CVE's Fixed by upgrade:
CVE-2024-36387 apache2/httpd: DoS by null pointer in websocket over HTTP/2
CVE-2024-38472 apache2/httpd: UNC SSRF on WIndows
CVE-2024-38473 apache2/httpd: Encoding problem in mod_proxy
CVE-2024-38474 apache2/httpd: Substitution encoding issue in mod_rewrite
CVE-2024-38475 apache2/httpd: Improper escaping of output in mod_rewrite
CVE-2024-38476 apache2/httpd: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
CVE-2024-38477 apache2/httpd: null pointer dereference in mod_proxy
CVE-2024-39573 apache2/httpd: Potential SSRF in mod_rewrite
Other Changes between 2.4.59 -> 2.4.60
======================================
https://github.com/apache/httpd/blob/2.4.60/CHANGES
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The first version of this patch introduced a problem with python3-pyqt5.
Python emitted the following error message when one attempted to import
PyQt5.Qt:
ImportError: dynamic module does not define module export function (PyInit_Qt)
This came about due to segfault in sip when executed in do_configure of
python3-pyqt5. This resulted in a zero-length sipQtcmodule.c file being
produced. This compiled successfully which meant no build failure was
observed.
The segfault was caused by a mistake in backporting the patch from SIP 6.
The generateCompositeCpp() function uses the generate_include_sip_h()
helper function in later versions which doesn't exist in SIP 4.
We must replace the first parameter passed to isPY_SSIZE_T_CLEAN() from
mod to pt->module to account for this. The change is not necessary for
generateInternalAPIHeader()
To simplify the patch we can remove the generated lexer and parser files
and run flex and bison in do_configure instead.
Signed-off-by: Rob Woolley <rob.woolley@windriver.com>
Tested-by: Toby Flynn <campingandskiing@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Align to commit 8e297cdc84
("nginx: Remove obsolete patch") by removing reference to
removed patch file. By doing so we mitigate the following
BitBake complaint:
WARNING: .../meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.21.1.bb: Unable to get checksum for nginx SRC_URI entry 0001-HTTP-2-per-iteration-stream-handling-limit.patch: file could not be found
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
With the inclusion of commit 85102dd2df
the same patch was introduced again, thus this copy can be deleted
(which accidently was never used, since I originally forgot to add it to
the SRC_URI, whoops).
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
A flaw was found in libssh. By utilizing the
ProxyCommand or ProxyJump feature, users can exploit
unchecked hostname syntax on the client. This issue
may allow an attacker to inject malicious code into
the command of the features mentioned through the
hostname parameter
Signed-off-by: Nikhil R <nikhil.r@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To fix crash due to missing module:
File "/usr/lib/python3.11/site-packages/twisted/internet/defer.py", line 42, in <module>
from typing_extensions import Literal, ParamSpec, Protocol
ModuleNotFoundError: No module named 'typing_extensions'
Signed-off-by: Hains van den Bosch <hainsvdbosch@ziggo.nl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To fix crash due to missing module:
from twisted.internet import defer
File "/usr/lib/python3.11/site-packages/twisted/internet/defer.py", line 14, in <module>
from asyncio import AbstractEventLoop, Future, iscoroutine
ModuleNotFoundError: No module named 'asyncio'
Signed-off-by: Hains van den Bosch <hainsvdbosch@ziggo.nl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
aiohttp is an asynchronous HTTP client/server framework
for asyncio and Python.When using aiohttp as a web server
and configuring static routes, it is necessary to specify
the root path for static files. Additionally, the option
'follow_symlinks' can be used to determine whether to
follow symbolic links outside the static root directory.
When 'follow_symlinks' is set to True, there is no
validation to check if reading a file is within the root
directory. This can lead to directory traversal
vulnerabilities, resulting in unauthorized access to
arbitrary files on the system, even when symlinks are not
present. Disabling follow_symlinks and using a reverse proxy
are encouraged mitigations. Version 3.9.2 fixes this issue.
References:
https://security-tracker.debian.org/tracker/CVE-2024-23334https://github.com/aio-libs/aiohttp/releases/tag/v3.9.2
Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This upgrade incorporates the fixes for CVE-2024-27316,
CVE-2024-24795,CVE-2023-38709 and other bugfixes.
Adjusted 0004-apache2-log-the-SELinux-context-at-startup.patch
and 0007-apache2-allow-to-disable-selinux-support.patch to
align with upgraded version.
Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.59
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
There is a heap buffer overflow in DumpScreen2RGB() in gif2rgb.c. This
occurs when a crafted gif file, where size of color table is < 256 but
image data contains pixels with color code highier than size of color
table. This causes oferflow of ColorMap->Colors array.
Fix the issue by checking if value of each pixel is within bounds of
given color table. If the value is out of color table, print error
message and exit.
Signed-off-by: Nikhil R <nikhil.r@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
bat-format-pretty hardcoded the lib folder that cause it reports
missing formatter.bash error when multilib is enabled.
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE fixed:
- CVE-2023-40359 xterm: ReGIS reporting for character-set names containing characters other than alphanumerics or underscore
Upstream-Status: Backport from https://github.com/ThomasDickey/xterm-snapshots/commit/41ba5cf31da5e43477811b28009d64d3f643fd29
Note: The CVE patch is part of minor version-up and is extracted from the snapshot of xterm-379c.
Documentation of the commit shows 2 different overflows being fixed and hence the fix was extracted from the commit.
Signed-off-by: Rohini Sangam <rsangam@mvista.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Upgrade to 1.4.1 to make it work with setuptools 59.x as it doesn't
support pep 621 [1], so remove pyproject.toml and add setup.cfg back [2].
* Add python3-toml to RDEPENDS to fix below error:
self = <yamlinclude.readers.TomlReader object at 0x7faceccdbd30>
def __call__(self):
if sys.version_info >= (3, 11):
with open(self._path, "rb") as fp:
return tomllib.load(fp)
else:
try:
import toml
except ImportError as err: # pragma: no cover
> raise ImportError(f'Un-supported file "{self._path}".\n`pip install toml` should solve the problem.\n\n{err}')
E ImportError: Un-supported file "tests/data/include.d/1.toml".
E `pip install toml` should solve the problem.
E
E No module named 'toml'
../../python3.10/site-packages/yamlinclude/readers.py:69: ImportError
[1] https://setuptools.pypa.io/en/latest/userguide/pyproject_config.html
[2] https://github.com/tanbro/pyyaml-include/issues/43
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Add a recipe for the pyyaml-include package that extends PyYAML to include
YAML files within YAML files. Add a ptest to run the unit tests and include
the tests as part of the package lists in meta-python
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bf011a9f5e)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An out-of-bounds stack write flaw was found in unixODBC on 64-bit
architectures where the caller has 4 bytes and callee writes 8 bytes.
This issue may go unnoticed on little-endian architectures, while
big-endian architectures can be broken.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-1013
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Poonam Jadhav
Kai Kang
Jasper Orschulko
Martin Jansa
Vijay Anusuri
Siddharth Doshi
Soumya Sambu
Jiaqing Zhao
nikhil
Peter Marko
Rob Woolley
Meenali Gupta
Niko Mauno
Randy MacLeod
Archana Polampalli
Priyal Doshi
Vivek Kumbhar
Yogita Urade
akash hadke
Mingli Yu
Hains van den Bosch
Hitendra Prajapati
Rahul Janani Pandi
Xiangyu Chen
Rohini Sangam
Ashish Sharma
Tim Orling
Derek Straka