mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 18:45:54 +02:00
5049433d91
For details see: https://dlcdn.apache.org/httpd/CHANGES_2.4.58 Excerpt from changelog: "Changes with Apache 2.4.58 *) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (cve.mitre.org) When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Will Dormann of Vul Labs *) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0 (cve.mitre.org) An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Prof. Sven Dietrich (City University of New York) *) SECURITY: CVE-2023-31122: mod_macro buffer over-read (cve.mitre.org) Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57. Credits: David Shoon (github/davidshoon)" Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
123 lines
5.4 KiB
Plaintext
123 lines
5.4 KiB
Plaintext
###############################################################################
|
|
# #
|
|
# IPFire.org - A linux based firewall #
|
|
# Copyright (C) 2007-2023 IPFire Team <info@ipfire.org> #
|
|
# #
|
|
# This program is free software: you can redistribute it and/or modify #
|
|
# it under the terms of the GNU General Public License as published by #
|
|
# the Free Software Foundation, either version 3 of the License, or #
|
|
# (at your option) any later version. #
|
|
# #
|
|
# This program is distributed in the hope that it will be useful, #
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
|
|
# GNU General Public License for more details. #
|
|
# #
|
|
# You should have received a copy of the GNU General Public License #
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
|
|
# #
|
|
###############################################################################
|
|
|
|
|
|
###############################################################################
|
|
# Definitions
|
|
###############################################################################
|
|
|
|
include Config
|
|
|
|
VER = 2.4.58
|
|
|
|
THISAPP = httpd-$(VER)
|
|
DL_FILE = $(THISAPP).tar.bz2
|
|
DL_FROM = $(URL_IPFIRE)
|
|
|
|
DIR_APP = $(DIR_SRC)/$(THISAPP)
|
|
|
|
TARGET = $(DIR_INFO)/$(THISAPP)
|
|
|
|
DEPS = aprutil pcre
|
|
|
|
###############################################################################
|
|
# Top-level Rules
|
|
###############################################################################
|
|
|
|
objects = $(DL_FILE)
|
|
|
|
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
|
|
|
|
$(DL_FILE)_BLAKE2 = 2105b8fada99f1dda55201ed89ed5326f0edb078d352cbff44f02cde80d129b65b63e07366a9a744ba474be5687fa8d3d2d8ddc64ac914b47166607f3f4a9de2
|
|
|
|
install : $(TARGET)
|
|
|
|
check : $(patsubst %,$(DIR_CHK)/%,$(objects))
|
|
|
|
download :$(patsubst %,$(DIR_DL)/%,$(objects))
|
|
|
|
b2 : $(subst %,%_BLAKE2,$(objects))
|
|
|
|
###############################################################################
|
|
# Downloading, checking, b2sum
|
|
###############################################################################
|
|
|
|
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
|
|
@$(CHECK)
|
|
|
|
$(patsubst %,$(DIR_DL)/%,$(objects)) :
|
|
@$(LOAD)
|
|
|
|
$(subst %,%_BLAKE2,$(objects)) :
|
|
@$(B2SUM)
|
|
|
|
###############################################################################
|
|
# Installation Details
|
|
###############################################################################
|
|
|
|
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
|
|
@$(PREBUILD)
|
|
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
|
|
### Add IPFire's layout, too
|
|
echo "# IPFire layout" >> $(DIR_APP)/config.layout
|
|
echo "<Layout IPFire>" >> $(DIR_APP)/config.layout
|
|
echo " prefix: /usr" >> $(DIR_APP)/config.layout
|
|
echo " exec_prefix: /usr" >> $(DIR_APP)/config.layout
|
|
echo " bindir: /usr/bin" >> $(DIR_APP)/config.layout
|
|
echo " sbindir: /usr/sbin" >> $(DIR_APP)/config.layout
|
|
echo " libdir: /usr/lib" >> $(DIR_APP)/config.layout
|
|
echo " libexecdir: /usr/lib/apache" >> $(DIR_APP)/config.layout
|
|
echo " mandir: /usr/share/man" >> $(DIR_APP)/config.layout
|
|
echo " sysconfdir: /etc/httpd/conf" >> $(DIR_APP)/config.layout
|
|
echo " datadir: /srv/web/ipfire" >> $(DIR_APP)/config.layout
|
|
echo " installbuilddir: /usr/lib/apache/build" >> $(DIR_APP)/config.layout
|
|
echo " errordir: /srv/web/ipfire/error" >> $(DIR_APP)/config.layout
|
|
echo " iconsdir: /srv/web/ipfire/icons" >> $(DIR_APP)/config.layout
|
|
echo " htdocsdir: /srv/web/ipfire/htdocs" >> $(DIR_APP)/config.layout
|
|
echo " manualdir: /srv/web/ipfire/manual" >> $(DIR_APP)/config.layout
|
|
echo " cgidir: /srv/web/ipfire/cgi-bin" >> $(DIR_APP)/config.layout
|
|
echo " includedir: /usr/include/apache" >> $(DIR_APP)/config.layout
|
|
echo " localstatedir: /srv/web/ipfire" >> $(DIR_APP)/config.layout
|
|
echo " runtimedir: /var/run" >> $(DIR_APP)/config.layout
|
|
echo " logfiledir: /var/log/httpd" >> $(DIR_APP)/config.layout
|
|
echo " proxycachedir: /var/cache/apache/proxy" >> $(DIR_APP)/config.layout
|
|
echo "</Layout>" >> $(DIR_APP)/config.layout
|
|
|
|
cd $(DIR_APP) && ./configure --enable-layout=IPFire \
|
|
--enable-ssl --enable-mods-shared=all --enable-proxy --with-mpm=event --disable-lua --disable-md
|
|
cd $(DIR_APP) && make $(MAKETUNING)
|
|
cd $(DIR_APP) && make install
|
|
chown -v root:root /usr/lib/apache/httpd.exp \
|
|
/usr/bin/{apxs,dbmmanage} \
|
|
/usr/sbin/apachectl \
|
|
/usr/share/man/man1/{ab,apxs,dbmmanage,ht{dbm,digest,passwd,txt2dbm},logresolve}.1 \
|
|
/usr/share/man/man8/{apachectl,htcacheclean,httpd}.8 \
|
|
/usr/share/man/man8/{rotatelogs,suexec}.8
|
|
|
|
# Install apache config
|
|
cp -rf $(DIR_CONF)/httpd/* /etc/httpd/conf
|
|
touch /etc/httpd/conf/hostname.conf
|
|
|
|
# Create captive logging directory
|
|
-mkdir -pv /var/log/httpd/captive
|
|
|
|
@rm -rf $(DIR_APP)
|
|
@$(POSTBUILD)
|