Dependencies for plugins authn_gssapi, authn_ldap, authn_pam, authn_dbi
and authn_sasl are not correctly written.
This causes the lighttpd package to always compile krb5-libs, libopenldap and
libpam, even if not selected.
Before the fix:
grep -e libpam -e krb5-libs -e libopenldap .config
# CONFIG_PACKAGE_libpam is not set
# CONFIG_PACKAGE_libopenldap is not set
# CONFIG_PACKAGE_krb5-libs is not set
make | grep -e libpam -e krb5 -e ldap
make[3] -C feeds/packages/net/krb5 compile
make[3] -C feeds/packages/libs/libpam compile
make[3] -C feeds/packages/libs/openldap compile
With the fix:
make | grep -e libpam -e krb5 -e ldap
"nothing compiled"
Check that fix works when mod-authn tokens are
selected (select lighttpd-mod-authn_xxx):
grep lighttpd-mod-authn .config
CONFIG_PACKAGE_lighttpd-mod-authn_file=y
CONFIG_PACKAGE_lighttpd-mod-authn_gssapi=m
CONFIG_PACKAGE_lighttpd-mod-authn_ldap=m
CONFIG_PACKAGE_lighttpd-mod-authn_pam=y
make | grep -e libpam -e krb5 -e ldap
make[3] -C feeds/packages/net/krb5 compile
make[3] -C feeds/packages/libs/libpam compile
make[3] -C feeds/packages/libs/openldap compile
x-ref:
"lighttpd: Malformed dependencies cause unselected packages to be compiled"
https://github.com/openwrt/packages/pull/28157
github: closes #28157
Signed-off-by: Alarcon Laurent <laurent.alarcon@sagemcom.com>
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Obsolete use of $(SDK) in configure conditionals can result in
dependency errors when building a subset of packages for packages which
have multiple sub-packages.
The reason it causes dependency issues is that (using libdbi-drivers as
an example) lines like:
ifneq ($(SDK)$(CONFIG_PACKAGE_libdbd-sqlite3),)
always evaluate to true if you are compiling in the SDK. So for a user
compiling from the SDK, the configure arguments are always added to the package build.
In the case of libdbi-drivers:
CONFIGURE_ARGS += \
--with-sqlite3 \
--with-sqlite3-incdir=$(STAGING_DIR)/usr/include \
--with-sqlite3-libdir=$(STAGING_DIR)/usr/lib
is always added even if PACKAGE_libdbd-sqlite3 is deselected. When
libdbd-sqlite3 is deselected, this dependency:
DEPENDS:=libdbi +libsqlite3
is not present, so when configure tries to find sqlite3 it fails.
Closes #28173 "tree-wide: obsolete $(SDK) in conditionals"
See also:
* "include: remove SDK exception from package install targets"
openwrt/openwrt@28f44a4
Performed tree-wide to ease revert if necessary, per:
https://github.com/openwrt/packages/issues/28173#issuecomment-3694615980
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
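A tree-wide audit for the conditional pattern described in the commit message above, added here as an example and not part of the commit or the OpenWrt tree: it lists every `ifeq`/`ifneq` line that concatenates `$(SDK)` with a `CONFIG_` symbol. The function names and the sample Makefile are constructed, and the second conditional in the sample (the same test without `$(SDK)`) is an assumption about what a corrected line looks like.

```shell
#!/bin/sh
# Added example: report conditionals of the form  ifneq ($(SDK)$(CONFIG_...),)
# Output: file:line:CONFIG symbol, one hit per line.
find_sdk_conditionals() {
    find "$1" -type f \( -name Makefile -o -name '*.mk' \) | sort |
    while IFS= read -r mk; do
        awk -v mk="$mk" '
            /^[ \t]*ifn?eq[ \t]*\(/ && index($0, "$(SDK)$(CONFIG_") {
                sym = $0
                sub(/.*\$\(SDK\)\$\(/, "", sym)   # drop text up to the symbol
                sub(/\).*/, "", sym)              # drop the closing paren and rest
                printf "%s:%d:%s\n", mk, NR, sym
            }' "$mk"
    done
}

# Constructed sample tree: one obsolete conditional, one without $(SDK).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/libs/libdbi-drivers"
    cat > "$dir/libs/libdbi-drivers/Makefile" <<'EOF'
ifneq ($(SDK)$(CONFIG_PACKAGE_libdbd-sqlite3),)
CONFIGURE_ARGS += --with-sqlite3
endif
ifneq ($(CONFIG_PACKAGE_libdbd-mysql),)
CONFIGURE_ARGS += --with-mysql
endif
EOF
    echo "$dir"
}

# Demo run on the constructed tree; point the function at a real feed instead.
tree=$(make_sample_tree)
find_sdk_conditionals "$tree"
rm -rf "$tree"
```

Only the first conditional is reported; the one that tests the `CONFIG_PACKAGE_` symbol alone is left out.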
This change will provide the necessary dependency resolution, fixing:
Package lighttpd is missing dependencies for the following libraries:
libcrypto.so.3
Fixes: #23794
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Currently, it is not feasible to configure lighttpd to use OpenSSL as
its internal crypto library. Instead, one must rely on alternative
crypto libraries such as Nettle or mbedTLS. This setup is not ideal in
scenarios where a single crypto library is preferred. To address this
issue, let's propose introducing OpenSSL as an additional configuration
option. Similarly, propose GnuTLS as additional configuration option.
Closes: #24004
Co-developed-by: Glenn Strauss <gstrauss@gluelogic.com>
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
wolfssl has been the base TLS library in openwrt since 21.02
mbedtls will once again be the base TLS library in openwrt 23.??
Default to mbedtls for digest functions in lighttpd
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
The next version of lighttpd will move HTTP/2 support from the lighttpd
base executable into a separate module: mod_h2
Include patch to do so now, and update packaging to handle it.
HTTP/2 support is enabled by default since lighttpd 1.4.59, but if
HTTP/2 support is explicitly disabled in the configuration, then mod_h2
will not be loaded, thereby reducing lighttpd memory use.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
wolfssl has been a base TLS library in openwrt since 21.02
Default to wolfssl instead of Nettle for digest functions in lighttpd
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
add lighttpd-mod-webdav_min package alternative to lighttpd-mod-webdav
lighttpd-mod-webdav_min is more minimal than full lighttpd-mod-webdav.
lighttpd-mod-webdav_min does not support PROPPATCH, LOCK, UNLOCK, and
by not supporting those methods, removes dependencies on libxml2,
libsqlite3, and libuuid.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
modify build command for meson type: feature options
remove -Dwith_libev=disabled (option no longer has any effect)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
As wolfSSL is having a hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would end up with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages
using wolfSSL library.
Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide:
fix security issues by bumping all packages using libwolfssl").
Signed-off-by: Petr Štetiar <ynezz@true.cz>
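A post-upgrade check for the situation the commit message above describes (services still running against the old library after the patched one is installed), added here as an example and not taken from OpenWrt: it walks `/proc/<pid>/maps` and reports every process that maps a libwolfssl other than the patched version. The `libwolfssl.so.<version>[.suffix]` file-name layout, the function names and the sample maps lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage: stale_wolfssl PROC_ROOT PATCHED_VERSION
# Prints "pid<TAB>library" for each process mapping a libwolfssl file whose
# name is not libwolfssl.so.PATCHED_VERSION[.suffix], or whose file was
# replaced on disk ("(deleted)" in maps) while the process keeps the old copy.
stale_wolfssl() {
    for maps in "$1"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}; pid=${pid##*/}
        awk -v pid="$pid" -v ok="libwolfssl.so.$2" '
            index($6, "libwolfssl") {
                base = $6; sub(/.*\//, "", base)
                gone = ($NF == "(deleted)")
                if (gone || !(base == ok || index(base, ok ".") == 1)) {
                    key = $6 (gone ? " (deleted)" : "")
                    # one line per library, not one per mapped segment
                    if (!(key in seen)) { seen[key] = 1; print pid "\t" key }
                }
            }' "$maps"
    done
}

# Constructed sample: pid 101 still maps 5.4.0, pid 202 maps 5.5.1.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/101" "$root/202"
    cat > "$root/101/maps" <<'EOF'
7f10000000-7f100a0000 r-xp 00000000 fe:00 1201 /usr/lib/libwolfssl.so.5.4.0.00000000
7f100a0000-7f100a4000 rw-p 000a0000 fe:00 1201 /usr/lib/libwolfssl.so.5.4.0.00000000
EOF
    cat > "$root/202/maps" <<'EOF'
7f20000000-7f200a0000 r-xp 00000000 fe:00 1377 /usr/lib/libwolfssl.so.5.5.1.11111111
EOF
    echo "$root"
}

# Demo on the constructed tree; on a device: stale_wolfssl /proc 5.5.1
root=$(make_sample_proc)
stale_wolfssl "$root" 5.5.1
rm -rf "$root"
```

Any process listed needs a restart (or its package rebuilt against the new library) before the upgrade takes effect for that service.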
depend on libpcre2 instead of libpcre
also remove patches incorporated upstream into lighttpd 1.4.62
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>