* [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15 @ 2024-01-26 13:57 Peter Korsgaard 2024-01-27 20:23 ` Yann E. MORIN 0 siblings, 1 reply; 4+ messages in thread From: Peter Korsgaard @ 2024-01-26 13:57 UTC (permalink / raw) To: buildroot; +Cc: Eric Le Bihan Fixes the following security issues: CVE-2024-23770: Local Leak of Authentication Parameter in Process List CVE-2024-23771: Basic Auth Timing Attack https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html Notice that CVE-2024-23770 is only documented as a known weakness, not fixed. Also change the license logic to use the dedicated COPYING file available since 1.14: https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/darkhttpd/darkhttpd.hash | 4 ++-- package/darkhttpd/darkhttpd.mk | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package/darkhttpd/darkhttpd.hash b/package/darkhttpd/darkhttpd.hash index 188afff767..84a787eeba 100644 --- a/package/darkhttpd/darkhttpd.hash +++ b/package/darkhttpd/darkhttpd.hash @@ -1,3 +1,3 @@ # Locally generated -sha256 e063de9efa5635260c8def00a4d41ec6145226a492d53fa1dac436967670d195 darkhttpd-1.14.tar.gz -sha256 f002944c9a8516e3346002d39c3e13681306833358c0f3c7781dff1fdb639710 darkhttpd.c +sha256 ea48cedafbf43186f4a8d1afc99b33b671adee99519658446022e6f63bd9eda9 darkhttpd-1.15.tar.gz +sha256 1ecf63e8f84fd60ac7215e04195b9a61dcb47176ea65df26547582027f6c1dee COPYING diff --git a/package/darkhttpd/darkhttpd.mk b/package/darkhttpd/darkhttpd.mk index bda08899b8..e13f8f7770 100644 --- a/package/darkhttpd/darkhttpd.mk +++ b/package/darkhttpd/darkhttpd.mk @@ -4,10 +4,10 @@ # ################################################################################ -DARKHTTPD_VERSION = 1.14 +DARKHTTPD_VERSION = 1.15 DARKHTTPD_SITE = $(call github,emikulic,darkhttpd,v$(DARKHTTPD_VERSION)) -DARKHTTPD_LICENSE = MIT -DARKHTTPD_LICENSE_FILES = darkhttpd.c +DARKHTTPD_LICENSE = ISC +DARKHTTPD_LICENSE_FILES = COPYING DARKHTTPD_CPE_ID_VENDOR = darkhttpd_project define DARKHTTPD_BUILD_CMDS -- 2.39.2 _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15 2024-01-26 13:57 [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15 Peter Korsgaard @ 2024-01-27 20:23 ` Yann E. MORIN 2024-01-28 7:56 ` Peter Korsgaard 0 siblings, 1 reply; 4+ messages in thread From: Yann E. MORIN @ 2024-01-27 20:23 UTC (permalink / raw) To: Peter Korsgaard; +Cc: Eric Le Bihan, buildroot Peter, All, On 2024-01-26 14:57 +0100, Peter Korsgaard spake thusly: > Fixes the following security issues: > > CVE-2024-23770: Local Leak of Authentication Parameter in Process List > > CVE-2024-23771: Basic Auth Timing Attack > > https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html > > Notice that CVE-2024-23770 is only documented as a known weakness, not > fixed. > > Also change the license logic to use the dedicated COPYING file available > since 1.14: > > https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd > > This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match. This means the licensing stuff should be backported to the maintenance branches, and should thus have been a separate patch prior to the version bump. But since this is a security fix, I guess you'll want to backport the version bump too. And since the odlest stable, 2023.02, already had darkhttpd 1.14, it is possibe to backport the version bump to all maintenance branches. Thus, I considered splitting, got slightly cat-distracted, and pushed without splitting. > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Applied to master, thanks. Regards, Yann E. MORIN. > --- > package/darkhttpd/darkhttpd.hash | 4 ++-- > package/darkhttpd/darkhttpd.mk | 6 +++--- > 2 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/package/darkhttpd/darkhttpd.hash b/package/darkhttpd/darkhttpd.hash > index 188afff767..84a787eeba 100644 > --- a/package/darkhttpd/darkhttpd.hash > +++ b/package/darkhttpd/darkhttpd.hash > @@ -1,3 +1,3 @@ > # Locally generated > -sha256 e063de9efa5635260c8def00a4d41ec6145226a492d53fa1dac436967670d195 darkhttpd-1.14.tar.gz > -sha256 f002944c9a8516e3346002d39c3e13681306833358c0f3c7781dff1fdb639710 darkhttpd.c > +sha256 ea48cedafbf43186f4a8d1afc99b33b671adee99519658446022e6f63bd9eda9 darkhttpd-1.15.tar.gz > +sha256 1ecf63e8f84fd60ac7215e04195b9a61dcb47176ea65df26547582027f6c1dee COPYING > diff --git