mirror of
git://git.openembedded.org/meta-openembedded
synced 2026-01-04 16:10:10 +00:00
df1a3371d0
Source: git://git.openembedded.org/meta-openembedded MR: 112702, 113258, 113284, 113290, 113296 Type: Security Fix Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-webserver/recipes-httpd/apache2?h=honister&id=54a96fa4feb1a7712f9f3d1190c0d95d89eb6c7c ChangeID: 1576d86baac5a72ea4d2909a8a05c0c87fdce2f1 Description: Changes with Apache 2.4.49 *) SECURITY: CVE-2021-40438 (cve.mitre.org) mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic] *) SECURITY: CVE-2021-39275 (cve.mitre.org) core: ap_escape_quotes buffer overflow *) SECURITY: CVE-2021-36160 (cve.mitre.org) mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic] *) SECURITY: CVE-2021-34798 (cve.mitre.org) core: null pointer dereference on malformed request *) SECURITY: CVE-2021-33193 (cve.mitre.org) mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing] *) core/mod_proxy/mod_ssl: Adding `outgoing` flag to conn_rec, indicating a connection is initiated by the server to somewhere, in contrast to incoming connections from clients. Adding 'ap_ssl_bind_outgoing()` function that marks a connection as outgoing and is used by mod_proxy instead of the previous optional function `ssl_engine_set`. This enables other SSL module to secure proxy connections. The optional functions `ssl_engine_set`, `ssl_engine_disable` and `ssl_proxy_enable` are now provided by the core to have backward compatibility with non-httpd modules that might use them. mod_ssl itself no longer registers these functions, but keeps them in its header for backward compatibility. The core provided optional function wrap any registered function like it was done for `ssl_is_ssl`. [Stefan Eissing] *) mod_ssl: Support logging private key material for use with wireshark via log file given by SSLKEYLOGFILE environment variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton] *) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and "ProxyPassInterpolateEnv On" are configured. PR 65549. [Joel Self <joelself gmail.com>] *) mpm_event: Fix children processes possibly not stopped on graceful restart. PR 63169. [Joel Self <joelself gmail.com>] *) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d) protocols from mod_proxy_http, and a timeout triggering falsely when using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with upgrade= setting. PRs 65521 and 65519. [Yann Ylavic] *) mod_unique_id: Reduce the time window where duplicates may be generated PR 65159 [Christophe Jaillet] *) mpm_prefork: Block signals for child_init hooks to prevent potential threads created from there to catch MPM's signals. [Ruediger Pluem, Yann Ylavic] *) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load. PR 65159" added in 2.4.47. This causes issue on Windows. [Christophe Jaillet] *) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic] *) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted as successful or a staged renewal is replacing the existing certificates. This avoid potential mess ups in the md store file system to render the active certificates non-working. [@mkauf] *) mod_proxy: Faster unix socket path parsing in the "proxy:" URL. [Yann Ylavic] *) mod_ssl: tighten the handling of ALPN for outgoing (proxy) connections. If ALPN protocols are provided and sent to the remote server, the received protocol selected is inspected and checked for a match. Without match, the peer handshake fails. An exception is the proposal of "http/1.1" where it is accepted if the remote server did not answer ALPN with a selected protocol. This accomodates for hosts that do not observe/support ALPN and speak http/1.x be default. *) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances with others when their URLs contain a '$' substitution. PR 65419 + 65429. [Yann Ylavic] *) mod_dav: Add method_precondition hook. WebDAV extensions define conditions that must exist before a WebDAV method can be executed. This hook allows a WebDAV extension to verify these preconditions. [Graham Leggett] *) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other modules apart from versioning implementations to handle the REPORT method. [Graham Leggett] *) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and dav_get_resource() to mod_dav.h. [Graham Leggett] *) core: fix ap_escape_quotes substitution logic. [Eric Covener] *) Easy patches: synch 2.4.x and trunk - mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp. - mod_ldap: log and abort locking errors. - mod_ldap: style fix for r1831165 - mod_ldap: build break fix for r1831165 - mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements - mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590) - mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case. - mod_rewrite: Save a few cycles. - mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues - core: remove extra whitespace in HTTP_NOT_IMPLEMENTED [Christophe Jaillet] *) core/mpm: add hook 'child_stopping` that gets called when the MPM is stopping a child process. The additional `graceful` parameter allows registered hooks to free resources early during a graceful shutdown. [Yann Ylavic, Stefan Eissing] *) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the balancer-manager, which can lead to a crash. [Yann Ylavic] *) mpm_event: Fix graceful stop/restart of children processes if connections are in lingering close for too long. [Yann Ylavic] *) mod_md: fixed a potential null pointer dereference if ACME/OCSP server returned 2xx responses without content type. Reported by chuangwen. [chuangwen, Stefan Eissing] *) mod_md: - Domain names in `<MDomain ...>` can now appear in quoted form. - Fixed a failure in ACME challenge selection that aborted further searches when the tls-alpn-01 method did not seem to be suitable. - Changed the tls-alpn-01 setup to only become unsuitable when none of the dns names showed support for a configured 'Protocols ... acme-tls/1'. This allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost. [Stefan Eissing] *) Add CPING to health check logic. [Jean-Frederic Clere] *) core: Split ap_create_request() from ap_read_request(). [Graham Leggett] *) core, h2: common ap_parse_request_line() and ap_check_request_header() code. [Yann Ylavic] *) core: Add StrictHostCheck to allow unconfigured hostnames to be rejected. [Eric Covener] *) htcacheclean: Improve help messages. [Christophe Jaillet] Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit |
||
|---|---|---|
| .. | ||
| conf | ||
| licenses | ||
| recipes-core | ||
| recipes-httpd | ||
| recipes-php | ||
| recipes-support | ||
| recipes-webadmin | ||
| COPYING.MIT | ||
| README | ||
meta-webserver ============== This layer provides support for building web servers, web-based applications and related software. Dependencies ------------ This layer depends on: URI: git://github.com/openembedded/oe-core.git subdirectory: meta branch: dunfell revision: HEAD For some recipes, the meta-oe layer is required: URI: git://github.com/openembedded/meta-oe.git subdirectory: meta-oe branch: dunfell revision: HEAD Layout ------ recipes-httpd/ Web servers recipes-php/ PHP applications recipes-support/ Miscellaneous support recipes recipes-webadmin/ Standalone web administration interfaces Notes ----- * This layer used to provide a modphp recipe that built mod_php, but this is now built as part of the php recipe in meta-oe. However, since apache2 is required to build mod_php, and apache2 recipe is in this layer and recipes in meta-oe can't depend on it, mod_php is not built by default. If you do wish to use mod_php, you need to add "apache2" to the PACKAGECONFIG value for the php recipe in order to enable it. See here for info on how to do that: http://www.yoctoproject.org/docs/current/ref-manual/ref-manual.html#var-PACKAGECONFIG Maintenance ----------- Send patches / pull requests to openembedded-devel@lists.openembedded.org with '[meta-webserver][dunfell]' in the subject. dunfell Maintainer: Armin Kuster <akuster808@gmail.com> License ------- All metadata is MIT licensed unless otherwise stated. Source code included in tree for individual recipes is under the LICENSE stated in each recipe (.bb file) unless otherwise stated. This README document is Copyright (C) 2012 Intel Corporation.