From patchwork Wed Oct 6 01:05:16 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leo Famulari X-Patchwork-Id: 33635 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 2983F27BBE3; Wed, 6 Oct 2021 02:06:17 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,T_DKIM_INVALID, URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.2 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id CF81727BBE1 for ; Wed, 6 Oct 2021 02:06:16 +0100 (BST) Received: from localhost ([::1]:47506 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mXvNv-0005HH-KT for patchwork@mira.cbaines.net; Tue, 05 Oct 2021 21:06:15 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:48624) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mXvNj-0005Gt-Tb for guix-patches@gnu.org; Tue, 05 Oct 2021 21:06:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:58844) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1mXvNi-0002tJ-Kz for guix-patches@gnu.org; Tue, 05 Oct 2021 21:06:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1mXvNi-0006Yt-D9 for guix-patches@gnu.org; Tue, 05 Oct 2021 21:06:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#51050] [PATCH] gnu: Apache httpd: Update to 2.4.50 [Fixes CVE-2021-{41524, 41773}]. Resent-From: Leo Famulari Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 06 Oct 2021 01:06:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 51050 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 51050@debbugs.gnu.org X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.163348233525187 (code B ref -1); Wed, 06 Oct 2021 01:06:02 +0000 Received: (at submit) by debbugs.gnu.org; 6 Oct 2021 01:05:35 +0000 Received: from localhost ([127.0.0.1]:42157 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mXvNH-0006YB-Mi for submit@debbugs.gnu.org; Tue, 05 Oct 2021 21:05:35 -0400 Received: from lists.gnu.org ([209.51.188.17]:50882) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mXvNG-0006Y3-3f for submit@debbugs.gnu.org; Tue, 05 Oct 2021 21:05:34 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:48544) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mXvND-0005F2-Ik for guix-patches@gnu.org; Tue, 05 Oct 2021 21:05:33 -0400 Received: from wout5-smtp.messagingengine.com ([64.147.123.21]:49203) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mXvN9-0002HV-Iv for guix-patches@gnu.org; Tue, 05 Oct 2021 21:05:31 -0400 Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id 721D93201D2F; Tue, 5 Oct 2021 21:05:20 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute6.internal (MEProxy); Tue, 05 Oct 2021 21:05:20 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=from:to:subject:date:message-id:mime-version :content-transfer-encoding; s=mesmtp; bh=xon4ks8p1pdh13d79bdMvMX 9VE3qqcHiU7KLKAeZaWc=; b=BakvTkhoovGQxluxsKXzty6T0lYzhBO3d279kl0 4Z9DLoqWHcvcY95iFHPq/Hj4irP04XfryzH4SjJdAdwVD0XDHeOXnMVjjmOKlcPQ ZWbo6xDV1pDcxJfolNzhQXh7IdRMF75H8hSdZqj8aESh3T8w0iwxQ74+lqpm+gJ2 /wr8= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:date:from :message-id:mime-version:subject:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=xon4ks8p1pdh13d79 bdMvMX9VE3qqcHiU7KLKAeZaWc=; b=hpv/fh+B7iO1LLrFMRxqqB/j0awlyBDpw c8IA+e0jK+qEqFGBHxWsFpD4EFouj6T59mUPpLBqG0hhQujUb5oCMkLhLKIX1NFB RY6EdF4+sAyRFR7e1MQI2QvQn9q0p0lv85iHE2k9jUbYwQkOCzr9tXnpyMez850p fKg8D3ytIJoyboFxgvSb6uxr7PByj/KDA3JYWcPdEuZ1CiA/asQzPDayy75emMfa SA7DTdUoohp8BYCW3zsOh7h8p6Slz2xC3FQYlBiPKIe3pKtROdNchbI6mBrVeZ06 rkPkz4E70xf6Pyj1Eoe51McugOaImMWGB+hoi6vOezd7RBcS2c9rQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrudelhedggedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefhvffufffkofgggfestdekredtre dttdenucfhrhhomhepnfgvohcuhfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgrrhhi rdhnrghmvgeqnecuggftrfgrthhtvghrnhepgfetveduueehgeejkeekffeljeffkefgue ffteehveettddvhfeileelieegjefgnecuffhomhgrihhnpegrphgrtghhvgdrohhrghen ucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlvghose hfrghmuhhlrghrihdrnhgrmhgv X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA for ; Tue, 5 Oct 2021 21:05:19 -0400 (EDT) From: Leo Famulari Date: Tue, 5 Oct 2021 21:05:16 -0400 Message-Id: X-Mailer: git-send-email 2.33.0 MIME-Version: 1.0 Received-SPF: pass client-ip=64.147.123.21; envelope-from=leo@famulari.name; helo=wout5-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" X-getmail-retrieved-from-mailbox: Patches This update includes an important fix for an actively exploited path traversal vulnerability (CVE-2021-41773), which allows attackers to access files outside the "document root": https://httpd.apache.org/security/vulnerabilities_24.html * gnu/packages/web.scm (httpd): Update to 2.4.50. --- gnu/packages/web.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index 0ea362c452..5819973c66 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -252,14 +252,14 @@ (define-public httpd (package (name "httpd") - (version "2.4.49") + (version "2.4.50") (source (origin (method url-fetch) (uri (string-append "mirror://apache/httpd/httpd-" version ".tar.bz2")) (sha256 (base32 - "0fqkfjcpdd40ji2279wfxh5hddb5jdxlnpjr0sbhva8fi7b6bfb5")))) + "03w9nc7v0rqljxazikbrlgbw7lq72i8n7n9ynlp6h1n6f301fa3a")))) (build-system gnu-build-system) (native-inputs `(("pcre" ,pcre "bin"))) ;for 'pcre-config' (inputs `(("apr" ,apr)