* [bug#63038] Apache HTTPD security update 2.4.57
@ 2023-04-23 17:09 Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 1/5] gnu: httpd: Update to 2.4.57 [security fixes] Leo Famulari
2023-04-30 8:49 ` bug#63038: Apache HTTPD security update 2.4.57 Leo Famulari
0 siblings, 2 replies; 7+ messages in thread
From: Leo Famulari @ 2023-04-23 17:09 UTC (permalink / raw)
To: 63038
Here are patches to update HTTPD to the latest upstream release, 2.4.57.
These patches also remove a bunch of spurious dependencies on the
primary httpd package by creating a pinned variant. With these changes,
we'll be able to update HTTPD freely without triggering thousands of
rebuilds.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [bug#63038] [PATCH 1/5] gnu: httpd: Update to 2.4.57 [security fixes].
2023-04-23 17:09 [bug#63038] Apache HTTPD security update 2.4.57 Leo Famulari
@ 2023-04-23 17:11 ` Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 2/5] build-system/cmake: Add support for the #:disallowed-references key Leo Famulari
` (3 more replies)
2023-04-30 8:49 ` bug#63038: Apache HTTPD security update 2.4.57 Leo Famulari
1 sibling, 4 replies; 7+ messages in thread
From: Leo Famulari @ 2023-04-23 17:11 UTC (permalink / raw)
To: 63038
Fixes CVE-2023-27522, CVE-2023-25690, CVE-2022-37436, CVE-2022-36760,
CVE-2006-20001, CVE-2022-31813, CVE-2022-30556, CVE-2022-30522,
CVE-2022-29404, CVE-2022-28615, CVE-2022-28614, CVE-2022-28330,
CVE-2022-26377, CVE-2022-23943, CVE-2022-22721, CVE-2022-22720,
and CVE-2022-22719.
* gnu/packages/web.scm (httpd): Update to 2.4.57.
(httpd/pinned): New variable.
* gnu/packages/gnome.scm (libsoup-minimal): Replace httpd with httpd/pinned.
---
gnu/packages/gnome.scm | 2 +-
gnu/packages/web.scm | 19 +++++++++++++++++--
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 2cb087c987..49c678b2eb 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -5241,7 +5241,7 @@ (define-public libsoup-minimal
vala
curl
gnutls ;for 'certtool'
- httpd))
+ httpd/pinned))
(propagated-inputs
;; libsoup-3.0.pc refers to all of these (except where otherwise noted)
(list brotli
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 6fa3067bbe..c8a1d0123e 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -273,14 +273,14 @@ (define-public qhttp
(define-public httpd
(package
(name "httpd")
- (version "2.4.52")
+ (version "2.4.57")
(source (origin
(method url-fetch)
(uri (string-append "mirror://apache/httpd/httpd-"
version ".tar.bz2"))
(sha256
(base32
- "1jgmfbazc2n9dnl7axhahwppyq25bvbvwx0lqplq76by97fgf9q1"))))
+ "0ajdz5f2w9nbmqydip2mv9m4xlnc4swmw7mqzgnrbq4mxr5bik6v"))))
(build-system gnu-build-system)
(native-inputs (list `(,pcre "bin"))) ;for 'pcre-config'
(inputs (list apr apr-util openssl perl)) ; needed to run bin/apxs
@@ -305,6 +305,21 @@ (define-public httpd
(license license:asl2.0)
(home-page "https://httpd.apache.org/")))
+;; A package variant that may be out of date and vulnerable. Only for use in
+;; test suites and should never be referred to by a built package.
+(define-public httpd/pinned
+ (hidden-package
+ (package
+ (inherit httpd)
+ (version "2.4.52")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://apache/httpd/httpd-"
+ version ".tar.bz2"))
+ (sha256
+ (base32
+ "1jgmfbazc2n9dnl7axhahwppyq25bvbvwx0lqplq76by97fgf9q1")))))))
+
(define-public mod-wsgi
(package
(name "mod-wsgi")
--
2.39.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [bug#63038] [PATCH 2/5] build-system/cmake: Add support for the #:disallowed-references key.
