* [bug#63038] Apache HTTPD security update 2.4.57
From: Leo Famulari @ 2023-04-23 17:09 UTC
To: 63038

Here are patches to update HTTPD to the latest upstream release, 2.4.57.

These patches also remove a bunch of spurious dependencies on the primary httpd package by creating a pinned variant. With these changes, we'll be able to update HTTPD freely without triggering thousands of rebuilds.
* [bug#63038] [PATCH 1/5] gnu: httpd: Update to 2.4.57 [security fixes]. 2023-04-23 17:09 [bug#63038] Apache HTTPD security update 2.4.57 Leo Famulari @ 2023-04-23 17:11 ` Leo Famulari 2023-04-23 17:11 ` [bug#63038] [PATCH 2/5] build-system/cmake: Add support for the #:disallowed-references key Leo Famulari ` (3 more replies) 2023-04-30 8:49 ` bug#63038: Apache HTTPD security update 2.4.57 Leo Famulari 1 sibling, 4 replies; 7+ messages in thread From: Leo Famulari @ 2023-04-23 17:11 UTC (permalink / raw) To: 63038 Fixes CVE-2023-27522, CVE-2023-25690, CVE-2022-37436, CVE-2022-36760, CVE-2006-20001, CVE-2022-31813, CVE-2022-30556, CVE-2022-30522, CVE-2022-29404, CVE-2022-28615, CVE-2022-28614, CVE-2022-28330, CVE-2022-26377, CVE-2022-23943, CVE-2022-22721, CVE-2022-22720, and CVE-2022-22719. * gnu/packages/web.scm (httpd): Update to 2.4.57. (httpd/pinned): New variable. * gnu/packages/gnome.scm (libsoup-minimal): Replace httpd with httpd/pinned. --- gnu/packages/gnome.scm | 2 +- gnu/packages/web.scm | 19 +++++++++++++++++-- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 2cb087c987..49c678b2eb 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -5241,7 +5241,7 @@ (define-public libsoup-minimal vala curl gnutls ;for 'certtool' - httpd)) + httpd/pinned)) (propagated-inputs ;; libsoup-3.0.pc refers to all of these (except where otherwise noted) (list brotli diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index 6fa3067bbe..c8a1d0123e 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm 
@@ -273,14 +273,14 @@ (define-public qhttp (define-public httpd (package (name "httpd") - (version "2.4.52") + (version "2.4.57") (source (origin (method url-fetch) (uri (string-append "mirror://apache/httpd/httpd-" version ".tar.bz2")) (sha256 (base32 - "1jgmfbazc2n9dnl7axhahwppyq25bvbvwx0lqplq76by97fgf9q1")))) + "0ajdz5f2w9nbmqydip2mv9m4xlnc4swmw7mqzgnrbq4mxr5bik6v")))) (build-system gnu-build-system) (native-inputs (list `(,pcre "bin"))) ;for 'pcre-config' (inputs (list apr apr-util openssl perl)) ; needed to run bin/apxs @@ -305,6 +305,21 @@ (define-public httpd (license license:asl2.0) (home-page "https://httpd.apache.org/"))) +;; A package variant that may be out of date and vulnerable. Only for use in +;; test suites and should never be referred to by a built package. +(define-public httpd/pinned + (hidden-package + (package + (inherit httpd) + (version "2.4.52") + (source (origin + (method url-fetch) + (uri (string-append "mirror://apache/httpd/httpd-" + version ".tar.bz2")) + (sha256 + (base32 + "1jgmfbazc2n9dnl7axhahwppyq25bvbvwx0lqplq76by97fgf9q1"))))))) + (define-public mod-wsgi (package (name "mod-wsgi") -- 2.39.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
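Review bot: In the gnu/packages/gnome.scm hunk, libsoup-minimal switches to httpd/pinned but gains no #:disallowed-references entry, so nothing enforces the rule stated in the new web.scm comment ("should never be referred to by a built package") for this package. Patches 3/5 to 5/5 add that guard for neko, 389-ds-base and mod-wsgi; consider adding `#:disallowed-references (list httpd/pinned)` to libsoup-minimal's arguments as well, if its build system accepts the key.

Review bot: In the httpd/pinned hunk of gnu/packages/web.scm, the comment says the variant "may be out of date and vulnerable" without saying what it lacks or why it exists. Since it stays at 2.4.52, it is missing the fixes listed in this commit message; stating that the pin exists to avoid rebuilding dependents, and that users are expected to pair it with #:disallowed-references, would help the next person who touches it.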
* [bug#63038] [PATCH 2/5] build-system/cmake: Add support for the #:disallowed-references key. 2023-04-23 17:11 ` [bug#63038] [PATCH 1/5] gnu: httpd: Update to 2.4.57 [security fixes] Leo Famulari @ 2023-04-23 17:11 ` Leo Famulari 2023-04-23 17:11 ` [bug#63038] [PATCH 3/5] gnu: neko: Build with httpd/pinned Leo Famulari ` (2 subsequent siblings) 3 siblings, 0 replies; 7+ messages in thread From: Leo Famulari @ 2023-04-23 17:11 UTC (permalink / raw) To: 63038 * guix/build-system/cmake.scm (cmake-build, cmake-cross-build): Add #:disallowed-references. --- guix/build-system/cmake.scm | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/guix/build-system/cmake.scm b/guix/build-system/cmake.scm index 09e3ac85db..ed979b9c6b 100644 --- a/guix/build-system/cmake.scm +++ b/guix/build-system/cmake.scm @@ -116,7 +116,8 @@ (define* (cmake-build name inputs (substitutable? #t) (imported-modules %cmake-build-system-modules) (modules '((guix build cmake-build-system) - (guix build utils)))) + (guix build utils))) + disallowed-references) "Build SOURCE using CMAKE, and with INPUTS. This assumes that SOURCE provides a 'CMakeLists.txt' file as its build system." (define build @@ -158,6 +159,7 @@ (define build #:target #f #:graft? #f #:substitutable? substitutable? + #:disallowed-references disallowed-references #:guile-for-build guile))) \f @@ -193,7 +195,8 @@ (define* (cmake-cross-build name (build (nix-system->gnu-triplet system)) (imported-modules %cmake-build-system-modules) (modules '((guix build cmake-build-system) - (guix build utils)))) + (guix build utils))) + disallowed-references) "Cross-build NAME using CMAKE for TARGET, where TARGET is a GNU triplet and with INPUTS. This assumes that SOURCE provides a 'CMakeLists.txt' file as its build system." -- 2.39.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
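Review bot: In the cmake-cross-build hunk, disallowed-references is added to the keyword parameters, but no line in this patch forwards it, whereas cmake-build gains `#:disallowed-references disallowed-references` in its second hunk. As posted, a cross-build would accept the key and not apply it; add the same pass-through to the corresponding call in cmake-cross-build. Neither docstring mentions the new key.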
* [bug#63038] [PATCH 3/5] gnu: neko: Build with httpd/pinned. 2023-04-23 17:11 ` [bug#63038] [PATCH 1/5] gnu: httpd: Update to 2.4.57 [security fixes] Leo Famulari 2023-04-23 17:11 ` [bug#63038] [PATCH 2/5] build-system/cmake: Add support for the #:disallowed-references key Leo Famulari @ 2023-04-23 17:11 ` Leo Famulari 2023-04-23 17:11 ` [bug#63038] [PATCH 4/5] gnu: 389-ds-base: " Leo Famulari 2023-04-23 17:11 ` [bug#63038] [PATCH 5/5] gnu: mod-wsgi: " Leo Famulari 3 siblings, 0 replies; 7+ messages in thread From: Leo Famulari @ 2023-04-23 17:11 UTC (permalink / raw) To: 63038 * gnu/packages/haxe.scm (neko)[inputs]: Replace httpd with ... [native-inputs]: ... httpd/pinned. [arguments]: Forbid keeping a reference to httpd/pinned. --- gnu/packages/haxe.scm | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/gnu/packages/haxe.scm b/gnu/packages/haxe.scm index dbe8b2c19e..44ba33abd1 100644 --- a/gnu/packages/haxe.scm +++ b/gnu/packages/haxe.scm @@ -66,7 +66,8 @@ (define-public neko (base32 "1xgw646pghsjjbzd8qlaq17vq96swlrazpivrvyrhdj36vb3sci3")))) (build-system cmake-build-system) (arguments - (list #:phases + (list #:disallowed-references (list httpd/pinned) + #:phases #~(modify-phases %standard-phases (add-after 'unpack 'prefix (lambda _ @@ -76,7 +77,6 @@ (define-public neko (inputs (list apr apr-util gtk+-2 - httpd libgc mbedtls-apache mysql @@ -84,7 +84,9 @@ (define-public neko pcre sqlite zlib)) - (native-inputs (list git pkg-config)) ; git for source_archive and applying patch + (native-inputs (list httpd/pinned + git ; git for source_archive and applying patch + pkg-config)) (home-page "https://nekovm.org/") (synopsis "High-level dynamically typed programming language and virtual machine") -- 2.39.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
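Review bot: The `#:disallowed-references (list httpd/pinned)` line in the arguments hunk relies on cmake-build-system, and patch 2/5 only forwards that key in cmake-build, so this guard would not take effect when neko is cross-built. Separately, in the native-inputs hunk git keeps its explanatory comment while httpd/pinned gets none; a short comment saying it is a deliberately pinned, build-time-only copy would stop someone from moving it back to inputs.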
* [bug#63038] [PATCH 4/5] gnu: 389-ds-base: Build with httpd/pinned. 2023-04-23 17:11 ` [bug#63038] [PATCH 1/5] gnu: httpd: Update to 2.4.57 [security fixes] Leo Famulari 2023-04-23 17:11 ` [bug#63038] [PATCH 2/5] build-system/cmake: Add support for the #:disallowed-references key Leo Famulari 2023-04-23 17:11 ` [bug#63038] [PATCH 3/5] gnu: neko: Build with httpd/pinned Leo Famulari @ 2023-04-23 17:11 ` Leo Famulari 2023-04-23 17:11 ` [bug#63038] [PATCH 5/5] gnu: mod-wsgi: " Leo Famulari 3 siblings, 0 replies; 7+ messages in thread From: Leo Famulari @ 2023-04-23 17:11 UTC (permalink / raw) To: 63038 * gnu/packages/openldap.scm (389-ds-base)[inputs]: Replace httpd with ... [native-inputs]: ... httpd/pinned. [arguments]: Forbid keeping a reference to httpd/pinned. --- gnu/packages/openldap.scm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm index 3f3015bd80..2d3a6d6274 100644 --- a/gnu/packages/openldap.scm +++ b/gnu/packages/openldap.scm @@ -268,6 +268,7 @@ (define-public 389-ds-base (guix build utils)) #:imported-modules `((guix build python-build-system) ,@%gnu-build-system-modules) + #:disallowed-references (list httpd/pinned) #:configure-flags #~(list "--enable-cmocka" (string-append "--with-db=" @@ -357,7 +358,6 @@ (define-public 389-ds-base cracklib cyrus-sasl gnutls - httpd icu4c iproute json-c @@ -388,6 +388,7 @@ (define-public 389-ds-base cmocka doxygen gettext-minimal + httpd/pinned libtool rsync pkg-config)) -- 2.39.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
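Review bot: In the native-inputs hunk, httpd/pinned is added with nothing saying what 389-ds-base uses it for, while the definition in patch 1/5 describes the variant as "Only for use in test suites". If httpd is needed here only for the test suite, say so in a comment next to the entry; if it is used for something else at build time, the comment on httpd/pinned should be widened to match.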
* [bug#63038] [PATCH 5/5] gnu: mod-wsgi: Build with httpd/pinned. 2023-04-23 17:11 ` [bug#63038] [PATCH 1/5] gnu: httpd: Update to 2.4.57 [security fixes] Leo Famulari ` (2 preceding siblings ...) 2023-04-23 17:11 ` [bug#63038] [PATCH 4/5] gnu: 389-ds-base: " Leo Famulari @ 2023-04-23 17:11 ` Leo Famulari 3 siblings, 0 replies; 7+ messages in thread From: Leo Famulari @ 2023-04-23 17:11 UTC (permalink / raw) To: 63038 * gnu/packages/web.scm (mod-wsgi)[inputs]: Replace httpd with ... [native-inputs]: ... httpd/pinned. [arguments]: Forbid keeping a reference to httpd/pinned. --- gnu/packages/web.scm | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index c8a1d0123e..07b567e0d1 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -335,14 +335,16 @@ (define-public mod-wsgi "1savh6h3qds20mwn1nqasmqzcp57pdhfc9v4b4k78d6q28y0r17s")))) (build-system gnu-build-system) (arguments - '(#:tests? #f ; TODO: can't figure out if there are tests + `(#:disallowed-references (,httpd/pinned) + #:tests? #f ; TODO: can't figure out if there are tests #:make-flags (list (string-append "DESTDIR=" (assoc-ref %outputs "out")) "LIBEXECDIR=/modules"))) + (native-inputs + `(("httpd" ,httpd/pinned))) (inputs - `(("httpd" ,httpd) - ("python" ,python-wrapper))) + `(("python" ,python-wrapper))) (synopsis "Apache HTTPD module for Python WSGI applications") (description "The mod_wsgi module for the Apache HTTPD Server adds support for running -- 2.39.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
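Review bot: In the native-inputs hunk, mod-wsgi, whose synopsis is "Apache HTTPD module for Python WSGI applications", is now built against httpd/pinned at 2.4.52, which does not match the httpd/pinned comment from patch 1/5 ("Only for use in test suites"). Please state in a comment why building the module against the pinned release is acceptable for loading into the updated httpd, or adjust the httpd/pinned comment. The switch from quote to quasiquote on the arguments list is needed for the unquoted httpd/pinned and looks right.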
* bug#63038: Apache HTTPD security update 2.4.57
From: Leo Famulari @ 2023-04-30 8:49 UTC
To: 63038-done

Pushed as 3b3c7ef1f74d15471da482ca9b3720020c9f85f1