* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46 @ 2020-08-07 17:11 Bernd Kuhls 2020-08-07 19:26 ` Yann E. MORIN 2020-08-28 15:04 ` Peter Korsgaard 0 siblings, 2 replies; 7+ messages in thread From: Bernd Kuhls @ 2020-08-07 17:11 UTC (permalink / raw) To: buildroot Changelog: http://archive.apache.org/dist/httpd/CHANGES_2.4.46 Release notes: https://downloads.apache.org/httpd/Announcement2.4.html Fixes CVE-2020-9490, CVE-2020-11984 & CVE-2020-11993: https://httpd.apache.org/security/vulnerabilities_24.html Added all hashes provided by upstream. Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> --- package/apache/apache.hash | 10 ++++++++-- package/apache/apache.mk | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/package/apache/apache.hash b/package/apache/apache.hash index 7b0e4ad8e7..4fe457d701 100644 --- a/package/apache/apache.hash +++ b/package/apache/apache.hash @@ -1,4 +1,10 @@ -# From http://archive.apache.org/dist/httpd/httpd-2.4.43.tar.bz2.sha256 -sha256 a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43 httpd-2.4.43.tar.bz2 +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.md5 +md5 7d661ea5e736dac5e2761d9f49fe8361 httpd-2.4.46.tar.bz2 +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha1 +sha1 1b7cd10ff3a2a07a576d77e34f0204d95fa4aceb httpd-2.4.46.tar.bz2 +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha256 +sha256 740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea httpd-2.4.46.tar.bz2 +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha512 +sha512 5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13 httpd-2.4.46.tar.bz2 # Locally computed sha256 47b8c2b6c3309282a99d4a3001575c790fead690cc14734628c4667d2bbffc43 LICENSE diff --git a/package/apache/apache.mk b/package/apache/apache.mk index 068f36e325..203d637fbb 100644 --- a/package/apache/apache.mk +++ b/package/apache/apache.mk @@ -4,7 +4,7 @@ # ################################################################################ -APACHE_VERSION = 2.4.43 +APACHE_VERSION = 2.4.46 APACHE_SOURCE = httpd-$(APACHE_VERSION).tar.bz2 APACHE_SITE = http://archive.apache.org/dist/httpd APACHE_LICENSE = Apache-2.0 -- 2.27.0 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46 2020-08-07 17:11 [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46 Bernd Kuhls @ 2020-08-07 19:26 ` Yann E. MORIN 2020-08-07 20:56 ` Peter Seiderer 2020-08-28 15:04 ` Peter Korsgaard 1 sibling, 1 reply; 7+ messages in thread From: Yann E. MORIN @ 2020-08-07 19:26 UTC (permalink / raw) To: buildroot Bernd, All, On 2020-08-07 19:11 +0200, Bernd Kuhls spake thusly: > Changelog: http://archive.apache.org/dist/httpd/CHANGES_2.4.46 > > Release notes: https://downloads.apache.org/httpd/Announcement2.4.html > > Fixes CVE-2020-9490, CVE-2020-11984 & CVE-2020-11993: > https://httpd.apache.org/security/vulnerabilities_24.html > > Added all hashes provided by upstream. md5 and sha1 are broken nowadays, so adding them is not interesting at all, when there are better hashes available, which is the case here. So I've dropped md5 and sha1, and used a single comment to refer to both upstream locations. Applied to master, thanks. > Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> > --- > package/apache/apache.hash | 10 ++++++++-- > package/apache/apache.mk | 2 +- > 2 files changed, 9 insertions(+), 3 deletions(-) > > diff --git a/package/apache/apache.hash b/package/apache/apache.hash > index 7b0e4ad8e7..4fe457d701 100644 > --- a/package/apache/apache.hash > +++ b/package/apache/apache.hash > @@ -1,4 +1,10 @@ > -# From http://archive.apache.org/dist/httpd/httpd-2.4.43.tar.bz2.sha256 > -sha256 a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43 httpd-2.4.43.tar.bz2 > +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.md5 > +md5 7d661ea5e736dac5e2761d9f49fe8361 httpd-2.4.46.tar.bz2 > +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha1 > +sha1 1b7cd10ff3a2a07a576d77e34f0204d95fa4aceb httpd-2.4.46.tar.bz2 > +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha256 > +sha256 740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea httpd-2.4.46.tar.bz2 > +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha512 > +sha512 5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13 httpd-2.4.46.tar.bz2 > # Locally computed > sha256 47b8c2b6c3309282a99d4a3001575c790fead690cc14734628c4667d2bbffc43 LICENSE > diff --git a/package/apache/apache.mk b/package/apache/apache.mk > index 068f36e325..203d637fbb 100644 > --- a/package/apache/apache.mk > +++ b/package/apache/apache.