* [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15
@ 2024-01-26 13:57 Peter Korsgaard
2024-01-27 20:23 ` Yann E. MORIN
0 siblings, 1 reply; 4+ messages in thread
From: Peter Korsgaard @ 2024-01-26 13:57 UTC (permalink / raw)
To: buildroot; +Cc: Eric Le Bihan
Fixes the following security issues:
CVE-2024-23770: Local Leak of Authentication Parameter in Process List
CVE-2024-23771: Basic Auth Timing Attack
https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html
Notice that CVE-2024-23770 is only documented as a known weakness, not
fixed.
Also change the license logic to use the dedicated COPYING file available
since 1.14:
https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd
This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/darkhttpd/darkhttpd.hash | 4 ++--
package/darkhttpd/darkhttpd.mk | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package/darkhttpd/darkhttpd.hash b/package/darkhttpd/darkhttpd.hash
index 188afff767..84a787eeba 100644
--- a/package/darkhttpd/darkhttpd.hash
+++ b/package/darkhttpd/darkhttpd.hash
@@ -1,3 +1,3 @@
# Locally generated
-sha256 e063de9efa5635260c8def00a4d41ec6145226a492d53fa1dac436967670d195 darkhttpd-1.14.tar.gz
-sha256 f002944c9a8516e3346002d39c3e13681306833358c0f3c7781dff1fdb639710 darkhttpd.c
+sha256 ea48cedafbf43186f4a8d1afc99b33b671adee99519658446022e6f63bd9eda9 darkhttpd-1.15.tar.gz
+sha256 1ecf63e8f84fd60ac7215e04195b9a61dcb47176ea65df26547582027f6c1dee COPYING
diff --git a/package/darkhttpd/darkhttpd.mk b/package/darkhttpd/darkhttpd.mk
index bda08899b8..e13f8f7770 100644
--- a/package/darkhttpd/darkhttpd.mk
+++ b/package/darkhttpd/darkhttpd.mk
@@ -4,10 +4,10 @@
#
################################################################################
-DARKHTTPD_VERSION = 1.14
+DARKHTTPD_VERSION = 1.15
DARKHTTPD_SITE = $(call github,emikulic,darkhttpd,v$(DARKHTTPD_VERSION))
-DARKHTTPD_LICENSE = MIT
-DARKHTTPD_LICENSE_FILES = darkhttpd.c
+DARKHTTPD_LICENSE = ISC
+DARKHTTPD_LICENSE_FILES = COPYING
DARKHTTPD_CPE_ID_VENDOR = darkhttpd_project
define DARKHTTPD_BUILD_CMDS
--
2.39.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15
2024-01-26 13:57 [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15 Peter Korsgaard
@ 2024-01-27 20:23 ` Yann E. MORIN
2024-01-28 7:56 ` Peter Korsgaard
0 siblings, 1 reply; 4+ messages in thread
From: Yann E. MORIN @ 2024-01-27 20:23 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: Eric Le Bihan, buildroot
Peter, All,
On 2024-01-26 14:57 +0100, Peter Korsgaard spake thusly:
> Fixes the following security issues:
>
> CVE-2024-23770: Local Leak of Authentication Parameter in Process List
>
> CVE-2024-23771: Basic Auth Timing Attack
>
> https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html
>
> Notice that CVE-2024-23770 is only documented as a known weakness, not
> fixed.
>
> Also change the license logic to use the dedicated COPYING file available
> since 1.14:
>
> https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd
>
> This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match.
This means the licensing stuff should be backported to the maintenance
branches, and should thus have been a separate patch prior to the
version bump.
But since this is a security fix, I guess you'll want to backport the
version bump too. And since the odlest stable, 2023.02, already had
darkhttpd 1.14, it is possibe to backport the version bump to all
maintenance branches.