2023-04-23 17:11 ` [bug#63038] [PATCH 1/5] gnu: httpd: Update to 2.4.57 [security fixes] Leo Famulari
@ 2023-04-23 17:11 ` Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 3/5] gnu: neko: Build with httpd/pinned Leo Famulari
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: Leo Famulari @ 2023-04-23 17:11 UTC (permalink / raw)
To: 63038
* guix/build-system/cmake.scm (cmake-build, cmake-cross-build):
Add #:disallowed-references.
---
guix/build-system/cmake.scm | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/guix/build-system/cmake.scm b/guix/build-system/cmake.scm
index 09e3ac85db..ed979b9c6b 100644
--- a/guix/build-system/cmake.scm
+++ b/guix/build-system/cmake.scm
@@ -116,7 +116,8 @@ (define* (cmake-build name inputs
(substitutable? #t)
(imported-modules %cmake-build-system-modules)
(modules '((guix build cmake-build-system)
- (guix build utils))))
+ (guix build utils)))
+ disallowed-references)
"Build SOURCE using CMAKE, and with INPUTS. This assumes that SOURCE
provides a 'CMakeLists.txt' file as its build system."
(define build
@@ -158,6 +159,7 @@ (define build
#:target #f
#:graft? #f
#:substitutable? substitutable?
+ #:disallowed-references disallowed-references
#:guile-for-build guile)))
\f
@@ -193,7 +195,8 @@ (define* (cmake-cross-build name
(build (nix-system->gnu-triplet system))
(imported-modules %cmake-build-system-modules)
(modules '((guix build cmake-build-system)
- (guix build utils))))
+ (guix build utils)))
+ disallowed-references)
"Cross-build NAME using CMAKE for TARGET, where TARGET is a GNU triplet and
with INPUTS. This assumes that SOURCE provides a 'CMakeLists.txt' file as its
build system."
--
2.39.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [bug#63038] [PATCH 3/5] gnu: neko: Build with httpd/pinned.
2023-04-23 17:11 ` [bug#63038] [PATCH 1/5] gnu: httpd: Update to 2.4.57 [security fixes] Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 2/5] build-system/cmake: Add support for the #:disallowed-references key Leo Famulari
@ 2023-04-23 17:11 ` Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 4/5] gnu: 389-ds-base: " Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 5/5] gnu: mod-wsgi: " Leo Famulari
3 siblings, 0 replies; 7+ messages in thread
From: Leo Famulari @ 2023-04-23 17:11 UTC (permalink / raw)
To: 63038
* gnu/packages/haxe.scm (neko)[inputs]: Replace httpd with ...
[native-inputs]: ... httpd/pinned.
[arguments]: Forbid keeping a reference to httpd/pinned.
---
gnu/packages/haxe.scm | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/haxe.scm b/gnu/packages/haxe.scm
index dbe8b2c19e..44ba33abd1 100644
--- a/gnu/packages/haxe.scm
+++ b/gnu/packages/haxe.scm
@@ -66,7 +66,8 @@ (define-public neko
(base32 "1xgw646pghsjjbzd8qlaq17vq96swlrazpivrvyrhdj36vb3sci3"))))
(build-system cmake-build-system)
(arguments
- (list #:phases
+ (list #:disallowed-references (list httpd/pinned)
+ #:phases
#~(modify-phases %standard-phases
(add-after 'unpack 'prefix
(lambda _
@@ -76,7 +77,6 @@ (define-public neko
(inputs (list apr
apr-util
gtk+-2
- httpd
libgc
mbedtls-apache
mysql
@@ -84,7 +84,9 @@ (define-public neko
pcre
sqlite
zlib))
- (native-inputs (list git pkg-config)) ; git for source_archive and applying patch
+ (native-inputs (list httpd/pinned
+ git ; git for source_archive and applying patch
+ pkg-config))
(home-page "https://nekovm.org/")
(synopsis "High-level dynamically typed programming language and virtual
machine")
--
2.39.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [bug#63038] [PATCH 4/5] gnu: 389-ds-base: Build with httpd/pinned.
2023-04-23 17:11 ` [bug#63038] [PATCH 1/5] gnu: httpd: Update to 2.4.57 [security fixes] Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 2/5] build-system/cmake: Add support for the #:disallowed-references key Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 3/5] gnu: neko: Build with httpd/pinned Leo Famulari
@ 2023-04-23 17:11 ` Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 5/5] gnu: mod-wsgi: " Leo Famulari
3 siblings, 0 replies; 7+ messages in thread
From: Leo Famulari @ 2023-04-23 17:11 UTC (permalink / raw)
To: 63038
* gnu/packages/openldap.scm (389-ds-base)[inputs]: Replace httpd with ...