a/package/darkhttpd/darkhttpd.mk b/package/darkhttpd/darkhttpd.mk > index bda08899b8..e13f8f7770 100644 > --- a/package/darkhttpd/darkhttpd.mk > +++ b/package/darkhttpd/darkhttpd.mk > @@ -4,10 +4,10 @@ > # > ################################################################################ > > -DARKHTTPD_VERSION = 1.14 > +DARKHTTPD_VERSION = 1.15 > DARKHTTPD_SITE = $(call github,emikulic,darkhttpd,v$(DARKHTTPD_VERSION)) > -DARKHTTPD_LICENSE = MIT > -DARKHTTPD_LICENSE_FILES = darkhttpd.c > +DARKHTTPD_LICENSE = ISC > +DARKHTTPD_LICENSE_FILES = COPYING > DARKHTTPD_CPE_ID_VENDOR = darkhttpd_project > > define DARKHTTPD_BUILD_CMDS > -- > 2.39.2 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------' _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15 2024-01-27 20:23 ` Yann E. MORIN @ 2024-01-28 7:56 ` Peter Korsgaard 2024-02-28 16:43 ` Peter Korsgaard 0 siblings, 1 reply; 4+ messages in thread From: Peter Korsgaard @ 2024-01-28 7:56 UTC (permalink / raw) To: Yann E. MORIN; +Cc: Eric Le Bihan, buildroot >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes: > Peter, All, > On 2024-01-26 14:57 +0100, Peter Korsgaard spake thusly: >> Fixes the following security issues: >> >> CVE-2024-23770: Local Leak of Authentication Parameter in Process List >> >> CVE-2024-23771: Basic Auth Timing Attack >> >> https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html >> >> Notice that CVE-2024-23770 is only documented as a known weakness, not >> fixed. >> >> Also change the license logic to use the dedicated COPYING file available >> since 1.14: >> >> https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd >> >> This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match. > This means the licensing stuff should be backported to the maintenance > branches, and should thus have been a separate patch prior to the > version bump. > But since this is a security fix, I guess you'll want to backport the > version bump too. And since the odlest stable, 2023.02, already had > darkhttpd 1.14, it is possibe to backport the version bump to all > maintenance branches. > Thus, I considered splitting, got slightly cat-distracted, and pushed > without splitting. Hehe ;) That was indeed also the reason why I didn't do the effort to split it in multiple patches. -- Bye, Peter Korsgaard _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15 2024-01-28 7:56 ` Peter Korsgaard @ 2024-02-28 16:43 ` Peter Korsgaard 0 siblings, 0 replies; 4+ messages in thread From: Peter Korsgaard @ 2024-02-28 16:43 UTC (permalink / raw) To: Yann E. MORIN; +Cc: Eric Le Bihan, buildroot >>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes: >> Peter, All, >> On 2024-01-26 14:57 +0100, Peter Korsgaard spake thusly: >>> Fixes the following security issues: >>> >>> CVE-2024-23770: Local Leak of Authentication Parameter in Process List >>> >>> CVE-2024-23771: Basic Auth Timing Attack >>> >>> https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html >>> >>> Notice that CVE-2024-23770 is only documented as a known weakness, not >>> fixed. >>> >>> Also change the license logic to use the dedicated COPYING file available >>> since 1.14: >>> >>> https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd >>> >>> This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match. >> This means the licensing stuff should be backported to the maintenance >> branches, and should thus have been a separate patch prior to the >> version bump. >> But since this is a security fix, I guess you'll want to backport the >> version bump too. And since the odlest stable, 2023.02, already had >> darkhttpd 1.14, it is possibe to backport the version bump to all >> maintenance branches. >> Thus, I considered splitting, got slightly cat-distracted, and pushed >> without splitting. > Hehe ;) That was indeed also the reason why I didn't do the effort to > split it in multiple patches. Committed to 2023.02.x and 2023.11.x, thanks. -- Bye, Peter Korsgaard _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-02-28 16:43 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-01-26 13:57 [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15 Peter Korsgaard 2024-01-27 20:23 ` Yann E. MORIN 2024-01-28 7:56 ` Peter Korsgaard 2024-02-28 16:43 ` Peter Korsgaard
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox