From b140ffec25508b15927c6b4eba30b2225a82a91d Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Fri, 21 Jan 2022 09:05:07 -0500 Subject: www-servers/lighttpd: Version bump (v1.4.64) * use pcre2 instead of pcre * remove long-deprecated modules and obsolete dependencies * update configs to use mod_deflate (subsumed mod_compress) * CVE-2022-22707 https://bugs.gentoo.org/830691 Closes: https://bugs.gentoo.org/820755 Signed-off-by: Glenn Strauss Signed-off-by: Sam James
---
 www-servers/lighttpd/Manifest | 1 + www-servers/lighttpd/files/conf/lighttpd.conf-r1 | 309 +++++++++++++++++++++++ www-servers/lighttpd/lighttpd-1.4.64-r1.ebuild | 236 +++++++++++++++++ www-servers/lighttpd/metadata.xml | 2 + 4 files changed, 548 insertions(+) create mode 100644 www-servers/lighttpd/files/conf/lighttpd.conf-r1 create mode 100644 www-servers/lighttpd/lighttpd-1.4.64-r1.ebuild (limited to 'www-servers/lighttpd')
diff --git a/www-servers/lighttpd/Manifest b/www-servers/lighttpd/Manifest
index 545b25d8c85c..ec36ebba44a4 100644
--- a/www-servers/lighttpd/Manifest
+++ b/www-servers/lighttpd/Manifest
@@ -1,3 +1,4 @@
 DIST lighttpd-1.4.55.tar.xz 765660 BLAKE2B 7b972de86e7d1a51438718e4d5bd49188c107b0f2e656ead597085ae84f3d41cdb662a7774c6655155d390c26f3e4f0b0dc4243c85cb0255a91d8ca57742f402 SHA512 023d5a54079e710a89a59e259c0b5798103ef6fce4544c36110dc4c5281ef429ef99369923d74123fcf8be37afe622d44cd7149078d21971ff26f3f4ee37c439
 DIST lighttpd-1.4.58.tar.xz 956828 BLAKE2B b8b0a111db64a8af429dd9922503991e55276808b58143ffce3268bc8b20a39cfec9d8c1e2917b34326ac5502801a6ca3b9bae26874f86b6749c363a09225ca3 SHA512 b7f18223e46bf78f866eb22f44a7702df07424271e085da9f0d03e626198c30e87a3959536d02e3588aa47ba4bc7db7c432307175fb3b25a2984f9cf692c0ca4
 DIST lighttpd-1.4.59.tar.xz 968352 BLAKE2B 8997386be24d9d84fa8012aedd8ac97b3ad4fd19bb756163d3e9b8c6984c740475c6db2810817db9d1a246320bcd81f7ab35847707316454523c614a4485299f SHA512 94d312f6ac65c32057018b749c4865220b43b3e4b7fe9396848aa403ea7fdc2ccbf3f4f91daf281b754cf272a52a8bcdc689502773ea33cae36eead2785daa0f
+DIST lighttpd-1.4.64.tar.xz 1011436 BLAKE2B 7eea665f20a07ced23e7372515b5e44852ea14e4ac83297ed9f764106b69e7931d84bf5d1c6d5f542ef810021ef94398a89bc3161213f8bdfaba3676e0a687ca SHA512 8e2ad0830ff80fcebf0c33600caafb5ab4e9ff6b5073c12572f88a44fdfe85f777fa8b22b2fc2964fecbeb556997ad660867dcee80efb224d63329c8b18ea936
diff --git a/www-servers/lighttpd/files/conf/lighttpd.conf-r1 b/www-servers/lighttpd/files/conf/lighttpd.conf-r1
new file mode 100644
index 000000000000..1017098caa4f
--- /dev/null
+++ b/www-servers/lighttpd/files/conf/lighttpd.conf-r1
@@ -0,0 +1,309 @@ +############################################################################### +# Default lighttpd.conf for Gentoo. +############################################################################### + +# {{{ variables +var.basedir = "/var/www/localhost" +var.logdir = "/var/log/lighttpd" +var.statedir = "/var/lib/lighttpd" +# }}} + +# {{{ modules +# At the very least, mod_access and mod_accesslog should be enabled. +# All other modules should only be loaded if necessary. +# NOTE: the order of modules is important. +server.modules = ( +# "mod_rewrite", +# "mod_redirect", +# "mod_alias", + "mod_access", +# "mod_magnet", +# "mod_auth", +# "mod_status", +# "mod_setenv", +# "mod_proxy", +# "mod_simple_vhost", +# "mod_evhost", +# "mod_userdir", +# "mod_deflate", +# "mod_ssi", +# "mod_usertrack", +# "mod_expire", +# "mod_secdownload", +# "mod_rrdtool", +# "mod_webdav", + "mod_accesslog" +) +# }}} + +# {{{ includes +include "mime-types.conf" +# fcgi and cgi are included below +# }}} + +# {{{ server settings +server.username = "lighttpd" +server.groupname = "lighttpd" + +server.document-root = var.basedir + "/htdocs" +server.pid-file = "/run/lighttpd.pid" + +server.errorlog = var.logdir + "/error.log" +# log errors to syslog instead +# server.errorlog-use-syslog = "enable" + +server.indexfiles = ("index.php", "index.html", + "index.htm", "default.htm") + +# server.tag = "lighttpd" + +server.follow-symlink = "enable" + +# event handler (defaults to "poll") +# see performance.txt +# +# for >= linux-2.4 +# server.event-handler = "linux-rtsig" +# for >= linux-2.6 +# server.event-handler = "linux-sysepoll" +# for FreeBSD +# server.event-handler = "freebsd-kqueue" + +# chroot to directory (defaults to no chroot) +# server.chroot = "/" + +# bind to port (defaults to 80) +# server.port = 81 + +# bind to name (defaults to all interfaces) +# server.bind = "grisu.home.kneschke.de" + +# error-handler for status 404 +# server.error-handler-404 = "/error-handler.html" +# 
server.error-handler-404 = "/error-handler.php" + +# Format: .html +# -> ..../status-404.html for 'File not found' +# server.errorfile-prefix = var.basedir + "/error/status-" + +# FAM support for caching stat() calls +# requires that lighttpd be built with USE=fam +# server.stat-cache-engine = "fam" + +# If lighttpd was build with IPv6 support, and you would like to listen on IPv6, +# uncomment the following: +# server.use-ipv6 = "enable" + +# }}} + +# {{{ mod_staticfile + +# which extensions should not be handled via static-file transfer +# (extensions that are usually handled by mod_cgi, mod_fastcgi, etc). +static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi") +# }}} + +# {{{ mod_accesslog +accesslog.filename = var.logdir + "/access.log" +# }}} + +# {{{ mod_dirlisting +# enable directory listings +# dir-listing.activate = "enable" +# +# don't list hidden files/directories +# dir-listing.hide-dotfiles = "enable" +# +# use a different css for directory listings +# dir-listing.external-css = "/path/to/dir-listing.css" +# +# list of regular expressions. files that match any of the +# specified regular expressions will be excluded from directory +# listings. 
+# dir-listing.exclude = ("^\.", "~$") +# }}} + +# {{{ mod_access +# see access.txt + +url.access-deny = ("~", ".inc") +# }}} + +# {{{ mod_userdir +# see userdir.txt +# +# userdir.path = "public_html" +# userdir.exclude-user = ("root") +# }}} + +# {{{ mod_ssi +# see ssi.txt +# +# ssi.extension = (".shtml") +# }}} + +# {{{ mod_ssl +# see ssl.txt +# +# ssl.engine = "enable" +# ssl.pemfile = "server.pem" +# }}} + +# {{{ mod_status +# see status.txt +# +# status.status-url = "/server-status" +# status.config-url = "/server-config" +# }}} + +# {{{ mod_simple_vhost +# see simple-vhost.txt +# +# If you want name-based virtual hosting add the next three settings and load +# mod_simple_vhost +# +# document-root = +# virtual-server-root + virtual-server-default-host + virtual-server-docroot +# or +# virtual-server-root + http-host + virtual-server-docroot +# +# simple-vhost.server-root = "/home/weigon/wwwroot/servers/" +# simple-vhost.default-host = "grisu.home.kneschke.de" +# simple-vhost.document-root = "/pages/" +# }}} + +# {{{ mod_deflate +# see compress.txt +# +# deflate.cache-dir = var.statedir + "/cache/compress" +# deflate.mimetypes = ("text/plain", "text/html") +# }}} + +# {{{ mod_proxy +# see proxy.txt +# +# proxy.server = ( ".php" => +# ( "localhost" => +# ( +# "host" => "192.168.0.101", +# "port" => 80 +# ) +# ) +# ) +# }}} + +# {{{ mod_auth +# see authentication.txt +# +# auth.backend = "plain" +# auth.backend.plain.userfile = "lighttpd.user" +# auth.backend.plain.groupfile = "lighttpd.group" + +# auth.backend.ldap.hostname = "localhost" +# auth.backend.ldap.base-dn = "dc=my-domain,dc=com" +# auth.backend.ldap.filter = "(uid=$)" + +# auth.require = ( "/server-status" => +# ( +# "method" => "digest", +# "realm" => "download archiv", +# "require" => "user=jan" +# ), +# "/server-info" => +# ( +# "method" => "digest", +# "realm" => "download archiv", +# "require" => "valid-user" +# ) +# ) +# }}} + +# {{{ mod_rewrite +# see rewrite.txt +# +# url.rewrite = ( +# "^/$" 
=> "/server-status" +# ) +# }}} + +# {{{ mod_redirect +# see redirect.txt +# +# url.redirect = ( +# "^/wishlist/(.+)" => "http://www.123.org/$1" +# ) +# }}} + +# {{{ mod_evhost +# define a pattern for the host url finding +# %% => % sign +# %0 => domain name + tld +# %1 => tld +# %2 => domain name without tld +# %3 => subdomain 1 name +# %4 => subdomain 2 name +# +# evhost.path-pattern = "/home/storage/dev/www/%3/htdocs/" +# }}} + +# {{{ mod_expire +# expire.url = ( +# "/buggy/" => "access 2 hours", +# "/asdhas/" => "access plus 1 seconds 2 minutes" +# ) +# }}} + +# {{{ mod_rrdtool +# see rrdtool.txt +# +# rrdtool.binary = "/usr/bin/rrdtool" +# rrdtool.db-name = var.statedir + "/lighttpd.rrd" +# }}} + +# {{{ mod_setenv +# see setenv.txt +# +# setenv.add-request-header = ( "TRAV_ENV" => "mysql://user@host/db" ) +# setenv.add-response-header = ( "X-Secret-Message" => "42" ) +# }}} + +# {{{ mod_webdav +# see webdav.txt +# +# $HTTP["url"] =~ "^/dav($|/)" { +# webdav.activate = "enable" +# webdav.is-readonly = "enable" +# } +# }}} + +# {{{ extra rules +# +# set Content-Encoding and reset Content-Type for browsers that +# support decompressing on-thy-fly (requires mod_setenv) +# $HTTP["url"] =~ "\.gz$" { +# setenv.add-response-header = ("Content-Encoding" => "x-gzip") +# mimetype.assign = (".gz" => "text/plain") +# } + +# $HTTP["url"] =~ "\.bz2$" { +# setenv.add-response-header = ("Content-Encoding" => "x-bzip2") +# mimetype.assign = (".bz2" => "text/plain") +# } +# +# }}} + +# {{{ debug +# debug.log-request-header = "enable" +# debug.log-response-header = "enable" +# debug.log-request-handling = "enable" +# debug.log-file-not-found = "enable" +# }}} + +# {{{ cgi includes +# uncomment for cgi support +# include "mod_cgi.conf" +# uncomment for php/fastcgi support +# include "mod_fastcgi.conf" +# }}} + +# vim: set ft=conf foldmethod=marker et : 
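Review bot: The mod_deflate block of the new lighttpd.conf-r1 still points readers at `# see compress.txt` and uses the example path `var.statedir + "/cache/compress"`, although the commit message says mod_deflate subsumed mod_compress, so the pointer leads to the old module's documentation. Unless the installed doc/outdated set contains a matching deflate text file, I would replace the pointer with the page pkg_postinst already prints, `# see https://wiki.lighttpd.net/Docs_ModDeflate`. The event-handler examples (`linux-rtsig`, `linux-sysepoll`, `freebsd-kqueue`) look inherited from a much older config; it is worth confirming they are still accepted values for 1.4.64 before shipping them as guidance, or marking them as historical. The "on-thy-fly" wording in the extra rules section should read "on-the-fly".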
diff --git a/www-servers/lighttpd/lighttpd-1.4.64-r1.ebuild b/www-servers/lighttpd/lighttpd-1.4.64-r1.ebuild
new file mode 100644
index 000000000000..0dadbae5b17a
--- /dev/null
+++ b/www-servers/lighttpd/lighttpd-1.4.64-r1.ebuild
@@ -0,0 +1,236 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +LUA_COMPAT=( lua5-{1..4} ) + +inherit autotools lua-single readme.gentoo-r1 systemd tmpfiles toolchain-funcs + +DESCRIPTION="Lightweight high-performance web server" +HOMEPAGE="https://www.lighttpd.net https://github.com/lighttpd" +SRC_URI="https://download.lighttpd.net/lighttpd/releases-1.4.x/${P}.tar.xz" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86" +IUSE="+brotli dbi doc gnutls ipv6 kerberos ldap +lua maxminddb mbedtls mmap mysql +nettle nss +pcre php postgres rrdtool sasl selinux ssl sqlite +system-xxhash test unwind webdav xattr +zlib zstd" +RESTRICT="!test? ( test )" + +REQUIRED_USE="lua? ( ${LUA_REQUIRED_USE} ) + mysql? ( dbi ) + postgres? ( dbi ) + sqlite? ( dbi ) + webdav? ( sqlite ) +" + +COMMON_DEPEND=" + acct-group/lighttpd + acct-user/lighttpd + virtual/libcrypt:= + brotli? ( app-arch/brotli ) + dbi? ( + dev-db/libdbi + mysql? ( dev-db/libdbi-drivers[mysql] ) + postgres? ( dev-db/libdbi-drivers[postgres] ) + sqlite? ( dev-db/libdbi-drivers[sqlite] ) + ) + gnutls? ( net-libs/gnutls ) + kerberos? ( virtual/krb5 ) + ldap? ( >=net-nds/openldap-2.1.26 ) + lua? ( ${LUA_DEPS} ) + maxminddb? ( dev-libs/libmaxminddb ) + mbedtls? ( net-libs/mbedtls ) + nettle? ( dev-libs/nettle ) + nss? ( dev-libs/nss ) + pcre? ( dev-libs/libpcre2 ) + php? ( dev-lang/php:*[cgi] ) + rrdtool? ( net-analyzer/rrdtool ) + sasl? ( dev-libs/cyrus-sasl ) + ssl? ( >=dev-libs/openssl-0.9.7:0= ) + system-xxhash? ( dev-libs/xxhash ) + unwind? ( sys-libs/libunwind ) + webdav? ( + dev-libs/libxml2 + sys-fs/e2fsprogs + ) + xattr? ( kernel_linux? ( sys-apps/attr ) ) + zlib? ( >=sys-libs/zlib-1.1 ) + zstd? ( app-arch/zstd )" + +BDEPEND=" + virtual/pkgconfig + doc? ( dev-python/docutils ) + test? 
( + virtual/perl-Test-Harness + )" + +DEPEND="${COMMON_DEPEND}" + +RDEPEND="${COMMON_DEPEND} + selinux? ( sec-policy/selinux-apache ) +" + +# update certain parts of lighttpd.conf based on conditionals +update_config() { + local config="${D}/etc/lighttpd/lighttpd.conf" + + # enable php/mod_fastcgi settings + if use php; then sed -i -e 's|#.*\(include.*fastcgi.*$\)|\1|' ${config} || die; fi + + # automatically listen on IPv6 if built with USE=ipv6. Bug #234987 + if use ipv6; then sed -i -e 's|# server.use-ipv6|server.use-ipv6|' ${config} || die; fi +} + +pkg_setup() { + if use lua; then + lua-single_pkg_setup + fi + + if ! use pcre ; then + ewarn "It is highly recommended that you build ${PN}" + ewarn "with perl regular expressions support via USE=pcre." + ewarn "Otherwise you lose support for some core options such" + ewarn "as conditionals and modules such as mod_re{write,direct}." + fi + + DOC_CONTENTS="IPv6 migration guide:\n + http://redmine.lighttpd.net/projects/lighttpd/wiki/IPv6-Config" +} + +src_prepare() { + default + # dev-python/docutils installs rst2html.py not rst2html + sed -i -e 's|\(rst2html\)|\1.py|g' doc/outdated/Makefile.am || \ + die "sed doc/Makefile.am failed" + eautoreconf +} + +src_configure() { + # The lua bit requires a bit of explanation. The lighttpd autoconf script + # handles the value passed to --with-lua as follows: + # - "no" - do nothing + # - "yes" - query pkgconfig for VERSIONED lua packages, starting with 5.3 + # and going down; only if lua5.1 cannot be found plain "lua" is tried + # - any other value is passed to pkgconfig as the exact package name to use. + # We want a specific implementation to be used even if a newer one is present + # in the system so we use the latter mode. 
+ econf \ + CC_FOR_BUILD=$(tc-getBUILD_CC) \ + --libdir=/usr/$(get_libdir)/${PN} \ + --enable-lfs \ + $(use_enable ipv6) \ + $(use_enable mmap) \ + $(use_with brotli) \ + $(use_with dbi) \ + $(use_with gnutls ) \ + $(use_with kerberos krb5) \ + $(use_with ldap) \ + $(use_with lua lua ${ELUA}) \ + $(use_with maxminddb) \ + $(use_with mbedtls) \ + $(use_with nettle) \ + $(use_with nss) \ + $(use_with pcre pcre2) \ + $(use_with sasl) \ + $(use_with ssl openssl) \ + $(use_with system-xxhash) \ + $(use_with webdav webdav-props) \ + $(use_with webdav webdav-locks) \ + $(use_with xattr attr) \ + $(use_with zlib) \ + $(use_with zstd) \ + $(use_with unwind) +} + +src_compile() { + emake + + if use doc ; then + einfo "Building HTML documentation" + cd doc || die + emake html + fi +} + +src_test() { + if [[ ${EUID} -eq 0 ]]; then + default_src_test + else + ewarn "test skipped, please re-run as root if you wish to test ${PN}" + fi +} + +src_install() { + default + + find "${D}" -name '*.la' -delete || die + + # init script stuff + newinitd "${FILESDIR}"/lighttpd.initd lighttpd + newconfd "${FILESDIR}"/lighttpd.confd lighttpd + + # configs + insinto /etc/lighttpd + newins "${FILESDIR}"/conf/lighttpd.conf-r1 lighttpd.conf + doins "${FILESDIR}"/conf/mime-types.conf + doins "${FILESDIR}"/conf/mod_cgi.conf + doins "${FILESDIR}"/conf/mod_fastcgi.conf + + # update lighttpd.conf directives based on conditionals + update_config + + # docs + dodoc AUTHORS README NEWS doc/scripts/*.sh + newdoc doc/config//lighttpd.conf lighttpd.conf.distrib + if use ipv6; then readme.gentoo_create_doc; fi + + if use doc; then dodoc -r doc; fi + + docinto txt + dodoc doc/outdated/*.txt + + # logrotate + insinto /etc/logrotate.d + newins "${FILESDIR}"/lighttpd.logrotate-r1 lighttpd + + keepdir /var/l{ib,og}/lighttpd /var/www/localhost/htdocs + fowners lighttpd:lighttpd /var/l{ib,og}/lighttpd + fperms 0750 /var/l{ib,og}/lighttpd + + systemd_dounit "${FILESDIR}/${PN}.service" + newtmpfiles 
"${FILESDIR}/${PN}.tmpfiles.conf" "${PN}.conf" +} + +pkg_postinst() { + tmpfiles_process ${PN}.conf + + if use ipv6; then readme.gentoo_print_elog; fi + + if [[ -f ${ROOT}/etc/lighttpd.conf ]] ; then + elog + elog "Gentoo has a customized configuration," + elog "which is now located in ${EROOT}/etc/lighttpd. Please migrate your" + elog "existing configuration." + fi + + if use brotli || use zstd || use zlib; then + elog + elog "Remember to clean your cache directory when using" + elog "output compression!" + elog "https://wiki.lighttpd.net/Docs_ModDeflate" + fi + + if use mysql; then + elog + elog "Note that upstream has moved away from using mysql directly" + elog "via mod_mysql and is now accessing it through mod_dbi. You" + elog "may need to update your configuration" + fi + + elog + elog "Upstream has deprecated a number of features. They are not missing" + elog "but have been migrated to other mechanisms. Please see upstream" + elog "changelog for details." + elog "https://www.lighttpd.net/2022/1/19/1.4.64/" +} diff --git a/www-servers/lighttpd/metadata.xml b/www-servers/lighttpd/metadata.xml index 25fe93ef41cd..4fa39ff0178f 100644 --- a/www-servers/lighttpd/metadata.xml +++ b/www-servers/lighttpd/metadata.xml @@ -25,8 +25,10 @@ Add support for geolocation using libMaxMindDB Build module for TLS via Mbed TLS Use mmap with files owned by lighttpd. This is a dangerous option as it may allow local users to trigger SIGBUS crashes. + Use dev-libs/nettle as crypto backend Build module for TLS via Mozilla's Network Security Services Enable rrdtool support via mod_rrdtool + Use system provided libxxhash Enable webdav properties Enable output compression via gzip or deflate algorithms Enable output compression via Zstandard algorithm -- cgit v1.2.3-65-gdbad
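Review bot: In update_config both sed invocations pass `${config}` unquoted even though the variable is built as `"${D}/etc/lighttpd/lighttpd.conf"`; quote it in both places, e.g. `if use ipv6; then sed -i -e 's|# server.use-ipv6|server.use-ipv6|' "${config}" || die; fi`, so word splitting on the build root cannot redirect the edit. In pkg_postinst the existence test uses `${ROOT}/etc/lighttpd.conf` while the message it prints refers to `${EROOT}/etc/lighttpd`; with EAPI=7 the test should presumably use `${EROOT}` too so the check and the advice refer to the same prefixed path. The header still reads `# Copyright 1999-2021 Gentoo Authors` although the commit is dated January 2022. Minor: `newdoc doc/config//lighttpd.conf` has a doubled slash.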