[native-inputs]: ... httpd/pinned.
[arguments]: Forbid keeping a reference to httpd/pinned.
---
gnu/packages/openldap.scm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index 3f3015bd80..2d3a6d6274 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -268,6 +268,7 @@ (define-public 389-ds-base
(guix build utils))
#:imported-modules `((guix build python-build-system)
,@%gnu-build-system-modules)
+ #:disallowed-references (list httpd/pinned)
#:configure-flags
#~(list "--enable-cmocka"
(string-append "--with-db="
@@ -357,7 +358,6 @@ (define-public 389-ds-base
cracklib
cyrus-sasl
gnutls
- httpd
icu4c
iproute
json-c
@@ -388,6 +388,7 @@ (define-public 389-ds-base
cmocka
doxygen
gettext-minimal
+ httpd/pinned
libtool
rsync
pkg-config))
--
2.39.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [bug#63038] [PATCH 5/5] gnu: mod-wsgi: Build with httpd/pinned.
2023-04-23 17:11 ` [bug#63038] [PATCH 1/5] gnu: httpd: Update to 2.4.57 [security fixes] Leo Famulari
` (2 preceding siblings ...)
2023-04-23 17:11 ` [bug#63038] [PATCH 4/5] gnu: 389-ds-base: " Leo Famulari
@ 2023-04-23 17:11 ` Leo Famulari
3 siblings, 0 replies; 7+ messages in thread
From: Leo Famulari @ 2023-04-23 17:11 UTC (permalink / raw)
To: 63038
* gnu/packages/web.scm (mod-wsgi)[inputs]: Replace httpd with ...
[native-inputs]: ... httpd/pinned.
[arguments]: Forbid keeping a reference to httpd/pinned.
---
gnu/packages/web.scm | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index c8a1d0123e..07b567e0d1 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -335,14 +335,16 @@ (define-public mod-wsgi
"1savh6h3qds20mwn1nqasmqzcp57pdhfc9v4b4k78d6q28y0r17s"))))
(build-system gnu-build-system)
(arguments
- '(#:tests? #f ; TODO: can't figure out if there are tests
+ `(#:disallowed-references (,httpd/pinned)
+ #:tests? #f ; TODO: can't figure out if there are tests
#:make-flags (list
(string-append "DESTDIR="
(assoc-ref %outputs "out"))
"LIBEXECDIR=/modules")))
+ (native-inputs
+ `(("httpd" ,httpd/pinned)))
(inputs
- `(("httpd" ,httpd)
- ("python" ,python-wrapper)))
+ `(("python" ,python-wrapper)))
(synopsis "Apache HTTPD module for Python WSGI applications")
(description
"The mod_wsgi module for the Apache HTTPD Server adds support for running
--
2.39.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* bug#63038: Apache HTTPD security update 2.4.57
2023-04-23 17:09 [bug#63038] Apache HTTPD security update 2.4.57 Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 1/5] gnu: httpd: Update to 2.4.57 [security fixes] Leo Famulari
@ 2023-04-30 8:49 ` Leo Famulari
1 sibling, 0 replies; 7+ messages in thread
From: Leo Famulari @ 2023-04-30 8:49 UTC (permalink / raw)
To: 63038-done
Pushed as 3b3c7ef1f74d15471da482ca9b3720020c9f85f1
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2023-04-30 8:50 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-04-23 17:09 [bug#63038] Apache HTTPD security update 2.4.57 Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 1/5] gnu: httpd: Update to 2.4.57 [security fixes] Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 2/5] build-system/cmake: Add support for the #:disallowed-references key Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 3/5] gnu: neko: Build with httpd/pinned Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 4/5] gnu: 389-ds-base: " Leo Famulari
2023-04-23 17:11 ` [bug#63038] [PATCH 5/5] gnu: mod-wsgi: " Leo Famulari
2023-04-30 8:49 ` bug#63038: Apache HTTPD security update 2.4.57 Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).