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -APACHE_VERSION = 2.4.43 > +APACHE_VERSION = 2.4.46 > APACHE_SOURCE = httpd-$(APACHE_VERSION).tar.bz2 > APACHE_SITE = http://archive.apache.org/dist/httpd > APACHE_LICENSE = Apache-2.0 > -- > 2.27.0 > > _______________________________________________ > buildroot mailing list > buildroot at busybox.net > http://lists.busybox.net/mailman/listinfo/buildroot -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------' ^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46 2020-08-07 19:26 ` Yann E. MORIN @ 2020-08-07 20:56 ` Peter Seiderer 2020-08-08 12:23 ` Yann E. MORIN 0 siblings, 1 reply; 7+ messages in thread From: Peter Seiderer @ 2020-08-07 20:56 UTC (permalink / raw) To: buildroot Hello Yann, *, On Fri, 7 Aug 2020 21:26:57 +0200, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote: > Bernd, All, > > On 2020-08-07 19:11 +0200, Bernd Kuhls spake thusly: > > Changelog: http://archive.apache.org/dist/httpd/CHANGES_2.4.46 > > > > Release notes: https://downloads.apache.org/httpd/Announcement2.4.html > > > > Fixes CVE-2020-9490, CVE-2020-11984 & CVE-2020-11993: > > https://httpd.apache.org/security/vulnerabilities_24.html > > > > Added all hashes provided by upstream. > > md5 and sha1 are broken nowadays, so adding them is not interesting at > all, when there are better hashes available, which is the case here. If this handling is the new rule, then it is time to update the docs stating 'If upstream provides more than one type of hash (e.g. sha1 and sha512), then it is best to add all those hashes in the .hash file.'? Regards, Peter > > So I've dropped md5 and sha1, and used a single comment to refer to both > upstream locations. > > Applied to master, thanks. > > > Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> > > --- > > package/apache/apache.hash | 10 ++++++++-- > > package/apache/apache.mk | 2 +- > > 2 files changed, 9 insertions(+), 3 deletions(-) > > > > diff --git a/package/apache/apache.hash b/package/apache/apache.hash > > index 7b0e4ad8e7..4fe457d701 100644 > > --- a/package/apache/apache.hash > > +++ b/package/apache/apache.hash > > @@ -1,4 +1,10 @@ > > -# From http://archive.apache.org/dist/httpd/httpd-2.4.43.tar.bz2.sha256 > > -sha256 a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43 httpd-2.4.43.tar.bz2 > > +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.md5 > > +md5 7d661ea5e736dac5e2761d9f49fe8361 httpd-2.4.46.tar.bz2 > > +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha1 > > +sha1 1b7cd10ff3a2a07a576d77e34f0204d95fa4aceb httpd-2.4.46.tar.bz2 > > +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha256 > > +sha256 740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea httpd-2.4.46.tar.bz2 > > +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.sha512 > > +sha512 5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13 httpd-2.4.46.tar.bz2 > > # Locally computed > > sha256 47b8c2b6c3309282a99d4a3001575c790fead690cc14734628c4667d2bbffc43 LICENSE > > diff --git a/package/apache/apache.mk b/package/apache/apache.mk > > index 068f36e325..203d637fbb 100644 > > --- a/package/apache/apache.mk > > +++ b/package/apache/apache.mk > > @@ -4,7 +4,7 @@ > > # > > ################################################################################ > > > > -APACHE_VERSION = 2.4.43 > > +APACHE_VERSION = 2.4.46 > > APACHE_SOURCE = httpd-$(APACHE_VERSION).tar.bz2 > > APACHE_SITE = http://archive.apache.org/dist/httpd > > APACHE_LICENSE = Apache-2.0 > > -- > > 2.27.0 > > > > _______________________________________________ > > buildroot mailing list > > buildroot at busybox.net > > http://lists.busybox.net/mailman/listinfo/buildroot > ^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46 2020-08-07 20:56 ` Peter Seiderer @ 2020-08-08 12:23 ` Yann E. MORIN 2020-08-08 21:12 ` Peter Korsgaard 0 siblings, 1 reply; 7+ messages in thread From: Yann E. MORIN @ 2020-08-08 12:23 UTC (permalink / raw) To: buildroot Peter, All, On 2020-08-07 22:56 +0200, Peter Seiderer spake thusly: > On Fri, 7 Aug 2020 21:26:57 +0200, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote: > > On 2020-08-07 19:11 +0200, Bernd Kuhls spake thusly: > > > Changelog: http://archive.apache.org/dist/httpd/CHANGES_2.4.46 > > > > > > Release notes: https://downloads.apache.org/httpd/Announcement2.4.html > > > > > > Fixes CVE-2020-9490, CVE-2020-11984 & CVE-2020-11993: > > > https://httpd.apache.org/security/vulnerabilities_24.html > > > > > > Added all hashes provided by upstream. > > > > md5 and sha1 are broken nowadays, so adding them is not interesting at > > all, when there are better hashes available, which is the case here. > > If this handling is the new rule, then it is time to update the docs > stating 'If upstream provides more than one type of hash (e.g. sha1 and sha512), > then it is best to add all those hashes in the .hash file.'