apache: upgrade to 2.4.16

2.4.16 includes fixes for CVE-2015-3185, CVE-2015-0253 and CVE-2015-3183 remove a backport patch 0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Roy Li <rongqing.li@windriver.com> 2015-08-07 14:07:49 +0800
committer: Martin Jansa <Martin.Jansa@gmail.com> 2015-08-24 13:54:02 +0200
commit: fe0833e87e853024c9162fae17cbaf2fbfc6a53f (patch)
tree: 7d635c56d8c0e16c0c2da46943f9f56692107eef /meta-webserver
parent: ae8dc15ef65396cb37df124ec9fb0e3e7a5caf39 (diff)
download: meta-openembedded-fe0833e87e853024c9162fae17cbaf2fbfc6a53f.tar.gz
3 files changed, 4 insertions, 63 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.12.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.16.bb
index 1704bd927..59109dd1c 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.12.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.16.bb
@@ -15,8 +15,8 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
 S = "${WORKDIR}/httpd-${PV}"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
-SRC_URI[md5sum] = "b8dc8367a57a8d548a9b4ce16d264a13"
+SRC_URI[md5sum] = "2b19cd338fd526dd5a63c57b1e9bfee2"
-SRC_URI[sha256sum] = "ad6d39edfe4621d8cc9a2791f6f8d6876943a9da41ac8533d77407a2e630eae4"
+SRC_URI[sha256sum] = "ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743"
 EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
                --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch b/meta-webserver/recipes-httpd/apache2/apache2/0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch
deleted file mode 100644
index 264fde710..000000000
--- a/meta-webserver/recipes-httpd/apache2/apache2/0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef Mon Sep 17 00:00:00 2001
-From: Eric Covener <covener@apache.org>
-Date: Wed, 4 Feb 2015 14:44:23 +0000
-Subject: [PATCH]   *) SECURITY: CVE-2015-0228 (cve.mitre.org)      mod_lua: A
- maliciously crafted websockets PING after a script      calls r:wsupgrade()
- can cause a child process crash.      [Edward Lu <Chaosed0 gmail.com>]
-Upstream-Status: BackPort
-Discovered by Guido Vranken <guidovranken gmail.com>
-Submitted by: Edward Lu
-Committed by: covener
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
- modules/lua/lua_request.c | 6 +++++-
- 2 files changed, 10 insertions(+), 1 deletion(-)
-diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
-index dded599..1200c55 100644
--- a/modules/lua/lua_request.c
-+++ b/modules/lua/lua_request.c
-@@ -2227,6 +2227,7 @@ static int lua_websocket_read(lua_State *L)
- {
-     apr_socket_t *sock;
-     apr_status_t rv;
-+    int do_read = 1;
-     int n = 0;
-     apr_size_t len = 1;
-     apr_size_t plen = 0;
-@@ -2244,6 +2245,8 @@ static int lua_websocket_read(lua_State *L)
-     mask_bytes = apr_pcalloc(r->pool, 4);
-     sock = ap_get_conn_socket(r->connection);
- 
-+    while (do_read) { 
-+    do_read = 0;
-     /* Get opcode and FIN bit */
-     if (plaintext) {
-         rv = apr_socket_recv(sock, &byte, &len);
-@@ -2377,10 +2380,11 @@ static int lua_websocket_read(lua_State *L)
-                 frame[0] = 0x8A;
-                 frame[1] = 0;
-                 apr_socket_send(sock, frame, &plen); /* Pong! */
-                lua_websocket_read(L); /* read the next frame instead */
-+                do_read = 1;
-             }
-         }
-     }
-+    }
-     return 0;
- }
- 
-- 
-1.9.1
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.12.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.16.bb
index 7306e8826..a44babdc6 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.12.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.16.bb
@@ -21,12 +21,11 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
           file://init \
           file://apache2-volatile.conf \
           file://apache2.service \
-           file://0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch \
          "
 LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
-SRC_URI[md5sum] = "b8dc8367a57a8d548a9b4ce16d264a13"
+SRC_URI[md5sum] = "2b19cd338fd526dd5a63c57b1e9bfee2"
-SRC_URI[sha256sum] = "ad6d39edfe4621d8cc9a2791f6f8d6876943a9da41ac8533d77407a2e630eae4"
+SRC_URI[sha256sum] = "ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743"
 S = "${WORKDIR}/httpd-${PV}"
author	Roy Li <rongqing.li@windriver.com>	2015-08-07 14:07:49 +0800
committer	Martin Jansa <Martin.Jansa@gmail.com>	2015-08-24 13:54:02 +0200
commit	fe0833e87e853024c9162fae17cbaf2fbfc6a53f (patch)
tree	7d635c56d8c0e16c0c2da46943f9f56692107eef /meta-webserver
parent	ae8dc15ef65396cb37df124ec9fb0e3e7a5caf39 (diff)
download	meta-openembedded-fe0833e87e853024c9162fae17cbaf2fbfc6a53f.tar.gz

diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.12.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.16.bb index 1704bd927..59109dd1c 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.12.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.16.bb
@@ -15,8 +15,8 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
15	S = "${WORKDIR}/httpd-${PV}"	15	S = "${WORKDIR}/httpd-${PV}"
16		16
17	LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"	17	LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
18	SRC_URI[md5sum] = "b8dc8367a57a8d548a9b4ce16d264a13"	18	SRC_URI[md5sum] = "2b19cd338fd526dd5a63c57b1e9bfee2"
19	SRC_URI[sha256sum] = "ad6d39edfe4621d8cc9a2791f6f8d6876943a9da41ac8533d77407a2e630eae4"	19	SRC_URI[sha256sum] = "ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743"
20		20
21	EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \	21	EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
22	--with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \	22	--with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \


diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch b/meta-webserver/recipes-httpd/apache2/apache2/0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch deleted file mode 100644 index 264fde710..000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch +++ /dev/null
@@ -1,58 +0,0 @@
1	From 643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef Mon Sep 17 00:00:00 2001
2	From: Eric Covener <covener@apache.org>
3	Date: Wed, 4 Feb 2015 14:44:23 +0000
4	Subject: [PATCH] *) SECURITY: CVE-2015-0228 (cve.mitre.org) mod_lua: A
5	maliciously crafted websockets PING after a script calls r:wsupgrade()
6	can cause a child process crash. [Edward Lu <Chaosed0 gmail.com>]
7
8	Upstream-Status: BackPort
9
10	Discovered by Guido Vranken <guidovranken gmail.com>
11
12	Submitted by: Edward Lu
13	Committed by: covener
14
15	git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68
16
17	Signed-off-by: Roy Li <rongqing.li@windriver.com>
18	---
19	modules/lua/lua_request.c \| 6 +++++-
20	2 files changed, 10 insertions(+), 1 deletion(-)
21
22	diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
23	index dded599..1200c55 100644
24	--- a/modules/lua/lua_request.c
25	+++ b/modules/lua/lua_request.c
26	@@ -2227,6 +2227,7 @@ static int lua_websocket_read(lua_State *L)
27	{
28	apr_socket_t *sock;
29	apr_status_t rv;
30	+ int do_read = 1;
31	int n = 0;
32	apr_size_t len = 1;
33	apr_size_t plen = 0;
34	@@ -2244,6 +2245,8 @@ static int lua_websocket_read(lua_State *L)
35	mask_bytes = apr_pcalloc(r->pool, 4);
36	sock = ap_get_conn_socket(r->connection);
37
38	+ while (do_read) {
39	+ do_read = 0;
40	/* Get opcode and FIN bit */
41	if (plaintext) {
42	rv = apr_socket_recv(sock, &byte, &len);
43	@@ -2377,10 +2380,11 @@ static int lua_websocket_read(lua_State *L)
44	frame[0] = 0x8A;
45	frame[1] = 0;
46	apr_socket_send(sock, frame, &plen); /* Pong! */
47	- lua_websocket_read(L); /* read the next frame instead */
48	+ do_read = 1;
49	}
50	}
51	}
52	+ }
53	return 0;
54	}
55
56	--
57	1.9.1
58


diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.12.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.16.bb index 7306e8826..a44babdc6 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.12.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.16.bb
@@ -21,12 +21,11 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
21	file://init \	21	file://init \
22	file://apache2-volatile.conf \	22	file://apache2-volatile.conf \
23	file://apache2.service \	23	file://apache2.service \
24	file://0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch \
25	"	24	"
26		25
27	LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"	26	LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
28	SRC_URI[md5sum] = "b8dc8367a57a8d548a9b4ce16d264a13"	27	SRC_URI[md5sum] = "2b19cd338fd526dd5a63c57b1e9bfee2"
29	SRC_URI[sha256sum] = "ad6d39edfe4621d8cc9a2791f6f8d6876943a9da41ac8533d77407a2e630eae4"	28	SRC_URI[sha256sum] = "ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743"
30		29
31	S = "${WORKDIR}/httpd-${PV}"	30	S = "${WORKDIR}/httpd-${PV}"
32		31