author | wangmy <wangmy@fujitsu.com> | 2022-01-25 08:11:34 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-01-26 06:27:00 +0000 |
commit | 866774f404fac7a235b2b8e94baa0769d1a964d3 (patch) | |
tree | 6162dd7e41a45ecba726cc6df791de6c0cc76296 /meta/recipes-extended/lighttpd | |
parent | 8cafe952706adc6fac54fda071c23ab2cf6b6a93 (diff) | |
download | poky-866774f404fac7a235b2b8e94baa0769d1a964d3.tar.gz |
lighttpd: upgrade 1.4.63 -> 1.4.64
0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
removed since it's included in 1.4.64.
with_gdbm and with_memcached are
removed since they are no longer applicable in 1.4.64.
Changelog:
=========
Important changes
remove deprecated modules, bugfixes, CVE-2022-22707 (rare configs)
Behavior Changes
(previously announced and scheduled)
-graceful restart/shutdown timeout changed from 0 (disabled) to 8 seconds
configure an alternative with:
server.feature-flags += ("server.graceful-shutdown-timeout" => 8)
build: lighttpd defaults to -with-pcre2 instead of -with-pcre
pcre2 is current. pcre is no longer maintained.
Explicitly specify -with-pcre in build to use pcre instead of pcre2.
-deprecated modules (previously announced) have been removed
mod_authn_mysql
mod_mysql_vhost
mod_cml
mod_flv_streaming
mod_geoip
mod_trigger_b4_dl
https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated
suggests migration steps for replacements, if needed
Changes from 1.4.63
[core] fix trace issued for loading mod_auth (fixes #3121)
[meson] need -lrt with glibc < 2.17 (fixes #3120)
[core] adjust time jump detection (fixes #3123)
[core] make setrlimit() warn, not fatal
[core] add remote IP to some error msgs (fixes #3122)
[mod_webdav] If-None-Match on non-existent entity
[build] check getxattr before attr_get and -lattr
[doc] SELinux: setsebool -P httpd_setrlimit on
[build] create sha512sum file with release
[build] CI builds now use make -j 2
[core] http_response_send_file() takes const path
[core] use ETag response header to check cachable
[core] add more const to stat_cache_update_entry()
[multiple] remove r->physical.etag
[mod_magnet] interface to http_response_send_file
[build] add headers for sendfile() detect on MacOS
[core] http_response_write_prepare optimization
[core] define static_assert for uClibc (fixes #3127)
[build] -Wno-implicit-fallthrough for ls-hpack
[core] ignore pcre2 "bad JIT option" warning
[build] pcre2: use pkg-config before pcre2-config
[core] http_response_has_error_handler()
[core] consolidate request restart loop check
[core] defer retrieving Last-Modified until needed
[mod_dirlisting] fix logic inversion in cache
[core] mark expect cond in http_response_send_file
[core] connection_handle_read_state() tweak
[core] connection_state_machine_loop() tweaks
[core] connection_state_machine_h2() tweaks
[core] quiet coverity noise
[core] use lower limit for max-fds if !setrlimit
[build] do not check for prctl; HAVE_PRCTL unused
[core] server.core-files support on FreeBSD (fixes #3128)
[mod_extforward] support longer PROXY v2 TLV vec
[mod_webdav] detect truncated copy_file_range()
[mod_webdav] copy_file_range() new in FreeBSD 13
[mod_webdav] copy_file_range() new in FreeBSD 13
[build] feature consistency between build types
[build] cmake build now defaults to C11
[core] CCRandomGenerateBytes() for rand on macOS (fixes #3129)
[multiple] remove long-deprecated modules
[build] default -with-pcre2 unless -with-pcre
[core] "server.graceful-shutdown-timeout" => 8
[build] adjust trace for regex-conditionals
[build] update tests/SConscript
[core] errno_t detection on Illumos
[build] cmake build now defaults to C11
[build] meson: find pcre2 w/o pkg-config
[core] define EXTENSIONS on Illumos
[build] cmake,meson socket libs for win32, Illumos (fixes #3130)
[core] hide bsd_accept_filter code on OpenBSD (fixes #3131)
[core] errno_t and rsize_t detection on Illumos
[mod_webdav] copy acceleration
[mod_webdav] define HAVE_RENAMEAT2 earlier
[build] meson misdetects mempcpy on some platforms
[build] cmake: skip "-Wl,-export-dynamic" Illumos
[build] adjust .gitignore for macOS
[build] meson crypt and dl detection on *BSD (fixes #3133)
[core] /dev/null is a symlink on Illumos (fixes #3132)
[core] server.core-files support for solaris (fixes #3135)
[build] feature consistency between build types
[build] Haiku build fix (fixes #3136)
[lemon] silence coverity warnings
[cmake] raise minimum version to 3.7
[cmake] add address/undefined sanitize compile options
[asan tests] fix memory leaks
[array] use speaking names for array "fn" vtables for better debugging experience
[ci] add cmake-asan build type
[core] buffer_copy_string() use "" if s is NULL
[mod_authn_gssapi] code reuse: fdevent_mkostemp()
[mod_authn_gssapi] reduce KRB5CCNAME mem alloc
[build] adjust help strings for pcre2 default
[core] (const char *) for srvconf.modules_dir
[multiple] remove buffer_init_string()
[multiple] remove buffer_init_buffer()
[mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
[build] use -fstack-protector-strong w/ extra warn
[build] collect Sun-specific headers and funcs
[build] collect Sun-specific headers and funcs
[build] rm redundant check for -lnetwork on Haiku
[build] check headers before some funcs
[core] allow LISTEN_PID to be ppid if TRACEME (fixes #3137)
[core] allow tests/tmp/bind.conf override (#3137)
[mod_webdav] no sys/ioctl.h on _WIN32
[tests] _WIN32 adjustments in LightyTest.pm
[tests] revert _WIN32 adjustments in LightyTest.pm
[mod_gnutls] lift size check out of DN loop
[mod_mbedtls] lift size check out of DN loop
[mbedtls] save (mbedtls_ssl_config *) in hctx
[multiple] permit UTF-8 in SSL_CLIENT_S_DN_*
[mod_openssl] do not esc UTF-8 in cert subject
[mod_mbedtls] reconstruct SSL_CLIENT_S_DN
[mod_mbedtls] changes to build with mbedtls 3.0.0
[mod_mbedtls] remove use of out_left in mbedtls 3
[mod_mbedtls] mbedtls_ssl_conf_groups for 3.1.0
(From OE-Core rev: 478f5f30bf783fae513dbe6e8be9af9f6ec8a6a8)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/lighttpd')
-rw-r--r-- | meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch | 97 | ||||
-rw-r--r-- | meta/recipes-extended/lighttpd/lighttpd_1.4.64.bb (renamed from meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb) | 5 |
2 files changed, 1 insertions, 101 deletions
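--- a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-Upstream-Status: Backport
-CVE: CVE-2022-22707
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001
-From: povcfe <povcfe@qq.com>
-Date: Wed, 5 Jan 2022 11:11:09 +0000
-Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
-
-(thx povcfe)
-
-(edited: gstrauss)
-
-There is a potential remote denial of service in lighttpd mod_extforward
-under specific, non-default and uncommon 32-bit lighttpd mod_extforward
-configurations.
-
-Under specific, non-default and uncommon lighttpd mod_extforward
-configurations, a remote attacker can trigger a 4-byte out-of-bounds
-write of value '-1' to the stack. This is not believed to be exploitable
-in any way beyond triggering a crash of the lighttpd server on systems
-where the lighttpd server has been built 32-bit and with compiler flags
-which enable a stack canary -- gcc/clang -fstack-protector-strong or
--fstack-protector-all, but bug not visible with only -fstack-protector.
-
-With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
-this bug has not been observed to cause adverse behavior, even with
-gcc/clang -fstack-protector-strong.
-
-For the bug to be reachable, the user must be using a non-default
-lighttpd configuration which enables mod_extforward and configures
-mod_extforward to accept and parse the "Forwarded" header from a trusted
-proxy. At this time, support for RFC7239 Forwarded is not common in CDN
-providers or popular web server reverse proxies. It bears repeating that
-for the user to desire to configure lighttpd mod_extforward to accept
-"Forwarded", the user must also be using a trusted proxy (in front of
-lighttpd) which understands and actively modifies the "Forwarded" header
-sent to lighttpd.
-
-lighttpd natively supports RFC7239 "Forwarded"
-hiawatha natively supports RFC7239 "Forwarded"
-
-nginx can be manually configured to add a "Forwarded" header
-https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
-
-A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
-in front of another 32-bit lighttpd will detect and reject a malicious
-"Forwarded" request header, thereby thwarting an attempt to trigger
-this bug in an upstream 32-bit lighttpd.
-
-The following servers currently do not natively support RFC7239 Forwarded:
-nginx
-apache2
-caddy
-node.js
-haproxy
-squid
-varnish-cache
-litespeed
-
-Given the general dearth of support for RFC7239 Forwarded in popular
-CDNs and web server reverse proxies, and given the prerequisites in
-lighttpd mod_extforward needed to reach this bug, the number of lighttpd
-servers vulnerable to this bug is estimated to be vanishingly small.
-Large systems using reverse proxies are likely running 64-bit lighttpd,
-which is not known to be adversely affected by this bug.
-
-In the future, it is desirable for more servers to implement RFC7239
-Forwarded. lighttpd developers would like to thank povcfe for reporting
-this bug so that it can be fixed before more CDNs and web servers
-implement RFC7239 Forwarded.
-
-x-ref:
-"mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
-https://redmine.lighttpd.net/issues/3134
-(not yet written or published)
-CVE-2022-22707
----
-src/mod_extforward.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/mod_extforward.c b/src/mod_extforward.c
-index ba957e04..fdaef7f6 100644
---- a/src/mod_extforward.c
-+++ b/src/mod_extforward.c
-@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
-while (s[i] == ' ' || s[i] == '\t') ++i;
-if (s[i] == ';') { ++i; continue; }
-if (s[i] == ',') {
-- if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
-+ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
-offsets[++j] = -1; /*("offset" separating params from next proxy)*/
-++i;
-continue;
---
-2.25.1
-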
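--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.64.bb
@@ -14,13 +14,12 @@ RRECOMMENDS:${PN} = "lighttpd-module-access \
 lighttpd-module-accesslog"
 
 SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \
-file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \
 file://index.html.lighttpd \
 file://lighttpd.conf \
 file://lighttpd \
 "
 
-SRC_URI[sha256sum] = "2aef7f0102ebf54a1241a1c3ea8976892f8684bfb21697c9fffb8de0e2d6eab9"
+SRC_URI[sha256sum] = "e1489d9fa7496fbf2e071c338b593b2300d38c23f1e5967e52c9ef482e1b0e26"
 
 DEPENDS = "virtual/crypt"
 
@@ -39,8 +38,6 @@ PACKAGECONFIG[zlib] = "-Dwith_zlib=true,-Dwith_zlib=false,zlib"
 PACKAGECONFIG[bzip2] = "-Dwith_bzip=true,-Dwith_bzip=false,bzip2"
 PACKAGECONFIG[webdav-props] = "-Dwith_webdav_props=true,-Dwith_webdav_props=false,libxml2 sqlite3"
 PACKAGECONFIG[webdav-locks] = "-Dwith_webdav_locks=true,-Dwith_webdav_locks=false,util-linux"
-PACKAGECONFIG[gdbm] = "-Dwith_gdbm=true,-Dwith_gdbm=false,gdbm"
-PACKAGECONFIG[memcache] = "-Dwith_memcached=true,-Dwith_memcached=false,libmemcached"
 PACKAGECONFIG[lua] = "-Dwith_lua=true,-Dwith_lua=false,lua"
 PACKAGECONFIG[zstd] = "-Dwith_zstd=true,-Dwith_zstd=false,zstd"
 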