? I wrote that more than 6 years ago now. ;-) Things have changed since then. The hashes are there to guarantee that the archives have not be tampered with, so that we know that: 1. there was no technical issue downloading the archive (e.g. partial download, proxy playing tricks, etc...), 2. upstream did not re-release the same version with a different content, so that we know our patches would or would not apply for example, 3. the source code has not been tampered with, so that no ill source code has been injected (either in-transit, or if upstream got compromised). md5 is broken, there is no point in using it. If that's the only thing upstream provides, we can carry it, but if upstream provides better hashes, md5 brings nothing to address the above, especially point 3. sha1 is not yet fully broken, but it is no longer trusted, and everyone is moving away from it. If upstream only provides sha1, we can carry it, but if upstream provides better hashes, then we should not _add_ sha1 (but we can continue to update an existing one we already carry). While sha1 is still OK-ish to address accidental tampering (point 1) or non-malicious modifications (point 2, and even then), it is now useless to address malicious tampering (point 3). This is the point of view hashes should be looked at from. In this case, upstream provides two strong hashes, sha256 and sha512; adding md5 is totally useless, while adding sha1 is borderline useless. For the records: - md5 [0] was introduced 1991, and the first security issues were identified in 1993, and the first collisions reported in 1996. - sha1 [1] was introduced in 1995, is considered weak since 2005 (15 years ago!), disallowed for signatures by NIST since 2013, and chosen-prefix attacks are a thing since this year. [0] https://en.wikipedia.org/wiki/MD5 [1] https://en.wikipedia.org/wiki/SHA-1 Regards, Yann E. MORIN. -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------' ^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46 2020-08-08 12:23 ` Yann E. MORIN @ 2020-08-08 21:12 ` Peter Korsgaard 2020-08-11 21:31 ` Peter Seiderer 0 siblings, 1 reply; 7+ messages in thread From: Peter Korsgaard @ 2020-08-08 21:12 UTC (permalink / raw) To: buildroot >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes: Hi, > The hashes are there to guarantee that the archives have not be tampered > with, so that we know that: > 1. there was no technical issue downloading the archive (e.g. partial > download, proxy playing tricks, etc...), > 2. upstream did not re-release the same version with a different > content, so that we know our patches would or would not apply for > example, > 3. the source code has not been tampered with, so that no ill source > code has been injected (either in-transit, or if upstream got > compromised). > md5 is broken, there is no point in using it. If that's the only thing > upstream provides, we can carry it, but if upstream provides better > hashes, md5 brings nothing to address the above, especially point 3. > sha1 is not yet fully broken, but it is no longer trusted, and everyone > is moving away from it. If upstream only provides sha1, we can carry it, > but if upstream provides better hashes, then we should not _add_ sha1 > (but we can continue to update an existing one we already carry). While > sha1 is still OK-ish to address accidental tampering (point 1) or > non-malicious modifications (point 2, and even then), it is now > useless to address malicious tampering (point 3). > This is the point of view hashes should be looked at from. > In this case, upstream provides two strong hashes, sha256 and sha512; > adding md5 is totally useless, while adding sha1 is borderline useless. > For the records: > - md5 [0] was introduced 1991, and the first security issues were > identified in 1993, and the first collisions reported in 1996. > - sha1 [1] was introduced in 1995, is considered weak since 2005 (15 > years ago!), disallowed for signatures by NIST since 2013, and > chosen-prefix attacks are a thing since this year. This is all true, but generating a single rogue file with BOTH a md5 and sha1 collision and still being a valid compressed tarball is extremely unlikely, so I have no issues with listing them (together with a manually calculated sha256) if upstream doesn't provide sha256 or better. If upstream does provide sha256 or better then there indeed isn't much point in adding the older hashes as well. -- Bye, Peter Korsgaard ^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46 2020-08-08 21:12 ` Peter Korsgaard @ 2020-08-11 21:31 ` Peter Seiderer 0 siblings, 0 replies; 7+ messages in thread From: Peter Seiderer @ 2020-08-11 21:31 UTC (permalink / raw) To: buildroot Hello Yann, Peter, On Sat, 08 Aug 2020 23:12:06 +0200, Peter Korsgaard <peter@korsgaard.com> wrote: > >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes: > > Hi, > > > The hashes are there to guarantee that the archives have not be tampered > > with, so that we know that: > > > 1. there was no technical issue downloading the archive (e.g. partial > > download, proxy playing tricks, etc...), > > > 2. upstream did not re-release the same version with a different > > content, so that we know our patches would or would not apply for > > example, > > > 3. the source code has not been tampered with, so that no ill source > > code has been injected (either in-transit, or if upstream got > > compromised). > > > md5 is broken, there is no point in using it. If that's the only thing > > upstream provides, we can carry it, but if upstream provides better > > hashes, md5 brings nothing to address the above, especially point 3. > > > sha1 is not yet fully broken, but it is no longer trusted, and everyone > > is moving away from it. If upstream only provides sha1, we can carry it, > > but if upstream provides better hashes, then we should not _add_ sha1 > > (but we can continue to update an existing one we already carry). While > > sha1 is still OK-ish to address accidental tampering (point 1) or > > non-malicious modifications (point 2, and even then), it is now > > useless to address malicious tampering (point 3). > > > This is the point of view hashes should be looked at from. > > > In this case, upstream provides two strong hashes, sha256 and sha512; > > adding md5 is totally useless, while adding sha1 is borderline useless. > > > For the records: > > > - md5 [0] was introduced 1991, and the first security issues were > > identified in 1993, and the first collisions reported in 1996. > > > - sha1 [1] was introduced in 1995, is considered weak since 2005 (15 > > years ago!), disallowed for signatures by NIST since 2013, and > > chosen-prefix attacks are a thing since this year. > > This is all true, but generating a single rogue file with BOTH a md5 and > sha1 collision and still being a valid compressed tarball is extremely > unlikely, so I have no issues with listing them (together with a > manually calculated sha256) if upstream doesn't provide sha256 or > better. > > If upstream does provide sha256 or better then there indeed isn't much > point in adding the older hashes as well. > Totally agree with the given arguments for omitting redundant hashes (and always wondered why the docs suggested otherwise)...., time to update the docs to reflect this? Regards, Peter ^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46 2020-08-07 17:11 [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46 Bernd Kuhls 2020-08-07 19:26 ` Yann E. MORIN @ 2020-08-28 15:04 ` Peter Korsgaard 1 sibling, 0 replies; 7+ messages in thread From: Peter Korsgaard @ 2020-08-28 15:04 UTC (permalink / raw) To: buildroot >>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes: > Changelog: http://archive.apache.org/dist/httpd/CHANGES_2.4.46 > Release notes: https://downloads.apache.org/httpd/Announcement2.4.html > Fixes CVE-2020-9490, CVE-2020-11984 & CVE-2020-11993: > https://httpd.apache.org/security/vulnerabilities_24.html > Added all hashes provided by upstream. > Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Committed to 2020.02.x and 2020.05.x, thanks. -- Bye, Peter Korsgaard ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2020-08-28 15:04 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-08-07 17:11 [Buildroot] [PATCH 1/1] package/apache: security bump version to 2.4.46 Bernd Kuhls 2020-08-07 19:26 ` Yann E. MORIN 2020-08-07 20:56 ` Peter Seiderer 2020-08-08 12:23 ` Yann E. MORIN 2020-08-08 21:12 ` Peter Korsgaard 2020-08-11 21:31 ` Peter Seiderer 2020-08-28 15:04 ` Peter Korsgaard
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox