Re: [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15

From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: Eric Le Bihan <eric.le.bihan.dev@free.fr>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/darkhttpd: security bump to version 1.15
Date: Sat, 27 Jan 2024 21:23:43 +0100	[thread overview]
Message-ID: <ZbVmT0V0pDW6IegC@landeda> (raw)
In-Reply-To: <20240126135747.2407552-1-peter@korsgaard.com>

Peter, All,

On 2024-01-26 14:57 +0100, Peter Korsgaard spake thusly:
> Fixes the following security issues:
> 
> CVE-2024-23770: Local Leak of Authentication Parameter in Process List
> 
> CVE-2024-23771: Basic Auth Timing Attack
> 
> https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html
> 
> Notice that CVE-2024-23770 is only documented as a known weakness, not
> fixed.
> 
> Also change the license logic to use the dedicated COPYING file available
> since 1.14:
> 
> https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd
> 
> This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match.

This means the licensing stuff should be backported to the maintenance
branches, and should thus have been a separate patch prior to the
version bump.

But since this is a security fix, I guess you'll want to backport the
version bump too. And since the odlest stable, 2023.02, already had
darkhttpd 1.14, it is possibe to backport the version bump to all
maintenance branches.

Thus, I considered splitting, got slightly cat-distracted, and pushed
without splitting.

> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/darkhttpd/darkhttpd.hash | 4 ++--
>  package/darkhttpd/darkhttpd.mk   | 6 +++---
>  2 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/package/darkhttpd/darkhttpd.hash b/package/darkhttpd/darkhttpd.hash
> index 188afff767..84a787eeba 100644
> --- a/package/darkhttpd/darkhttpd.hash
> +++ b/package/darkhttpd/darkhttpd.hash
> @@ -1,3 +1,3 @@
>  # Locally generated
> -sha256  e063de9efa5635260c8def00a4d41ec6145226a492d53fa1dac436967670d195  darkhttpd-1.14.tar.gz
> -sha256  f002944c9a8516e3346002d39c3e13681306833358c0f3c7781dff1fdb639710  darkhttpd.c
> +sha256  ea48cedafbf43186f4a8d1afc99b33b671adee99519658446022e6f63bd9eda9  darkhttpd-1.15.tar.gz
> +sha256  1ecf63e8f84fd60ac7215e04195b9a61dcb47176ea65df26547582027f6c1dee  COPYING
> diff --git a/package/darkhttpd/darkhttpd.mk b/package/darkhttpd/darkhttpd.mk
> index bda08899b8..e13f8f7770 100644
> --- a/package/darkhttpd/darkhttpd.mk
> +++ b/package/darkhttpd/darkhttpd.mk
> @@ -4,10 +4,10 @@
>  #
>  ################################################################################
>  
> -DARKHTTPD_VERSION = 1.14
> +DARKHTTPD_VERSION = 1.15
>  DARKHTTPD_SITE = $(call github,emikulic,darkhttpd,v$(DARKHTTPD_VERSION))
> -DARKHTTPD_LICENSE = MIT
> -DARKHTTPD_LICENSE_FILES = darkhttpd.c
> +DARKHTTPD_LICENSE = ISC
> +DARKHTTPD_LICENSE_FILES = COPYING
>  DARKHTTPD_CPE_ID_VENDOR = darkhttpd_project
>  
>  define DARKHTTPD_BUILD_CMDS
> -- 
> 2.39.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot