The patch comes from upstream:
http://svn.apache.org/viewvc?view=revision&revision=1610674
SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse proxy
configuration, a remote attacker could send a carefully crafted request which
could crash a server process, resulting in denial of service.
Thanks to Marek Kroemeke working with HP's Zero Day Initiative for reporting
this issue.
Submitted by: Edward Lu, breser, covener
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Multiple buffer overflows in the php_parserr function in
ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow
remote DNS servers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted DNS record, related to the
dns_get_record function and the dn_expand function. NOTE: this issue
exists because of an incomplete fix for CVE-2014-4049.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3597
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Integer overflow in the cdf_read_property_info function in cdf.c in file
through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and
5.5.x before 5.5.16, allows remote attackers to cause a denial of
service (application crash) via a crafted CDF file. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2012-1571.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3587
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before
5.5.16 does not ensure that pathnames lack %00 sequences, which might
allow remote attackers to overwrite arbitrary files via crafted input to
an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif,
(4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5120
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This patch add the new Monkey HTTP Server v1.5.4.
For more details about software changes please visit:
http://monkey-project.com/Announcements/v1.5.4
=== Build Tests ==
This version have been tested on Yocto/Daisy based on RPM.
monkey-yocto/a617991e40bd5c3779ad7b3689f78857d3e45248
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Split apache2-scripts subpkg to put the perl script dbmmanage, so that
apache2 doesn't have to RDEPEND on perl.
Add another perl script apxs to apache2-dev pkg as Olof Johansson
suggested.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Bashism:
possible bashism in plugins/transformations/generator_plugin.sh line 16 (echo -e):
echo -e "Usage: ./generator_plugin.sh MIMEType MIMESubtype TransformationName [Description]\n"
possible bashism in plugins/transformations/generator_plugin.sh line 28 (${parm,[,][pat]} or ${parm^[^][pat]}):
MT="${MT^}"
possible bashism in plugins/transformations/generator_plugin.sh line 29 (${parm,[,][pat]} or ${parm^[^][pat]}):
MS="${MS^}"
possible bashism in plugins/transformations/generator_plugin.sh line 30 (${parm,[,][pat]} or ${parm^[^][pat]}):
TN="${TN^}"
possible bashism in plugins/transformations/generator_plugin.sh line 51 (should be 'b = a'):
if [ "$4" == "--generate_only_main_class" ]; then
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
This patch add the new Monkey HTTP Server v1.5.3.
For more details about software changes please visit:
http://monkey-project.com/Announcements/v1.5.3
=== Build Tests ==
This version have been tested on Yocto/Daisy being packaged and
deployed on images based on RPM successfully.
monkey-yocto/672eadb254e754b91efe691a6594985ee6d9a22e
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Changed:
- Adjust or remake the following patches based on 1.700:
init-exclude.patch
exports-lib.pl.patch
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* perl-module-time-local is already in RDEPENDS (I guess it's the
same thing as perl-module-timelocal without the last dash)
* list some packages explicitly so that bitbake finds their
RDEPENDS correctly
* fixes following warnings:
webmin-1.620: webmin-module-raid rdepends on mdadm, but it isn't a build dependency? [build-deps]
webmin-1.620: webmin-module-proc rdepends on procps, but it isn't a build dependency? [build-deps]
webmin-1.620: webmin rdepends on perl-module-timelocal, but it isn't a build dependency? [build-deps]
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
We already patch configure.ac and we're not bypassing autoreconf,
so we don't need to patch configure as well.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
This patch add the new Monkey HTTP Server v1.5.2. The new Bitbake file
contains the modifications suggested over the patch set for v1.5.1. It
specify each configuration file for CONFFILES_${PN}.
For more details about software changes please visit:
http://monkey-project.com/Announcements/v1.5.2
=== Build Tests ==
This version and new Bitbake file have been tested on Yocto/Daisy being
packaged and deployed on images based on rpm and ipk successfully.
monkey-yocto/70d57bfd19c01ec055db57e35385ffc4185ae186
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This patch add the minor release fix of Monkey HTTP Server v1.5.1. It fixes
some problems when switching user when started as root.
