[PATCH 0/1] uprev serf: 1.3.6 -> 1.3.8

[PATCH 0/1] uprev serf: 1.3.6 -> 1.3.8

[wenzong.fan]

From: Wenzong Fan <wenzong.fan@windriver.com>

Release changes:

Serf 1.3.8 [2014-10-20, from /tags/1.3.8, rxxxx]
  Fix issue #152: CRC calculation error for gzipped http reponses > 4GB.
  Fix issue #153: SSPI CredHandle not freed when APR pool is destroyed.
  Fix issue #154: Disable SSLv2 and SSLv3 as both or broken.

Serf 1.3.7 [2014-08-11, from /tags/1.3.7, r2411]
  Handle NUL bytes in fields of an X.509 certificate. (r2393, r2399)

The following changes since commit edaeb8940813b620090a0797ad3b6a076897512d:

  bitbake: cooker.py: fix loginfo op being set to an invalid value (2014-11-12 17:04:50 +0000)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib wenzong/serf
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/serf

Wenzong Fan (1):
  serf: 1.3.6 -> 1.3.8

 .../serf/{serf_1.3.6.bb => serf_1.3.8.bb}          |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-support/serf/{serf_1.3.6.bb => serf_1.3.8.bb} (74%)

-- 
1.7.9.5

[PATCH 1/1] serf: 1.3.6 -> 1.3.8

[wenzong.fan]

From: Wenzong Fan <wenzong.fan@windriver.com>

Release changes:

Serf 1.3.8 [2014-10-20, from /tags/1.3.8, rxxxx]
  Fix issue #152: CRC calculation error for gzipped http reponses > 4GB.
  Fix issue #153: SSPI CredHandle not freed when APR pool is destroyed.
  Fix issue #154: Disable SSLv2 and SSLv3 as both or broken.

Serf 1.3.7 [2014-08-11, from /tags/1.3.7, r2411]
  Handle NUL bytes in fields of an X.509 certificate. (r2393, r2399)

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
 .../serf/{serf_1.3.6.bb => serf_1.3.8.bb}          |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-support/serf/{serf_1.3.6.bb => serf_1.3.8.bb} (74%)

diff --git a/meta/recipes-support/serf/serf_1.3.6.bb b/meta/recipes-support/serf/serf_1.3.8.bb
similarity index 74%
rename from meta/recipes-support/serf/serf_1.3.6.bb
rename to meta/recipes-support/serf/serf_1.3.8.bb
index 08b04d3..10db122 100644
--- a/meta/recipes-support/serf/serf_1.3.6.bb
+++ b/meta/recipes-support/serf/serf_1.3.8.bb
@@ -1,8 +1,8 @@
 
-SRC_URI = "http://serf.googlecode.com/svn/src_releases/serf-1.3.6.tar.bz2 \
+SRC_URI = "http://serf.googlecode.com/svn/src_releases/serf-${PV}.tar.bz2 \
            file://norpath.patch"
-SRC_URI[md5sum] = "7fe38fa6eab078e0beabf291d8e4995d"
-SRC_URI[sha256sum] = "ca637beb0399797d4fc7ffa85e801733cd9c876997fac4a4fd12e9afe86563f2"
+SRC_URI[md5sum] = "2e4efe57ff28cb3202a112e90f0c2889"
+SRC_URI[sha256sum] = "e0500be065dbbce490449837bb2ab624e46d64fc0b090474d9acaa87c82b2590"
 
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
-- 
1.7.9.5

Re: [PATCH 1/1] serf: 1.3.6 -> 1.3.8

[akuster]

Since Dizzy would need the security fix in serf 1.3.7, would  I backport 
1.3.8 to Dizzy from master or do we need a separate 1.3.7 update for Dizzy?

- Armin


On 11/17/2014 12:38 AM, wenzong.fan@windriver.com wrote:
> From: Wenzong Fan <wenzong.fan@windriver.com>
>
> Release changes:
>
> Serf 1.3.8 [2014-10-20, from /tags/1.3.8, rxxxx]
>    Fix issue #152: CRC calculation error for gzipped http reponses > 4GB.
>    Fix issue #153: SSPI CredHandle not freed when APR pool is destroyed.
>    Fix issue #154: Disable SSLv2 and SSLv3 as both or broken.
>
> Serf 1.3.7 [2014-08-11, from /tags/1.3.7, r2411]
>    Handle NUL bytes in fields of an X.509 certificate. (r2393, r2399)
>
> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> ---
>   .../serf/{serf_1.3.6.bb => serf_1.3.8.bb}          |    6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
>   rename meta/recipes-support/serf/{serf_1.3.6.bb => serf_1.3.8.bb} (74%)
>
> diff --git a/meta/recipes-support/serf/serf_1.3.6.bb b/meta/recipes-support/serf/serf_1.3.8.bb
> similarity index 74%
> rename from meta/recipes-support/serf/serf_1.3.6.bb
> rename to meta/recipes-support/serf/serf_1.3.8.bb
> index 08b04d3..10db122 100644
> --- a/meta/recipes-support/serf/serf_1.3.6.bb
> +++ b/meta/recipes-support/serf/serf_1.3.8.bb
> @@ -1,8 +1,8 @@
>
> -SRC_URI = "http://serf.googlecode.com/svn/src_releases/serf-1.3.6.tar.bz2 \
> +SRC_URI = "http://serf.googlecode.com/svn/src_releases/serf-${PV}.tar.bz2 \
>              file://norpath.patch"
> -SRC_URI[md5sum] = "7fe38fa6eab078e0beabf291d8e4995d"
> -SRC_URI[sha256sum] = "ca637beb0399797d4fc7ffa85e801733cd9c876997fac4a4fd12e9afe86563f2"
> +SRC_URI[md5sum] = "2e4efe57ff28cb3202a112e90f0c2889"
> +SRC_URI[sha256sum] = "e0500be065dbbce490449837bb2ab624e46d64fc0b090474d9acaa87c82b2590"
>
>   LICENSE = "Apache-2.0"
>   LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
>

Re: [PATCH 1/1] serf: 1.3.6 -> 1.3.8

[Mark Hatle]

On 11/17/14, 9:43 AM, akuster wrote:
> Since Dizzy would need the security fix in serf 1.3.7, would  I backport
> 1.3.8 to Dizzy from master or do we need a separate 1.3.7 update for Dizzy?

Unless there is no way to backport, usual process is a separate 1.3.7 update for 
Dizzy.

--Mark

> - Armin
>
>
> On 11/17/2014 12:38 AM, wenzong.fan@windriver.com wrote:
>> From: Wenzong Fan <wenzong.fan@windriver.com>
>>
>> Release changes:
>>
>> Serf 1.3.8 [2014-10-20, from /tags/1.3.8, rxxxx]
>>     Fix issue #152: CRC calculation error for gzipped http reponses > 4GB.
>>     Fix issue #153: SSPI CredHandle not freed when APR pool is destroyed.
>>     Fix issue #154: Disable SSLv2 and SSLv3 as both or broken.
>>
>> Serf 1.3.7 [2014-08-11, from /tags/1.3.7, r2411]
>>     Handle NUL bytes in fields of an X.509 certificate. (r2393, r2399)
>>
>> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>> ---
>>    .../serf/{serf_1.3.6.bb => serf_1.3.8.bb}          |    6 +++---
>>    1 file changed, 3 insertions(+), 3 deletions(-)
>>    rename meta/recipes-support/serf/{serf_1.3.6.bb => serf_1.3.8.bb} (74%)
>>
>> diff --git a/meta/recipes-support/serf/serf_1.3.6.bb b/meta/recipes-support/serf/serf_1.3.8.bb
>> similarity index 74%
>> rename from meta/recipes-support/serf/serf_1.3.6.bb
>> rename to meta/recipes-support/serf/serf_1.3.8.bb
>> index 08b04d3..10db122 100644
>> --- a/meta/recipes-support/serf/serf_1.3.6.bb
>> +++ b/meta/recipes-support/serf/serf_1.3.8.bb
>> @@ -1,8 +1,8 @@
>>
>> -SRC_URI = "http://serf.googlecode.com/svn/src_releases/serf-1.3.6.tar.bz2 \
>> +SRC_URI = "http://serf.googlecode.com/svn/src_releases/serf-${PV}.tar.bz2 \
>>               file://norpath.patch"
>> -SRC_URI[md5sum] = "7fe38fa6eab078e0beabf291d8e4995d"
>> -SRC_URI[sha256sum] = "ca637beb0399797d4fc7ffa85e801733cd9c876997fac4a4fd12e9afe86563f2"
>> +SRC_URI[md5sum] = "2e4efe57ff28cb3202a112e90f0c2889"
>> +SRC_URI[sha256sum] = "e0500be065dbbce490449837bb2ab624e46d64fc0b090474d9acaa87c82b2590"
>>
>>    LICENSE = "Apache-2.0"
>>    LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
>>

Re: [PATCH 0/1] uprev serf: 1.3.6 -> 1.3.8

[akuster]

Please add to the 1.3.7 the security fix

- CVE-2014-3504: (Closes: #757965)

