ++++++++--
 package/apache/apache.mk   |  2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/package/apache/apache.hash b/package/apache/apache.hash
index 7b0e4ad8e7..4fe457d701 100644
--- a/package/apache/apache.hash
+++ b/package/apache/apache.hash
@@ -1,4 +1,10 @@
-# From http://archive.apache.org/dist/httpd/httpd-2.4.43.tar.bz2.sha256
-sha256  a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43  httpd-2.4.43.tar.bz2
+# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.md5
+md5  7d661ea5e736dac5e2761d9f49fe8361  httpd-2.4.46.tar.bz2
+# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha1
+sha1  1b7cd10ff3a2a07a576d77e34f0204d95fa4aceb  httpd-2.4.46.tar.bz2
+# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha256
+sha256  740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea  httpd-2.4.46.tar.bz2
+# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha512
+sha512  5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13  httpd-2.4.46.tar.bz2
 # Locally computed
 sha256  47b8c2b6c3309282a99d4a3001575c790fead690cc14734628c4667d2bbffc43  LICENSE
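Review bot: the md5 and sha1 lines added for httpd-2.4.46.tar.bz2 give no integrity guarantee beyond what the sha256 and sha512 entries in the same hunk already provide, so the block could be reduced to the two strong hashes with a single comment naming both upstream locations, e.g. `# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.{sha256,sha512}`. Every listed hash is still computed and compared at download time, so the weak entries only add maintenance and a false sense of extra coverage.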
diff --git a/package/apache/apache.mk b/package/apache/apache.mk
index 068f36e325..203d637fbb 100644
--- a/package/apache/apache.mk
+++ b/package/apache/apache.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-APACHE_VERSION = 2.4.43
+APACHE_VERSION = 2.4.46
 APACHE_SOURCE = httpd-$(APACHE_VERSION).tar.bz2
 APACHE_SITE = http://archive.apache.org/dist/httpd
 APACHE_LICENSE = Apache-2.0
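Review bot: only APACHE_VERSION changes here, so the tarball is still fetched over plain http from the APACHE_SITE shown in the context lines, and the sha256/sha512 entries in apache.hash remain the only check on what was downloaded; that is worth stating in the commit message, and a follow-up could switch APACHE_SITE to https://archive.apache.org/dist/httpd if that mirror serves it, so transport and hash verification back each other up.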
-- 
2.27.0


* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46
  2020-08-07 17:11 [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46 Bernd Kuhls
@ 2020-08-07 19:26 ` Yann E. MORIN
  2020-08-07 20:56   ` Peter Seiderer
  2020-08-28 15:04 ` Peter Korsgaard
  1 sibling, 1 reply; 7+ messages in thread
From: Yann E. MORIN @ 2020-08-07 19:26 UTC (permalink / raw)
  To: buildroot

Bernd, All,

On 2020-08-07 19:11 +0200, Bernd Kuhls spake thusly:
> Changelog: http://archive.apache.org/dist/httpd/CHANGES_2.4.46
> 
> Release notes: https://downloads.apache.org/httpd/Announcement2.4.html
> 
> Fixes CVE-2020-9490, CVE-2020-11984 & CVE-2020-11993:
> https://httpd.apache.org/security/vulnerabilities_24.html
> 
> Added all hashes provided by upstream.

md5 and sha1 are broken nowadays, so adding them is not interesting at
all, when there are better hashes available, which is the case here.

So I've dropped md5 and sha1, and used a single comment to refer to both
upstream locations.

Applied to master, thanks.

> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ---
>  package/apache/apache.hash | 10 ++++++++--
>  package/apache/apache.mk   |  2 +-
>  2 files changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/package/apache/apache.hash b/package/apache/apache.hash
> index 7b0e4ad8e7..4fe457d701 100644
> --- a/package/apache/apache.hash
> +++ b/package/apache/apache.hash
> @@ -1,4 +1,10 @@
> -# From http://archive.apache.org/dist/httpd/httpd-2.4.43.tar.bz2.sha256
> -sha256  a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43  httpd-2.4.43.tar.bz2
> +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.md5
> +md5  7d661ea5e736dac5e2761d9f49fe8361  httpd-2.4.46.tar.bz2
> +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha1
> +sha1  1b7cd10ff3a2a07a576d77e34f0204d95fa4aceb  httpd-2.4.46.tar.bz2
> +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha256
> +sha256  740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea  httpd-2.4.46.tar.bz2
> +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha512
> +sha512  5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13  httpd-2.4.46.tar.bz2
>  # Locally computed
>  sha256  47b8c2b6c3309282a99d4a3001575c790fead690cc14734628c4667d2bbffc43  LICENSE
> diff --git a/package/apache/apache.mk b/package/apache/apache.mk
> index 068f36e325..203d637fbb 100644
> --- a/package/apache/apache.mk
> +++ b/package/apache/apache.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -APACHE_VERSION = 2.4.43
> +APACHE_VERSION = 2.4.46
>  APACHE_SOURCE = httpd-$(APACHE_VERSION).tar.bz2
>  APACHE_SITE = http://archive.apache.org/dist/httpd
>  APACHE_LICENSE = Apache-2.0
> -- 
> 2.27.0

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46
  2020-08-07 19:26 ` Yann E. MORIN
@ 2020-08-07 20:56   ` Peter Seiderer
  2020-08-08 12:23     ` Yann E. MORIN
  0 siblings, 1 reply; 7+ messages in thread
From: Peter Seiderer @ 2020-08-07 20:56 UTC (permalink / raw)
  To: buildroot

Hello Yann, *,

On Fri, 7 Aug 2020 21:26:57 +0200, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> Bernd, All,
>
> On 2020-08-07 19:11 +0200, Bernd Kuhls spake thusly:
> > Changelog: http://archive.apache.org/dist/httpd/CHANGES_2.4.46
> >
> > Release notes: https://downloads.apache.org/httpd/Announcement2.4.html
> >
> > Fixes CVE-2020-9490, CVE-2020-11984 & CVE-2020-11993:
> > https://httpd.apache.org/security/vulnerabilities_24.html
> >
> > Added all hashes provided by upstream.
>
> md5 and sha1 are broken nowadays, so adding them is not interesting at
> all, when there are better hashes available, which is the case here.

If this handling is the new rule, then it is time to update the docs
stating 'If upstream provides more than one type of hash (e.g. sha1 and sha512),
then it is best to add all those hashes in the .hash file.'?

Regards,
Peter

>
> So I've dropped md5 and sha1, and used a single comment to refer to both
> upstream locations.
>
> Applied to master, thanks.
>
> > Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> > ---
> >  package/apache/apache.hash | 10 ++++++++--
> >  package/apache/apache.mk   |  2 +-
> >  2 files changed, 9 insertions(+), 3 deletions(-)
> >
> > diff --git a/package/apache/apache.hash b/package/apache/apache.hash
> > index 7b0e4ad8e7..4fe457d701 100644
> > --- a/package/apache/apache.hash
> > +++ b/package/apache/apache.hash
> > @@ -1,4 +1,10 @@
> > -# From http://archive.apache.org/dist/httpd/httpd-2.4.43.tar.bz2.sha256
> > -sha256  a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43  httpd-2.4.43.tar.bz2
> > +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.md5
> > +md5  7d661ea5e736dac5e2761d9f49fe8361  httpd-2.4.46.tar.bz2
> > +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha1
> > +sha1  1b7cd10ff3a2a07a576d77e34f0204d95fa4aceb  httpd-2.4.46.tar.bz2
> > +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha256
> > +sha256  740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea  httpd-2.4.46.tar.bz2
> > +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha512
> > +sha512  5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13  httpd-2.4.46.tar.bz2
> >  # Locally computed
> >  sha256  47b8c2b6c3309282a99d4a3001575c790fead690cc14734628c4667d2bbffc43  LICENSE
> > diff --git a/package/apache/apache.mk b/package/apache/apache.mk
> > index 068f36e325..203d637fbb 100644
> > --- a/package/apache/apache.mk
> > +++ b/package/apache/apache.mk
> > @@ -4,7 +4,7 @@
> >  #
> >  ################################################################################
> >
> > -APACHE_VERSION = 2.4.43
> > +APACHE_VERSION = 2.4.46
> >  APACHE_SOURCE = httpd-$(APACHE_VERSION).tar.bz2
> >  APACHE_SITE = http://archive.apache.org/dist/httpd
> >  APACHE_LICENSE = Apache-2.0
> > --
> > 2.27.0


* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46
  2020-08-07 20:56   ` Peter Seiderer
@ 2020-08-08 12:23     ` Yann E. MORIN
  2020-08-08 21:12       ` Peter Korsgaard
  0 siblings, 1 reply; 7+ messages in thread
From: Yann E. MORIN @ 2020-08-08 12:23 UTC (permalink / raw)
  To: buildroot

Peter, All,

On 2020-08-07 22:56 +0200, Peter Seiderer spake thusly:
> On Fri, 7 Aug 2020 21:26:57 +0200, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> > On 2020-08-07 19:11 +0200, Bernd Kuhls spake thusly:
> > > Changelog: http://archive.apache.org/dist/httpd/CHANGES_2.4.46
> > >
> > > Release notes: https://downloads.apache.org/httpd/Announcement2.4.html
> > >
> > > Fixes CVE-2020-9490, CVE-2020-11984 & CVE-2020-11993:
> > > https://httpd.apache.org/security/vulnerabilities_24.html
> > >
> > > Added all hashes provided by upstream.
> >
> > md5 and sha1 are broken nowadays, so adding them is not interesting at
> > all, when there are better hashes available, which is the case here.
> 
> If this handling is the new rule, then it is time to update the docs
> stating 'If upstream provides more than one type of hash (e.g. sha1 and sha512),
> then it is best to add all those hashes in the .hash file.'?

I wrote that more than 6 years ago now. ;-) Things have changed since
then.

The hashes are there to guarantee that the archives have not been tampered
with, so that we know that:

 1. there was no technical issue downloading the archive (e.g. partial
    download, proxy playing tricks, etc...),

 2. upstream did not re-release the same version with a different
    content, so that we know our patches would or would not apply for
    example,

 3. the source code has not been tampered with, so that no ill source
    code has been injected (either in-transit, or if upstream got
    compromised).

md5 is broken, there is no point in using it. If that's the only thing
upstream provides, we can carry it, but if upstream provides better
hashes, md5 brings nothing to address the above, especially point 3.

sha1 is not yet fully broken, but it is no longer trusted, and everyone
is moving away from it. If upstream only provides sha1, we can carry it,
but if upstream provides better hashes, then we should not _add_ sha1
(but we can continue to update an existing one we already carry). While
sha1 is still OK-ish to address accidental tampering (point 1) or
non-malicious modifications (point 2, and even then), it is now
useless to address malicious tampering (point 3).

This is the point of view hashes should be looked at from.

In this case, upstream provides two strong hashes, sha256 and sha512;
adding md5 is totally useless, while adding sha1 is borderline useless.

For the records:

  - md5 [0] was introduced in 1991, and the first security issues were
    identified in 1993, and the first collisions reported in 1996.

  - sha1 [1] was introduced in 1995, is considered weak since 2005 (15
    years ago!), disallowed for signatures by NIST since 2013, and
    chosen-prefix attacks are a thing since this year.

[0] https://en.wikipedia.org/wiki/MD5
[1] https://en.wikipedia.org/wiki/SHA-1

Regards,
Yann E. MORIN.



* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46
  2020-08-08 12:23     ` Yann E. MORIN
@ 2020-08-08 21:12       ` Peter Korsgaard
  2020-08-11 21:31         ` Peter Seiderer
  0 siblings, 1 reply; 7+ messages in thread
From: Peter Korsgaard @ 2020-08-08 21:12 UTC (permalink / raw)
  To: buildroot

>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

Hi,

 > The hashes are there to guarantee that the archives have not been tampered
 > with, so that we know that:

 >  1. there was no technical issue downloading the archive (e.g. partial
 >     download, proxy playing tricks, etc...),

 >  2. upstream did not re-release the same version with a different
 >     content, so that we know our patches would or would not apply for
 >     example,

 >  3. the source code has not been tampered with, so that no ill source
 >     code has been injected (either in-transit, or if upstream got
 >     compromised).

 > md5 is broken, there is no point in using it. If that's the only thing
 > upstream provides, we can carry it, but if upstream provides better
 > hashes, md5 brings nothing to address the above, especially point 3.

 > sha1 is not yet fully broken, but it is no longer trusted, and everyone
 > is moving away from it. If upstream only provides sha1, we can carry it,
 > but if upstream provides better hashes, then we should not _add_ sha1
 > (but we can continue to update an existing one we already carry). While
 > sha1 is still OK-ish to address accidental tampering (point 1) or
 > non-malicious modifications (point 2, and even then), it is now
 > useless to address malicious tampering (point 3).

 > This is the point of view hashes should be looked at from.

 > In this case, upstream provides two strong hashes, sha256 and sha512;
 > adding md5 is totally useless, while adding sha1 is borderline useless.

 > For the records:

 >   - md5 [0] was introduced in 1991, and the first security issues were
 >     identified in 1993, and the first collisions reported in 1996.

 >   - sha1 [1] was introduced in 1995, is considered weak since 2005 (15
 >     years ago!), disallowed for signatures by NIST since 2013, and
 >     chosen-prefix attacks are a thing since this year.

This is all true, but generating a single rogue file with BOTH a md5 and
sha1 collision and still being a valid compressed tarball is extremely
unlikely, so I have no issues with listing them (together with a
manually calculated sha256) if upstream doesn't provide sha256 or
better.

If upstream does provide sha256 or better then there indeed isn't much
point in adding the older hashes as well.

-- 
Bye, Peter Korsgaard
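The hash policy argued in the two messages above, in Yann's reply (every listed hash must match, md5 and sha1 are useless against malicious tampering once sha256/sha512 are available) and in Peter Korsgaard's (carrying md5/sha1 is acceptable only together with a locally computed sha256 when upstream offers nothing stronger), written out as an added Python example. This is not Buildroot's own support/download/check-hash script; the `.hash` line format is taken from the apache.hash hunk in the patch, and the tarball stand-in bytes, the tampered variant and the scenario names in `demo()` are constructed for the example.

```python
"""Check a Buildroot-style .hash file against a downloaded archive.

Added example; not Buildroot's own support/download/check-hash script.
Assumed file format (matches the apache.hash lines in the patch):

    # From <upstream url>      <- comment, ignored
    <algo>  <hexdigest>  <filename>

Policy: every listed hash must match (a wrong md5 still means a broken
download), a file needs at least one sha256/sha512 entry to count as
verified, and md5/sha1 next to a strong hash are flagged as redundant.
"""
import hashlib
import os
import tempfile

# Hash types a Buildroot .hash file may carry, weakest first.
WEAK = ("md5", "sha1")
STRONG = ("sha256", "sha512")
HEX = set("0123456789abcdef")


def parse_hash_file(text):
    """Parse .hash text into a list of (algo, hexdigest, filename).

    Blank lines and '#' comments are skipped. Malformed lines raise
    ValueError so a typo in the file cannot silently weaken the check.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<algo>  <hash>  <file>'")
        algo, digest, fname = parts[0].lower(), parts[1].lower(), parts[2]
        if algo not in WEAK + STRONG:
            raise ValueError(f"line {lineno}: unsupported hash type {algo!r}")
        if len(digest) != 2 * hashlib.new(algo).digest_size or not set(digest) <= HEX:
            raise ValueError(f"line {lineno}: malformed {algo} digest")
        entries.append((algo, digest, fname))
    return entries


def file_digest(path, algo):
    """Hash a file in chunks so a large tarball is never read whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(path, entries):
    """Verify `path` against the entries for its basename.

    Returns (ok, problems, warnings). ok is False on any mismatch, on a
    file with no entry, or on a file covered only by md5/sha1.
    """
    name = os.path.basename(path)
    mine = [e for e in entries if e[2] == name]
    if not mine:
        return False, [f"{name}: no hash entry"], []
    problems, warnings = [], []
    present = {algo for algo, _, _ in mine}
    strong = sorted(present.intersection(STRONG))
    weak = sorted(present.intersection(WEAK))
    if not strong:
        problems.append(f"{name}: only {', '.join(weak)} listed; add a locally computed sha256")
    elif weak:
        warnings.append(f"{name}: {', '.join(weak)} add nothing next to {', '.join(strong)}")
    for algo, digest, _ in mine:
        actual = file_digest(path, algo)
        if actual != digest:
            problems.append(f"{name}: {algo} mismatch (expected {digest}, got {actual})")
    return not problems, problems, warnings


def demo():
    """Run three constructed scenarios; returns {name: (ok, problems, warnings)}."""
    good = b"constructed stand-in for httpd-2.4.46.tar.bz2\n"   # constructed
    bad = good + b"injected line\n"                             # constructed tampered copy
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "httpd-2.4.46.tar.bz2")

        def hash_lines(algos, data):
            # Build .hash text for `data` in the format parsed above.
            return "\n".join(
                f"{a}  {hashlib.new(a, data).hexdigest()}  httpd-2.4.46.tar.bz2" for a in algos
            )

        with open(path, "wb") as f:
            f.write(good)
        # 1. all four hashes, like the patch as posted: passes, but warns
        results["all_four"] = check_file(path, parse_hash_file(hash_lines(WEAK + STRONG, good)))
        # 2. md5 and sha1 only: not enough against a malicious change
        results["weak_only"] = check_file(path, parse_hash_file(hash_lines(WEAK, good)))
        # 3. strong hashes only, as applied to master, but the file was altered
        with open(path, "wb") as f:
            f.write(bad)
        results["tampered"] = check_file(path, parse_hash_file(hash_lines(STRONG, good)))
    return results


if __name__ == "__main__":
    for scenario, (ok, problems, warnings) in demo().items():
        print(scenario, "OK" if ok else "FAIL", problems, warnings)
```

Note that a mismatching md5 is still reported as a failure rather than ignored: a weak hash is useless against a deliberate substitution, but it remains a perfectly good detector of a truncated or proxy-mangled download, which is point 1 in Yann's list.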


* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46
  2020-08-08 21:12       ` Peter Korsgaard
@ 2020-08-11 21:31         ` Peter Seiderer
  0 siblings, 0 replies; 7+ messages in thread
From: Peter Seiderer @ 2020-08-11 21:31 UTC (permalink / raw)
  To: buildroot

Hello Yann, Peter,

On Sat, 08 Aug 2020 23:12:06 +0200, Peter Korsgaard <peter@korsgaard.com> wrote:

> >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
>
> Hi,
>
>  > The hashes are there to guarantee that the archives have not been tampered
>  > with, so that we know that:
>
>  >  1. there was no technical issue downloading the archive (e.g. partial
>  >     download, proxy playing tricks, etc...),
>
>  >  2. upstream did not re-release the same version with a different
>  >     content, so that we know our patches would or would not apply for
>  >     example,
>
>  >  3. the source code has not been tampered with, so that no ill source
>  >     code has been injected (either in-transit, or if upstream got
>  >     compromised).
>
>  > md5 is broken, there is no point in using it. If that's the only thing
>  > upstream provides, we can carry it, but if upstream provides better
>  > hashes, md5 brings nothing to address the above, especially point 3.
>
>  > sha1 is not yet fully broken, but it is no longer trusted, and everyone
>  > is moving away from it. If upstream only provides sha1, we can carry it,
>  > but if upstream provides better hashes, then we should not _add_ sha1
>  > (but we can continue to update an existing one we already carry). While
>  > sha1 is still OK-ish to address accidental tampering (point 1) or
>  > non-malicious modifications (point 2, and even then), it is now
>  > useless to address malicious tampering (point 3).
>
>  > This is the point of view hashes should be looked at from.
>
>  > In this case, upstream provides two strong hashes, sha256 and sha512;
>  > adding md5 is totally useless, while adding sha1 is borderline useless.
>
>  > For the records:
>
>  >   - md5 [0] was introduced in 1991, and the first security issues were
>  >     identified in 1993, and the first collisions reported in 1996.
>
>  >   - sha1 [1] was introduced in 1995, is considered weak since 2005 (15
>  >     years ago!), disallowed for signatures by NIST since 2013, and
>  >     chosen-prefix attacks are a thing since this year.
>
> This is all true, but generating a single rogue file with BOTH a md5 and
> sha1 collision and still being a valid compressed tarball is extremely
> unlikely, so I have no issues with listing them (together with a
> manually calculated sha256) if upstream doesn't provide sha256 or
> better.
>
> If upstream does provide sha256 or better then there indeed isn't much
> point in adding the older hashes as well.
>

Totally agree with the given arguments for omitting redundant hashes (and
always wondered why the docs suggested otherwise)... time to update
the docs to reflect this?

Regards,
Peter


* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46
  2020-08-07 17:11 [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46 Bernd Kuhls
  2020-08-07 19:26 ` Yann E. MORIN
@ 2020-08-28 15:04 ` Peter Korsgaard
  1 sibling, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2020-08-28 15:04 UTC (permalink / raw)
  To: buildroot

>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:

 > Changelog: http://archive.apache.org/dist/httpd/CHANGES_2.4.46
 > Release notes: https://downloads.apache.org/httpd/Announcement2.4.html

 > Fixes CVE-2020-9490, CVE-2020-11984 & CVE-2020-11993:
 > https://httpd.apache.org/security/vulnerabilities_24.html

 > Added all hashes provided by upstream.

 > Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>

Committed to 2020.02.x and 2020.05.x, thanks.

-- 
Bye, Peter Korsgaard

