OpenPOWER buildroot sources https://git.raptorcs.com/git/buildroot/atom?h=2017.08 2017-07-11T19:31:17+00:00 2017-07-11T19:31:17+00:00 Bernd Kuhls bernd.kuhls@t-online.de 2017-07-11T18:25:26+00:00 urn:sha1:cf9b7cedac14de7cf5650589bf4c37635b5438a9 Announcement: http://www.apache.org/dist/httpd/Announcement2.4.html Release notes: http://www.apache.org/dist/httpd/CHANGES_2.4.27 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-06-20T21:24:33+00:00 Peter Korsgaard peter@korsgaard.com 2017-06-20T21:13:45+00:00 urn:sha1:e8a15fd693261306c6e9a0733569a89d5b795295 Fixes the following security issues: CVE-2017-3167: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. CVE-2017-3169: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. CVE-2017-7659: A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process. CVE-2017-7668: The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. CVE-2017-7679: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. While we're at it, use the upstream sha256 checksum instead of sha1. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-05-11T21:25:00+00:00 Adam Duskett Aduskett@gmail.com 2017-05-05T14:08:05+00:00 urn:sha1:0896e3ed644a37bde3b7ad7786f0f7b4df7d25a4 The check-package script when ran gives warnings on text wrapping on all of these Config files. This patch cleans up all warnings related to the text wrapping for the Config files starting with the letter a in the package directory. The appropriate indentation is: <tab><2 spaces><62 chars> See http://nightly.buildroot.org/#writing-rules-config-in for more information. Signed-off-by: Adam Duskett <aduskett@codeblue.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-04-29T15:17:02+00:00 Adam Duskett Aduskett@gmail.com 2017-04-22T17:17:48+00:00 urn:sha1:7b493e411f5b4473b275aa125d85386a5d1127a9 The check-package script when ran gives warnings on ordering issues on all of these Config files. This patch cleans up all warnings related to the ordering in the Config files for packages starting with the letter a in the package directory. The appropriate ordering is: type, default, depends on, select, help See http://nightly.buildroot.org/#_config_files for more information. Signed-off-by: Adam Duskett <Adamduskett@outlook.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-12-22T09:01:22+00:00 Bernd Kuhls bernd.kuhls@t-online.de 2016-12-22T06:02:59+00:00 urn:sha1:68af1dc2575888863ae0015b09555a5e42a5d56c Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.25 Fixes CVE-2016-8740, CVE-2016-5387, CVE-2016-2161, CVE-2016-0736, CVE-2016-8743. Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-09-12T21:13:44+00:00 Fabrice Fontaine fontaine.fabrice@gmail.com 2016-09-11T22:26:05+00:00 urn:sha1:bc5584fc90b491610aecec22102a772d0805ddf4 MPM can be selected between event, prefork or worker Set worker as the default one as it was before even if event MPM is better on system supporting thread safe polling Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-07-07T09:48:49+00:00 Bernd Kuhls bernd.kuhls@t-online.de 2016-07-07T05:08:00+00:00 urn:sha1:d72868f1583cb745a875f1eae263c24e085ce592 Fixes CVE-2016-4979: TLS/SSL X.509 client certificate auth bypass with HTTP/2 http://httpd.apache.org/security/vulnerabilities_24.html Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-04-13T19:36:43+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-04-11T19:47:20+00:00 urn:sha1:07e4772115a82e7b7c3287f78886e8675a74fd28 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Acked-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-02-06T10:16:00+00:00 Thomas Petazzoni thomas.petazzoni@free-electrons.com 2016-02-02T15:31:24+00:00 urn:sha1:22e63d952edc2831b1844983481ecdca6ee02db8 Since the apache package was introduced, --enable-nonportable-atomics=yes was passed when BR2_ARCH_HAS_ATOMICS. However, Apache doesn't take this option: it only passes it down when building the APR library. But since we're building APR separately, this statement had no effect. So this commit removes the useless code from the Apache package, and instead adds the appropriate logic to the apr package, using the new BR2_TOOLCHAIN_HAS_SYNC_x symbols rather than BR2_ARCH_HAS_ATOMICS. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Bernd Kuhls <bernd.kuhls@t-online.de> 2015-12-19T13:06:32+00:00 Bernd Kuhls bernd.kuhls@t-online.de 2015-12-19T11:01:21+00:00 urn:sha1:4e2af5eac443746cd26cd81fbf321e6df99ca519 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>