On 11/17/2014 12:38 AM, wenzong.fan@windriver.com wrote:
> From: Wenzong Fan <wenzong.fan@windriver.com>
>
> Release changes:
>
> Serf 1.3.8 [2014-10-20, from /tags/1.3.8, rxxxx]
>    Fix issue #152: CRC calculation error for gzipped http reponses > 4GB.
>    Fix issue #153: SSPI CredHandle not freed when APR pool is destroyed.
>    Fix issue #154: Disable SSLv2 and SSLv3 as both or broken.
>
> Serf 1.3.7 [2014-08-11, from /tags/1.3.7, r2411]
>    Handle NUL bytes in fields of an X.509 certificate. (r2393, r2399)
>
> The following changes since commit edaeb8940813b620090a0797ad3b6a076897512d:
>
>    bitbake: cooker.py: fix loginfo op being set to an invalid value (2014-11-12 17:04:50 +0000)
>
> are available in the git repository at:
>
>    git://git.pokylinux.org/poky-contrib wenzong/serf
>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/serf
>
> Wenzong Fan (1):
>    serf: 1.3.6 -> 1.3.8
>
>   .../serf/{serf_1.3.6.bb => serf_1.3.8.bb}          |    6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
>   rename meta/recipes-support/serf/{serf_1.3.6.bb => serf_1.3.8.bb} (74%)
>

Re: [PATCH 0/1] uprev serf: 1.3.6 -> 1.3.8

[wenzong fan]

On 11/17/2014 11:35 PM, akuster wrote:
> Please add to the 1.3.7 the security fix
>
> - CVE-2014-3504: (Closes: #757965)

Ok, I have added this comment and updated the contrib branch.

Thanks
Wenzong

>
> On 11/17/2014 12:38 AM, wenzong.fan@windriver.com wrote:
>> From: Wenzong Fan <wenzong.fan@windriver.com>
>>
>> Release changes:
>>
>> Serf 1.3.8 [2014-10-20, from /tags/1.3.8, rxxxx]
>>    Fix issue #152: CRC calculation error for gzipped http reponses > 4GB.
>>    Fix issue #153: SSPI CredHandle not freed when APR pool is destroyed.
>>    Fix issue #154: Disable SSLv2 and SSLv3 as both or broken.
>>
>> Serf 1.3.7 [2014-08-11, from /tags/1.3.7, r2411]
>>    Handle NUL bytes in fields of an X.509 certificate. (r2393, r2399)
>>
>> The following changes since commit
>> edaeb8940813b620090a0797ad3b6a076897512d:
>>
>>    bitbake: cooker.py: fix loginfo op being set to an invalid value
>> (2014-11-12 17:04:50 +0000)
>>
>> are available in the git repository at:
>>
>>    git://git.pokylinux.org/poky-contrib wenzong/serf
>>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/serf
>>
>> Wenzong Fan (1):
>>    serf: 1.3.6 -> 1.3.8
>>
>>   .../serf/{serf_1.3.6.bb => serf_1.3.8.bb}          |    6 +++---
>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>   rename meta/recipes-support/serf/{serf_1.3.6.bb => serf_1.3.8.bb} (74%)
>>
>

Re: [PATCH 0/1] uprev serf: 1.3.6 -> 1.3.8

[wenzong fan]

As https://subversion.apache.org/security/CVE-2014-3522-advisory.txt 
mentioned:

   We recommend all users to upgrade to Subversion 1.8.10.  Users of
   Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
   included patch.  We also recommend that all users upgrade to Serf 1.3.7
   or newer to resolve CVE-2014-3504.

The subversion has been 1.8.10 on master and we only need to uprev serf now.

Akuster,

I wonder how would you like to process this on Dizzy?

Uprev subversion or just apply related CVE fixes, I did think the serf 
should be uprev-ed.

Thanks
Wenzong

On 11/17/2014 11:35 PM, akuster wrote:
> Please add to the 1.3.7 the security fix
>
> - CVE-2014-3504: (Closes: #757965)
>
> On 11/17/2014 12:38 AM, wenzong.fan@windriver.com wrote:
>> From: Wenzong Fan <wenzong.fan@windriver.com>
>>
>> Release changes:
>>
>> Serf 1.3.8 [2014-10-20, from /tags/1.3.8, rxxxx]
>>    Fix issue #152: CRC calculation error for gzipped http reponses > 4GB.
>>    Fix issue #153: SSPI CredHandle not freed when APR pool is destroyed.
>>    Fix issue #154: Disable SSLv2 and SSLv3 as both or broken.
>>
>> Serf 1.3.7 [2014-08-11, from /tags/1.3.7, r2411]
>>    Handle NUL bytes in fields of an X.509 certificate. (r2393, r2399)
>>
>> The following changes since commit
>> edaeb8940813b620090a0797ad3b6a076897512d:
>>
>>    bitbake: cooker.py: fix loginfo op being set to an invalid value
>> (2014-11-12 17:04:50 +0000)
>>
>> are available in the git repository at:
>>
>>    git://git.pokylinux.org/poky-contrib wenzong/serf
>>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/serf
>>
>> Wenzong Fan (1):
>>    serf: 1.3.6 -> 1.3.8
>>
>>   .../serf/{serf_1.3.6.bb => serf_1.3.8.bb}          |    6 +++---
>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>   rename meta/recipes-support/serf/{serf_1.3.6.bb => serf_1.3.8.bb} (74%)
>>
>