The https://www.hiawatha-webserver.org/ site is defunct. So move SRC_URI to use
https://hiawatha.leisink.net/ instead. Update to 11.0 while we are here.
Changelog: https://hiawatha.leisink.net/changelog
mbed TLS updated to 3.0.0.
Dropped support for TLSv1.0 and TLSv1.1. Configuration option MinTLSversion removed.
Dropped support for HTTP Public Key Pinning (HPKP). Configuration option PublicKeyPins removed.
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Set pam module path to ${base_libdir}/security as this is the default
path in libpam.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This CVE is officially disputed by Redhat with official statement in
https://nvd.nist.gov/vuln/detail/CVE-2007-0086
Red Hat does not consider this issue to be a security vulnerability.
The pottential attacker has to send acknowledgement packets periodically
to make server generate traffic. Exactly the same effect could be
achieved by simply downloading the file. The statement that setting the
TCP window size to arbitrarily high value would permit the attacker to
disconnect and stop sending ACKs is false, because Red Hat Enterprise
Linux limits the size of the TCP send buffer to 4MB by default.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is gentoo specific CVE.
NVD tracks this as version-less CVE.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
These were not updated on recipe upgrade.
To make maintenance easier, remove exact versions.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
These CVEs are specific to Debian and MAC OS X respectively.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Added a PACKAGECONFIG to select the version of the WebUI to be installed.
When not set, all versions (v0, v1 and v2) will be installed. What is the
default of Netdata.
Enabling only the v1 version makes the package 25% smaller.
More info: https://github.com/netdata/netdata/issues/15640#issuecomment-1946041083
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* 0001-Add-check-for-64bit-builtin-atomics.patch applied upstream
* removed not longer used systemd service file
The service of the netdata is used in previous commit(s)
* oelint_adv issues solved
Changlog: https://github.com/netdata/netdata/blob/master/CHANGELOG.md#v1475-2024-10-24
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
New recipe with the static version of the Swagger UI.
This is *not* a NPM version of the website (swagger-ui, swagger-ui-dist, swagger-ui-react).
But the static release.
Plain old HTML/CSS/JS (Standalone)
The folder /dist includes all the HTML, CSS and JS files needed to run SwaggerUI on a static website or CMS, without requiring NPM.
Download the latest release.
Copy the contents of the /dist folder to your server.
Open swagger-initializer.js in your text editor and replace "https://petstore.swagger.io/v2/swagger.json" with the URL for your OpenAPI 3.0 spec.
-- https://github.com/swagger-api/swagger-ui/blob/HEAD/docs/usage/installation.md#plain-old-htmlcssjs-standalone
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add the runtime dependency Virtual/docker need when the package config
Docker is enabled. This avoids do_rootfs installs issues.
Signed-off-by: Tanguy Raufflet <tanguy.raufflet@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
As mentioned in the Netdata documentation [1], The xenstat plugin
requires elevated privileges to be executed. The xenstat.plugin
permissions are modified to only allow users belonging to the netdata
group to execute the plugin with root privileges.
[1] https://learn.netdata.cloud/docs/collecting-metrics/containers-and-vms/xen-xcp-ng
Signed-off-by: Tanguy Raufflet <tanguy.raufflet@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Modification of the group for the apps.plugin file (from root to
netdata) and removal of execution authorization for the “others”.
This modification improves security by limiting the netdata group to
execute the plugin as root.
Signed-off-by: Tanguy Raufflet <tanguy.raufflet@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit modifies the PACKAGECONFIG entry for zlib to ensure that the
mod_deflate module is enabled with the appropriate zlib configuration.
By adding the --with-zlib=${STAGING_LIBDIR}/../ option, we direct the
configure script to use the zlib library from the staging directory
instead of relying on the host system's zlib installation.
Without that configure will search the host for zlib headers and lib.
This change resolves build failures related to zlib dependency when
mod_deflate is enabled and ensures a consistent build environment across
different host configurations.
Signed-off-by: Valeria Petrov <valeria.petrov@spinetix.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Many netdata plugins are written in go, add a PACKAGECONFIG to enable
them.
Signed-off-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Our provided netdata.conf contained a lot of keys which are no longer
supported by netdata. Netdata allows to regenerate the configuration
file and present all possible keys with their default values. This
refreshed file will be more easy to configure by our users.
To generate this file, I basically ran the documented command and
replaced the file paths with our variables when applicable.
Signed-off-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Netdata now provides its own systemd service files. They provide better
hardening than the one we were defining in the recipe.
Unfortunately, the CMakeLists.txt file wants to install them into /lib
rather than /usr/lib. I added mv commands to put them in the expected
location depending on usrmerge.
Signed-off-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Some netdata plugins like cgroups or docker require permissions to
access the docker socket in order to label data properly.
Signed-off-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This recipe depends on meta-python2, master branch of which has not
been updated sine February 2022, see
https://git.openembedded.org/meta-python2/log/?h=master
Also, https://cherokee-project.com/doc/basics_requirements.html states
The main Python releases targeted by our developers are 2.4, 2.5 and 2.6.
Anything other than that is not guaranteed to work at the moment.
Also, master branch of cherokee has not been updated since January
2023, see https://github.com/cherokee/webserver/commits/master/
Thus, remove the obsolete recipe and the associated packagegroup
reference.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
commit f6d27810b4f48562a06ce5006b1559378f30c99c
Author: Jason Schonberg <schonm@gmail.com>
Date: Mon Aug 19 00:26:48 2024 -0400
Changelog:
https://webmin.com/changelog/webmin-2.202-released/
Modified net-generic.patch to update a hardcoded version number to avoid
patch fuzz.
webmin: upgrade 2.111 -> 2.202
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
fastcgi, scgi and uwsgi are enabled by default in nginx. Provide an
option to disable these features (that reduces binary size by 8%).
Signed-off-by: Maxin John <maxin.john@gehealthcare.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Busybox can optionally provide an httpd server, but by default The Yocto
Project defconfig for busybox does not enable it. If it is enabled,
busybox puts the resulting /usr/sbin/httpd object under the control of
update-alternatives.
apache2, on the other hand, does not put /usr/sbin/httpd under the control
of update-alternatives. Therefore, in the off chance a user enables the
busybox httpd server, it does not play well with apache2.
Add update-alternatives information to apache2 so that it plays nicely with
busybox which can optionally provide an httpd server at /usr/sbin/httpd.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update CVE status for: CVE-1999-0289, CVE-2007-0450, CVE-2010-0425
The current version (2.4.6) is not affected. It only applies for Windows.
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Current version (1.6.9) is not affected. Issue was addressed in version 1.3.0
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE's Fixed by upgrade:
CVE-2024-36387 apache2/httpd: DoS by null pointer in websocket over HTTP/2
CVE-2024-38472 apache2/httpd: UNC SSRF on WIndows
CVE-2024-38473 apache2/httpd: Encoding problem in mod_proxy
CVE-2024-38474 apache2/httpd: Substitution encoding issue in mod_rewrite
CVE-2024-38475 apache2/httpd: Improper escaping of output in mod_rewrite
CVE-2024-38476 apache2/httpd: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
CVE-2024-38477 apache2/httpd: null pointer dereference in mod_proxy
CVE-2024-39573 apache2/httpd: Potential SSRF in mod_rewrite
Other Changes between 2.4.59 -> 2.4.60
======================================
https://github.com/apache/httpd/blob/2.4.60/CHANGES
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update status for:
CVE-2007-6421, CVE-2007-6422, CVE-2007-6423, CVE-2008-2168
CPE is incorrect, the current version (2.4.59) is not affected.
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
