On Wed, Dec 21, 2016 at 6:38 PM, Derek Straka <[email protected]> wrote: > Signed-off-by: Derek Straka <[email protected]> > --- > ...2-native_2.4.23.bb => apache2-native_2.4.25.bb} | 4 ++-- > .../apache2/apache2/cve-2016-5387.patch | 25 > ---------------------- > .../{apache2_2.4.23.bb => apache2_2.4.25.bb} | 5 ++--- > 3 files changed, 4 insertions(+), 30 deletions(-) > rename meta-webserver/recipes-httpd/apache2/{apache2-native_2.4.23.bb => > apache2-native_2.4.25.bb} (91%) > delete mode 100644 > meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch > rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.23.bb => > apache2_2.4.25.bb} (97%) > > diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.23.bb > b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.25.bb > similarity index 91% > rename from meta-webserver/recipes-httpd/apache2/apache2-native_2.4.23.bb > rename to meta-webserver/recipes-httpd/apache2/apache2-native_2.4.25.bb > index b227f19..ca8ebaf 100644 > --- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.23.bb > +++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.25.bb > @@ -15,8 +15,8 @@ SRC_URI = > "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \ > S = "${WORKDIR}/httpd-${PV}" > > LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83" > -SRC_URI[md5sum] = "04f19c60e810c028f5240a062668a688" > -SRC_URI[sha256sum] = > "0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58" > +SRC_URI[md5sum] = "2826f49619112ad5813c0be5afcc7ddb" > +SRC_URI[sha256sum] = > "f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2" > > EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \ > --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \ > diff --git a/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch > b/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch > deleted file mode 100644 > index dbcdfc6..0000000 
> --- a/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch > +++ /dev/null > @@ -1,25 +0,0 @@ > -This patch has been copied from > https://www.apache.org/security/asf-httpoxy-response.txt > -as a mitigation of CVE-2016-5387. > - > -Upstream-Status: Backport - fixed in 2.4.24 > - > -Signed-off-by: Joe Slater<[email protected]> > - > - > ---- a/server/util_script.c (revision 1752426) > -+++ b/server/util_script.c (working copy) > -@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r > - else if (!strcasecmp(hdrs[i].key, "Content-length")) { > - apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); > - } > -+ /* HTTP_PROXY collides with a popular envvar used to configure > -+ * proxies, don't let clients set/override it. But, if you must... > -+ */ > -+#ifndef SECURITY_HOLE_PASS_PROXY > -+ else if (!strcasecmp(hdrs[i].key, "Proxy")) { > -+ ; > -+ } > -+#endif > - /* > - * You really don't want to disable this check, since it leaves you > - * wide open to CGIs stealing passwords and people viewing them > diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb > b/meta-webserver/recipes-httpd/apache2/apache2_2.4.25.bb > similarity index 97% > rename from meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb > rename to meta-webserver/recipes-httpd/apache2/apache2_2.4.25.bb > index b78ff51..3bd8579 100644 > --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb > +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.25.bb 
> @@ -17,15 +17,14 @@ SRC_URI = > "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \ > file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \ > file://0001-configure-use-pkg-config-for-PCRE-detection.patch \ > file://configure-allow-to-disable-selinux-support.patch \ > - file://cve-2016-5387.patch \ > file://init \ > file://apache2-volatile.conf \ > file://apache2.service \ > " > > LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83" > -SRC_URI[md5sum] = "04f19c60e810c028f5240a062668a688" > -SRC_URI[sha256sum] = > "0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58" > +SRC_URI[md5sum] = "2826f49619112ad5813c0be5afcc7ddb" > +SRC_URI[sha256sum] = > "f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2" > > S = "${WORKDIR}/httpd-${PV}" > > -- > 2.7.4 > > -- > _______________________________________________ > Openembedded-devel mailing list > [email protected] > http://lists.openembedded.org/mailman/listinfo/openembedded-devel
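Review bot: In the apache2-native_2.4.25.bb hunk, the new SRC_URI[md5sum] and SRC_URI[sha256sum] values are what authenticates a tarball that SRC_URI still fetches over plain http:// from www.apache.org/dist, and the commit message does not say where the new values came from. Please note in the message that they were checked against the checksum or signature upstream publishes for httpd-2.4.25, and consider moving the URL to https:// in the same change.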
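Review bot: The commit message is only a Signed-off-by line, yet the hunk deleting apache2/cve-2016-5387.patch removes a CVE mitigation. The deleted file's own header reads "Upstream-Status: Backport - fixed in 2.4.24", which is the justification for dropping it at 2.4.25. Please say so in the commit message, so that anyone auditing CVE-2016-5387 coverage can see from the log that the fix now comes from the upstream tarball rather than having been lost in the upgrade.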
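Review bot: The SRC_URI[md5sum] and SRC_URI[sha256sum] pair in the apache2_2.4.25.bb hunk is a verbatim copy of the pair in apache2-native_2.4.25.bb, since both recipes fetch the same httpd-${PV}.tar.bz2. Keeping SRC_URI for the tarball and both checksums in one shared include would stop the two recipes from drifting apart on the next version bump. Separately, the removal of the "file://cve-2016-5387.patch \" entry here matches the file deletion earlier in the patch, so no dangling reference is left.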
How long does it typically take for something like this to show up in the Krogoth (2.1.2) and Morty (2.2) branches? Just wondering because I did a fresh checkout of both yesterday and they didn't have this fix yet.

Regards,
Brian