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
when move a file, test if this file exist or not
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* runtime dependencies are TUNE_PKGARCH causing do_package_write_*
task to have different signature for MACHINEs with different
TUNE_PKGARCH
Signed-off-by: Anders Darander <anders@chargestorm.se>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Fixed SRC_URI:
* ${PN} -> ${BPN}, use ${BP} if it was ${PN}-${PV}
* ${P} -> ${BP}
Otherwise we would meet do_fetch errors when we do the multilib, native
or nativesdk build.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
These recipes were all missing pkgconfig dependencies.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* These recipes all use pkg-config in some way but were missing
dependencies on the tool, this patch adds them.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Also fixup apache2-native recipe to use autotools and SEPB.
Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Rather than put hardcoded values into the init scripts,
use a config file. The SRV_DIR is a special value as it
should be used in the conifg file and also passed to make
so it can put the html files in the correct directory.
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
The default set of themes taks up ~13MB, with a couple of them weighting in
at ~5MB each.
Let's split the themes to separate packages, to allow a considerable size
reduction of the core webmin package (from +15MB to 2.1MB on my build host).
Signed-off-by: Anders Darander <anders@chargestorm.se>
Don't hardcode the webmin login and password in the install script.
Instead, extract them to variables, to allow us to override them in
a bbappend.
Signed-off-by: Anders Darander <anders@chargestorm.se>
This patch make use of autotools-brokensep on main
recipe to avoid a broken build when using a different
build directory.
monkey-yocto/f15c9e7cd9143ce8486ae5e78db9092238c3d0ec
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
This patch adds the Monkey HTTP Server v1.5.0 recipes. The content
on this patch includes the modifications suggested by people in the
Maling List.
Signed-off-by: Eduardo Silva <eduardo@monkey.io>
Add the Xdebug license file to avoid a missing generic license file
warning during building.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Both the two rules install-adminpyDATA and install-generatedDATA will
install the configured.py to the same location, they can run parallel,
and they use "install -m", which would might build failures:
/usr/bin/install: setting permissions for `/path/to/configured.py': No such file or directory
This is because the first install is setting the permission while the
second install is removing the file an re-install.
Only install the configured.py once will fix the problem, I think that
there is no side effect since it installed the same file to the same
location twice in the past.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
sstate processing for items in sysroot scans certain
file name patterns for absolute paths to be adjusted
when items are installed into sysroot from sstate.
phpize is not one of these patterns (surprise!) so we
add it to the list.
Signed-off-by: Joe Slater <jslater@windriver.com>
* LIC_FILES_CHKSUM changed because of the introduction of an extra blank
line in the LICENSE file (!)
* Refreshed TLS Next Protocol Negotiation support patch for conflict
with 2.4.7. Thanks to Hongxu Jia for doing this work.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Changes:
- rename SUMMARY with length > 80 to DESCRIPTION
- rename DESCRIPTION with length < 80 to (non present tag) SUMMARY
- drop final point character at the end of SUMMARY string
- remove trailing whitespace of SUMMARY line
Note: don't bump PR
Signed-off-by: Matthieu Crapet <Matthieu.Crapet@ingenico.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
In recent versions, upstream has decided to place additional
restrictions on commercial use beyond a standard open source license
(LGPLv3) [1]. This makes it hard to set a LICENSE value that is easily
understood. Of course, as the authors, they have the right to decide
what licensing terms they wish to distribute their project under, and we
could always set LICENSE_FLAGS to denote the extra terms, but this is
somewhat messy and personally I feel less inclined to continue
maintaining this recipe in meta-webserver now, especially since I
originally put it together on my own time. At the moment due to a
branch/commit mismatch it is no longer fetching in any case.
(If someone wants to resurrect this recipe in another layer, they are
more than welcome to do so.)
[1] http://support.ajenti.org/topic/351265-clarify-licensing/
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Previously, modphp estimates endian on host rather than checks it on
target. If the host is little-endian and the target is big-endian,
modphp claims that endian is little. As a result, a memory location
that it is not allowed to access when calling libphp5.so module on
target. It will occur segmentation fault.
This patch enables endian check support for modphp.
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
