| Message ID | 20240126135747.2407552-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | package/darkhttpd: security bump to version 1.15 | expand |
Peter, All, On 2024-01-26 14:57 +0100, Peter Korsgaard spake thusly: > Fixes the following security issues: > > CVE-2024-23770: Local Leak of Authentication Parameter in Process List > > CVE-2024-23771: Basic Auth Timing Attack > > https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html > > Notice that CVE-2024-23770 is only documented as a known weakness, not > fixed. > > Also change the license logic to use the dedicated COPYING file available > since 1.14: > > https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd > > This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match. This means the licensing stuff should be backported to the maintenance branches, and should thus have been a separate patch prior to the version bump. But since this is a security fix, I guess you'll want to backport the version bump too. And since the odlest stable, 2023.02, already had darkhttpd 1.14, it is possibe to backport the version bump to all maintenance branches. Thus, I considered splitting, got slightly cat-distracted, and pushed without splitting. > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Applied to master, thanks. Regards, Yann E. MORIN. > --- > package/darkhttpd/darkhttpd.hash | 4 ++-- > package/darkhttpd/darkhttpd.mk | 6 +++--- > 2 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/package/darkhttpd/darkhttpd.hash b/package/darkhttpd/darkhttpd.hash > index 188afff767..84a787eeba 100644 > --- a/package/darkhttpd/darkhttpd.hash > +++ b/package/darkhttpd/darkhttpd.hash > @@ -1,3 +1,3 @@ > # Locally generated > -sha256 e063de9efa5635260c8def00a4d41ec6145226a492d53fa1dac436967670d195 darkhttpd-1.14.tar.gz > -sha256 f002944c9a8516e3346002d39c3e13681306833358c0f3c7781dff1fdb639710 darkhttpd.c > +sha256 ea48cedafbf43186f4a8d1afc99b33b671adee99519658446022e6f63bd9eda9 darkhttpd-1.15.tar.gz > +sha256 1ecf63e8f84fd60ac7215e04195b9a61dcb47176ea65df26547582027f6c1dee COPYING > diff --git a/package/darkhttpd/darkhttpd.mk b/package/darkhttpd/darkhttpd.mk > index bda08899b8..e13f8f7770 100644 > --- a/package/darkhttpd/darkhttpd.mk > +++ b/package/darkhttpd/darkhttpd.mk > @@ -4,10 +4,10 @@ > # > ################################################################################ > > -DARKHTTPD_VERSION = 1.14 > +DARKHTTPD_VERSION = 1.15 > DARKHTTPD_SITE = $(call github,emikulic,darkhttpd,v$(DARKHTTPD_VERSION)) > -DARKHTTPD_LICENSE = MIT > -DARKHTTPD_LICENSE_FILES = darkhttpd.c > +DARKHTTPD_LICENSE = ISC > +DARKHTTPD_LICENSE_FILES = COPYING > DARKHTTPD_CPE_ID_VENDOR = darkhttpd_project > > define DARKHTTPD_BUILD_CMDS > -- > 2.39.2 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes: > Peter, All, > On 2024-01-26 14:57 +0100, Peter Korsgaard spake thusly: >> Fixes the following security issues: >> >> CVE-2024-23770: Local Leak of Authentication Parameter in Process List >> >> CVE-2024-23771: Basic Auth Timing Attack >> >> https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html >> >> Notice that CVE-2024-23770 is only documented as a known weakness, not >> fixed. >> >> Also change the license logic to use the dedicated COPYING file available >> since 1.14: >> >> https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd >> >> This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match. > This means the licensing stuff should be backported to the maintenance > branches, and should thus have been a separate patch prior to the > version bump. > But since this is a security fix, I guess you'll want to backport the > version bump too. And since the odlest stable, 2023.02, already had > darkhttpd 1.14, it is possibe to backport the version bump to all > maintenance branches. > Thus, I considered splitting, got slightly cat-distracted, and pushed > without splitting. Hehe ;) That was indeed also the reason why I didn't do the effort to split it in multiple patches.
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes: >> Peter, All, >> On 2024-01-26 14:57 +0100, Peter Korsgaard spake thusly: >>> Fixes the following security issues: >>> >>> CVE-2024-23770: Local Leak of Authentication Parameter in Process List >>> >>> CVE-2024-23771: Basic Auth Timing Attack >>> >>> https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html >>> >>> Notice that CVE-2024-23770 is only documented as a known weakness, not >>> fixed. >>> >>> Also change the license logic to use the dedicated COPYING file available >>> since 1.14: >>> >>> https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd >>> >>> This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match. >> This means the licensing stuff should be backported to the maintenance >> branches, and should thus have been a separate patch prior to the >> version bump. >> But since this is a security fix, I guess you'll want to backport the >> version bump too. And since the odlest stable, 2023.02, already had >> darkhttpd 1.14, it is possibe to backport the version bump to all >> maintenance branches. >> Thus, I considered splitting, got slightly cat-distracted, and pushed >> without splitting. > Hehe ;) That was indeed also the reason why I didn't do the effort to > split it in multiple patches. Committed to 2023.02.x and 2023.11.x, thanks.
diff --git a/package/darkhttpd/darkhttpd.hash b/package/darkhttpd/darkhttpd.hash index 188afff767..84a787eeba 100644 --- a/package/darkhttpd/darkhttpd.hash +++ b/package/darkhttpd/darkhttpd.hash @@ -1,3 +1,3 @@ # Locally generated -sha256 e063de9efa5635260c8def00a4d41ec6145226a492d53fa1dac436967670d195 darkhttpd-1.14.tar.gz -sha256 f002944c9a8516e3346002d39c3e13681306833358c0f3c7781dff1fdb639710 darkhttpd.c +sha256 ea48cedafbf43186f4a8d1afc99b33b671adee99519658446022e6f63bd9eda9 darkhttpd-1.15.tar.gz +sha256 1ecf63e8f84fd60ac7215e04195b9a61dcb47176ea65df26547582027f6c1dee COPYING diff --git a/package/darkhttpd/darkhttpd.mk b/package/darkhttpd/darkhttpd.mk index bda08899b8..e13f8f7770 100644 --- a/package/darkhttpd/darkhttpd.mk +++ b/package/darkhttpd/darkhttpd.mk @@ -4,10 +4,10 @@ # ################################################################################ -DARKHTTPD_VERSION = 1.14 +DARKHTTPD_VERSION = 1.15 DARKHTTPD_SITE = $(call github,emikulic,darkhttpd,v$(DARKHTTPD_VERSION)) -DARKHTTPD_LICENSE = MIT -DARKHTTPD_LICENSE_FILES = darkhttpd.c +DARKHTTPD_LICENSE = ISC +DARKHTTPD_LICENSE_FILES = COPYING DARKHTTPD_CPE_ID_VENDOR = darkhttpd_project define DARKHTTPD_BUILD_CMDS
Fixes the following security issues: CVE-2024-23770: Local Leak of Authentication Parameter in Process List CVE-2024-23771: Basic Auth Timing Attack https://security.opensuse.org/2024/01/22/darkhttpd-basic-auth-issues.html Notice that CVE-2024-23770 is only documented as a known weakness, not fixed. Also change the license logic to use the dedicated COPYING file available since 1.14: https://github.com/emikulic/darkhttpd/commit/a8ae2b1de069588cad23d79a5392445ee9590fcd This license is ISC, not MIT - So adjust DARKHTTPD_LICENSE to match. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/darkhttpd/darkhttpd.hash | 4 ++-- package/darkhttpd/darkhttpd.mk | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-)