GNU bug report logs - #63038 Apache HTTPD security update 2.4.57
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Sun, 23 Apr 2023 17:10:01 UTC
Severity: normal
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#63038; Package guix-patches. (Sun, 23 Apr 2023 17:10:01 GMT)
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 23 Apr 2023 17:10:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Here are patches to update HTTPD to the latest upstream release, 2.4.57.
These patches also remove a bunch of spurious dependencies on the
primary httpd package by creating a pinned variant. With these changes,
we'll be able to update HTTPD freely without triggering thousands of
rebuilds.
Information forwarded to guix-patches <at> gnu.org: bug#63038; Package guix-patches. (Sun, 23 Apr 2023 17:12:02 GMT)
Message #8 received at 63038 <at> debbugs.gnu.org (full text, mbox):
Fixes CVE-2023-27522, CVE-2023-25690, CVE-2022-37436, CVE-2022-36760,
CVE-2006-20001, CVE-2022-31813, CVE-2022-30556, CVE-2022-30522,
CVE-2022-29404, CVE-2022-28615, CVE-2022-28614, CVE-2022-28330,
CVE-2022-26377, CVE-2022-23943, CVE-2022-22721, CVE-2022-22720,
and CVE-2022-22719.
* gnu/packages/web.scm (httpd): Update to 2.4.57.
(httpd/pinned): New variable.
* gnu/packages/gnome.scm (libsoup-minimal): Replace httpd with httpd/pinned.
---
gnu/packages/gnome.scm | 2 +-
gnu/packages/web.scm | 19 +++++++++++++++++--
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 2cb087c987..49c678b2eb 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -5241,7 +5241,7 @@ (define-public libsoup-minimal
vala
curl
gnutls ;for 'certtool'
- httpd))
+ httpd/pinned))
(propagated-inputs
;; libsoup-3.0.pc refers to all of these (except where otherwise noted)
(list brotli
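Review bot: this hunk swaps `httpd` for `httpd/pinned` in libsoup-minimal but, unlike the neko, 389-ds-base and mod-wsgi patches in this series, adds no `#:disallowed-references (list httpd/pinned)` guard, so a stray reference from libsoup-minimal's output to the pinned, potentially vulnerable httpd would not be caught at build time. Since the comment on `httpd/pinned` says it should never be referred to by a built package, consider adding the same guard here (if libsoup-minimal's build system accepts that argument) or saying in the commit message why it is not needed.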
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 6fa3067bbe..c8a1d0123e 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -273,14 +273,14 @@ (define-public qhttp
(define-public httpd
(package
(name "httpd")
- (version "2.4.52")
+ (version "2.4.57")
(source (origin
(method url-fetch)
(uri (string-append "mirror://apache/httpd/httpd-"
version ".tar.bz2"))
(sha256
(base32
- "1jgmfbazc2n9dnl7axhahwppyq25bvbvwx0lqplq76by97fgf9q1"))))
+ "0ajdz5f2w9nbmqydip2mv9m4xlnc4swmw7mqzgnrbq4mxr5bik6v"))))
(build-system gnu-build-system)
(native-inputs (list `(,pcre "bin"))) ;for 'pcre-config'
(inputs (list apr apr-util openssl perl)) ; needed to run bin/apxs
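Review bot: the commit message lists the fixed CVEs but says nothing about how the new hash on the `+ "0ajdz5f2w9nbmqydip2mv9m4xlnc4swmw7mqzgnrbq4mxr5bik6v"` line was obtained. For a security update it is worth recording that the 2.4.57 tarball was checked against the upstream release signature before the hash was taken, so that the pinned hash reflects the signed release rather than whatever a mirror served.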
@@ -305,6 +305,21 @@ (define-public httpd
(license license:asl2.0)
(home-page "https://httpd.apache.org/")))
+;; A package variant that may be out of date and vulnerable. Only for use in
+;; test suites and should never be referred to by a built package.
+(define-public httpd/pinned
+ (hidden-package
+ (package
+ (inherit httpd)
+ (version "2.4.52")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://apache/httpd/httpd-"
+ version ".tar.bz2"))
+ (sha256
+ (base32
+ "1jgmfbazc2n9dnl7axhahwppyq25bvbvwx0lqplq76by97fgf9q1")))))))
+
(define-public mod-wsgi
(package
(name "mod-wsgi")
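Review bot: the comment above `httpd/pinned` states the policy (test suites only, never referenced by a built package) but nothing in the definition enforces it; enforcement depends on every consumer passing `#:disallowed-references (list httpd/pinned)`, as the later patches in this series do. Spell that requirement out in the comment so a future user of the variant knows the guard is expected, and note that the hash on the `+ "1jgmfbazc2n9dnl7axhahwppyq25bvbvwx0lqplq76by97fgf9q1"` line is identical to the line removed in the previous hunk, i.e. the pinned source is exactly the previous 2.4.52 source. Wrapping it in `hidden-package` so it does not show up in `guix search` is the right choice for a variant with known CVEs.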
--
2.39.2
Information forwarded to guix-patches <at> gnu.org: bug#63038; Package guix-patches. (Sun, 23 Apr 2023 17:12:02 GMT)
Message #11 received at 63038 <at> debbugs.gnu.org (full text, mbox):
* guix/build-system/cmake.scm (cmake-build, cmake-cross-build):
Add #:disallowed-references.
---
guix/build-system/cmake.scm | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/guix/build-system/cmake.scm b/guix/build-system/cmake.scm
index 09e3ac85db..ed979b9c6b 100644
--- a/guix/build-system/cmake.scm
+++ b/guix/build-system/cmake.scm
@@ -116,7 +116,8 @@ (define* (cmake-build name inputs
(substitutable? #t)
(imported-modules %cmake-build-system-modules)
(modules '((guix build cmake-build-system)
- (guix build utils))))
+ (guix build utils)))
+ disallowed-references)
"Build SOURCE using CMAKE, and with INPUTS. This assumes that SOURCE
provides a 'CMakeLists.txt' file as its build system."
(define build
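Review bot: the new `disallowed-references` keyword of `cmake-build` is not mentioned in the docstring that follows it (`"Build SOURCE using CMAKE, and with INPUTS. ...`). Add a sentence saying it is a list of packages or store items the build result must not refer to, and that it defaults to `#f` when omitted (the `define*` keyword default), which is what all existing callers rely on.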
@@ -158,6 +159,7 @@ (define build
#:target #f
#:graft? #f
#:substitutable? substitutable?
+ #:disallowed-references disallowed-references
#:guile-for-build guile)))
@@ -193,7 +195,8 @@ (define* (cmake-cross-build name
(build (nix-system->gnu-triplet system))
(imported-modules %cmake-build-system-modules)
(modules '((guix build cmake-build-system)
- (guix build utils))))
+ (guix build utils)))
+ disallowed-references)
"Cross-build NAME using CMAKE for TARGET, where TARGET is a GNU triplet and
with INPUTS. This assumes that SOURCE provides a 'CMakeLists.txt' file as its
build system."
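Review bot: `cmake-cross-build` gains the `disallowed-references` parameter here, but the diffstat (5 insertions) and the hunks shown contain no matching `+ #:disallowed-references disallowed-references` line in the cross-build's derivation call, unlike the `@@ -158,6 +159,7 @@` hunk for `cmake-build`. As written, a package cross-compiled with this option would accept the argument and silently skip the reference check. Thread the argument through the cross-build derivation the same way, or reject it explicitly for cross builds, and update this docstring as well.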
--
2.39.2
Information forwarded to guix-patches <at> gnu.org: bug#63038; Package guix-patches. (Sun, 23 Apr 2023 17:13:02 GMT)
Message #14 received at 63038 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/haxe.scm (neko)[inputs]: Replace httpd with ...
[native-inputs]: ... httpd/pinned.
[arguments]: Forbid keeping a reference to httpd/pinned.
---
gnu/packages/haxe.scm | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/haxe.scm b/gnu/packages/haxe.scm
index dbe8b2c19e..44ba33abd1 100644
--- a/gnu/packages/haxe.scm
+++ b/gnu/packages/haxe.scm
@@ -66,7 +66,8 @@ (define-public neko
(base32 "1xgw646pghsjjbzd8qlaq17vq96swlrazpivrvyrhdj36vb3sci3"))))
(build-system cmake-build-system)
(arguments
- (list #:phases
+ (list #:disallowed-references (list httpd/pinned)
+ #:phases
#~(modify-phases %standard-phases
(add-after 'unpack 'prefix
(lambda _
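Review bot: `#:disallowed-references (list httpd/pinned)` is only understood by `cmake-build-system` once the cmake.scm patch in this series (Message #11) is applied, so the two commits must land in that order; say so in the commit message, since this hunk would otherwise be a build error against an older build system. The guard itself is the right safety net: if neko's installed files ever record the store path of the pinned httpd, the build will now fail instead of shipping a reference to a package with known CVEs.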
@@ -76,7 +77,6 @@ (define-public neko
(inputs (list apr
apr-util
gtk+-2
- httpd
libgc
mbedtls-apache
mysql
@@ -84,7 +84,9 @@ (define-public neko
pcre
sqlite
zlib))
- (native-inputs (list git pkg-config)) ; git for source_archive and applying patch
+ (native-inputs (list httpd/pinned
+ git ; git for source_archive and applying patch
+ pkg-config))
(home-page "https://nekovm.org/")
(synopsis "High-level dynamically typed programming language and virtual
machine")
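Review bot: moving `httpd/pinned` to `native-inputs` means that under cross-compilation it is built for the build machine rather than the target. That is fine for a dependency the pinned package's comment restricts to test suites, but the `apr` and `apr-util` inputs in the `@@ -76,7 +77,6 @@` hunk stay in `inputs`, so if any part of neko's build needs httpd headers or `apxs` for the target, cross builds would break. A one-line note in the commit message on why httpd is only a build-machine need would settle that. Splitting `git ; git for source_archive and applying patch` onto its own line keeps the comment attached to the right entry, which is a readability improvement.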
--
2.39.2
Information forwarded to guix-patches <at> gnu.org: bug#63038; Package guix-patches. (Sun, 23 Apr 2023 17:13:03 GMT)
Message #17 received at 63038 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/openldap.scm (389-ds-base)[inputs]: Replace httpd with ...
[native-inputs]: ... httpd/pinned.
[arguments]: Forbid keeping a reference to httpd/pinned.
---
gnu/packages/openldap.scm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index 3f3015bd80..2d3a6d6274 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -268,6 +268,7 @@ (define-public 389-ds-base
(guix build utils))
#:imported-modules `((guix build python-build-system)
,@%gnu-build-system-modules)
+ #:disallowed-references (list httpd/pinned)
#:configure-flags
#~(list "--enable-cmocka"
(string-append "--with-db="
@@ -357,7 +358,6 @@ (define-public 389-ds-base
cracklib
cyrus-sasl
gnutls
- httpd
icu4c
iproute
json-c
@@ -388,6 +388,7 @@ (define-public 389-ds-base
cmocka
doxygen
gettext-minimal
+ httpd/pinned
libtool
rsync
pkg-config))
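Review bot: the three hunks together do the right thing (drop `httpd` from `inputs`, add `httpd/pinned` to `native-inputs`, add the `#:disallowed-references` guard), and because 389-ds-base uses `%gnu-build-system-modules` (visible in the first hunk's context) no build-system change is needed, unlike neko. What the commit message does not say is why httpd was only ever a test-time dependency for 389-ds-base; given the guard turns any retained reference into a build failure, it would help the reviewer to state that the package was rebuilt with this change and passed. Minor: `httpd/pinned` is inserted in alphabetical position, but `pkg-config` after `rsync` shows the list was not strictly sorted before, so no further reordering is needed here.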
--
2.39.2
Information forwarded to guix-patches <at> gnu.org: bug#63038; Package guix-patches. (Sun, 23 Apr 2023 17:13:03 GMT)
Message #20 received at 63038 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/web.scm (mod-wsgi)[inputs]: Replace httpd with ...
[native-inputs]: ... httpd/pinned.
[arguments]: Forbid keeping a reference to httpd/pinned.
---
gnu/packages/web.scm | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index c8a1d0123e..07b567e0d1 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -335,14 +335,16 @@ (define-public mod-wsgi
"1savh6h3qds20mwn1nqasmqzcp57pdhfc9v4b4k78d6q28y0r17s"))))
(build-system gnu-build-system)
(arguments
- '(#:tests? #f ; TODO: can't figure out if there are tests
+ `(#:disallowed-references (,httpd/pinned)
+ #:tests? #f ; TODO: can't figure out if there are tests
#:make-flags (list
(string-append "DESTDIR="
(assoc-ref %outputs "out"))
"LIBEXECDIR=/modules")))
+ (native-inputs
+ `(("httpd" ,httpd/pinned)))
(inputs
- `(("httpd" ,httpd)
- ("python" ,python-wrapper)))
+ `(("python" ,python-wrapper)))
(synopsis "Apache HTTPD module for Python WSGI applications")
(description
"The mod_wsgi module for the Apache HTTPD Server adds support for running
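Review bot: the commit message says "Forbid keeping a reference to httpd/pinned", but with `#:tests? #f ; TODO` left unchanged in this hunk nothing here exercises httpd in a test suite, so the message should say what `httpd/pinned` is still needed for at build time (compiling the module that is installed under `LIBEXECDIR=/modules`), otherwise the pinned variant's "only for use in test suites" comment looks contradicted. The `#:disallowed-references (,httpd/pinned)` guard is appropriate for exactly that case, since it fails the build if the resulting module records the pinned httpd's store path. Style: `(native-inputs `(("httpd" ,httpd/pinned)))` keeps the labelled-alist form for consistency with the existing `inputs`, which is acceptable, but the rest of this series uses `(list ...)`, so a follow-up could convert both.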
--
2.39.2
Reply sent to Leo Famulari <leo <at> famulari.name>: You have taken responsibility. (Sun, 30 Apr 2023 08:50:02 GMT)
Notification sent to Leo Famulari <leo <at> famulari.name>: bug acknowledged by developer. (Sun, 30 Apr 2023 08:50:02 GMT)
Message #25 received at 63038-done <at> debbugs.gnu.org (full text, mbox):
Pushed as 3b3c7ef1f74d15471da482ca9b3720020c9f85f1
bug archived.
Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 28 May 2023 11:24:04 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.