Thus, I considered splitting, got slightly cat-distracted, and pushed
without splitting.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/darkhttpd/darkhttpd.hash | 4 ++--
> package/darkhttpd/darkhttpd.mk | 6 +++---
> 2 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/package/darkhttpd/darkhttpd.hash b/package/darkhttpd/darkhttpd.hash
> index 188afff767..84a787eeba 100644
> --- a/package/darkhttpd/darkhttpd.hash
> +++ b/package/darkhttpd/darkhttpd.hash
> @@ -1,3 +1,3 @@
> # Locally generated
> -sha256 e063de9efa5635260c8def00a4d41ec6145226a492d53fa1dac436967670d195 darkhttpd-1.14.tar.gz
> -sha256 f002944c9a8516e3346002d39c3e13681306833358c0f3c7781dff1fdb639710 darkhttpd.c
> +sha256 ea48cedafbf43186f4a8d1afc99b33b671adee99519658446022e6f63bd9eda9 darkhttpd-1.15.tar.gz
> +sha256 1ecf63e8f84fd60ac7215e04195b9a61dcb47176ea65df26547582027f6c1dee COPYING
> diff --git a/package/darkhttpd/darkhttpd.mk b/package/darkhttpd/darkhttpd.mk
> index bda08899b8..e13f8f7770 100644
> --- a/package/darkhttpd/darkhttpd.mk
> +++ b/package/darkhttpd/darkhttpd.mk
> @@ -4,10 +4,10 @@
> #
> ################################################################################
>
> -DARKHTTPD_VERSION = 1.14
> +DARKHTTPD_VERSION = 1.15
> DARKHTTPD_SITE = $(call github,emikulic,darkhttpd,v$(DARKHTTPD_VERSION))
> -DARKHTTPD_LICENSE = MIT
> -DARKHTTPD_LICENSE_FILES = darkhttpd.c
> +DARKHTTPD_LICENSE = ISC
> +DARKHTTPD_LICENSE_FILES = COPYING
> DARKHTTPD_CPE_ID_VENDOR = darkhttpd_project
>
> define DARKHTTPD_BUILD_CMDS
> --
> 2.39.2
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15
2024-01-27 20:23 ` Yann E. MORIN
@ 2024-01-28 7:56 ` Peter Korsgaard
2024-02-28 16:43 ` Peter Korsgaard
0 siblings, 1 reply; 4+ messages in thread
From: Peter Korsgaard @ 2024-01-28 7:56 UTC (permalink / raw)
To: Yann E. MORIN; +Cc: Eric Le Bihan, buildroot
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
> Peter, All,
> On 2024-01-26 14:57 +0100, Peter Korsgaard spake thusly:
>> Fixes the following security issues:
>>
>> CVE-2024-23770: Local Leak of Authentication Parameter in Process List
>>
>> CVE-2024-23771: Basic Auth Timing Attack
>>
>> https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html
>>
>> Notice that CVE-2024-23770 is only documented as a known weakness, not
>> fixed.
>>
>> Also change the license logic to use the dedicated COPYING file available
>> since 1.14:
>>
>> https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd
>>
>> This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match.
> This means the licensing stuff should be backported to the maintenance
> branches, and should thus have been a separate patch prior to the
> version bump.
> But since this is a security fix, I guess you'll want to backport the
> version bump too. And since the odlest stable, 2023.02, already had
> darkhttpd 1.14, it is possibe to backport the version bump to all
> maintenance branches.
> Thus, I considered splitting, got slightly cat-distracted, and pushed
> without splitting.
Hehe ;) That was indeed also the reason why I didn't do the effort to
split it in multiple patches.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15
2024-01-28 7:56 ` Peter Korsgaard
@ 2024-02-28 16:43 ` Peter Korsgaard
0 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2024-02-28 16:43 UTC (permalink / raw)
To: Yann E. MORIN; +Cc: Eric Le Bihan, buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
>> Peter, All,
>> On 2024-01-26 14:57 +0100, Peter Korsgaard spake thusly:
>>> Fixes the following security issues:
>>>
>>> CVE-2024-23770: Local Leak of Authentication Parameter in Process List
>>>
>>> CVE-2024-23771: Basic Auth Timing Attack
>>>
>>> https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html
>>>
>>> Notice that CVE-2024-23770 is only documented as a known weakness, not
>>> fixed.
>>>
>>> Also change the license logic to use the dedicated COPYING file available
>>> since 1.14:
>>>
>>> https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd
>>>
>>> This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match.
>> This means the licensing stuff should be backported to the maintenance
>> branches, and should thus have been a separate patch prior to the
>> version bump.
>> But since this is a security fix, I guess you'll want to backport the
>> version bump too. And since the odlest stable, 2023.02, already had
>> darkhttpd 1.14, it is possibe to backport the version bump to all
>> maintenance branches.
>> Thus, I considered splitting, got slightly cat-distracted, and pushed
>> without splitting.
> Hehe ;) That was indeed also the reason why I didn't do the effort to
> split it in multiple patches.
Committed to 2023.02.x and 2023.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-02-28 16:43 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-01-26 13:57 [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15 Peter Korsgaard
2024-01-27 20:23 ` Yann E. MORIN
2024-01-28 7:56 ` Peter Korsgaard
2024-02-28 16:43 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox