wok annotate lighttpd-ssl/receipt @ rev 17237
postfix, apache lighttpd-ssl, nginx: CVE-2014-3566
| author | Pascal Bellard <pascal.bellard@slitaz.org> |
|---|---|
| date | Sat Oct 18 14:11:33 2014 +0200 (2014-10-18) |
| parents | e6759743694c |
| children | 4da6b4009226 |
| rev | line source |
|---|---|
| pascal@1787 | 1 # SliTaz package receipt. |
| pascal@1787 | 2 |
| pascal@1787 | 3 PACKAGE="lighttpd-ssl" |
| pascal@15579 | 4 VERSION="1.4.33" |
| pascal@1787 | 5 CATEGORY="network" |
| pascal@1787 | 6 SHORT_DESC="Fast and light HTTP Web server with SSL support." |
| pascal@1787 | 7 MAINTAINER="pankso@slitaz.org" |
| pascal@15379 | 8 LICENSE="BSD" |
| pascal@1787 | 9 SUGGESTED="lighttpd-modules php perl python" |
| pascal@1787 | 10 SOURCE="lighttpd" |
| pascal@15579 | 11 TARBALL="$SOURCE-$VERSION.tar.xz" |
| pascal@1787 | 12 WEB_SITE="http://www.lighttpd.net/" |
| pascal@4576 | 13 WGET_URL="http://download.lighttpd.net/lighttpd/releases-1.4.x/$TARBALL" |
| slaxemulator@8894 | 14 CONFIG_FILES="/etc/lighttpd/vhosts.conf /etc/lighttpd/lighttpd.conf /etc/ssl/lighttpd" |
| pascal@1787 | 15 PROVIDE="lighttpd" |
| pankso@16000 | 16 HOST_ARCH="i486 arm" |
| pankso@15992 | 17 |
| pankso@15992 | 18 DEPENDS="pcre openssl" |
| pankso@15992 | 19 BUILD_DEPENDS="pcre-dev bzip2-dev openssl-dev" |
| pankso@15992 | 20 |
| pascal@1787 | 21 BASE_MODULES=" |
| pascal@1787 | 22 access |
| pascal@1787 | 23 accesslog |
| pascal@1787 | 24 alias |
| pascal@1787 | 25 cgi |
| pascal@1787 | 26 dirlisting |
| pascal@1787 | 27 indexfile |
| pascal@1787 | 28 staticfile |
| pascal@1787 | 29 rewrite |
| pascal@1787 | 30 status |
| pascal@1787 | 31 userdir" |
| pascal@1787 | 32 |
| pascal@1787 | 33 # Rules to configure and make the package. |
| pascal@1787 | 34 compile_rules() |
| pascal@1787 | 35 { |
| pascal@1787 | 36 cd $src |
| pascal@15579 | 37 sed -i '/addrs_left/d' src/mod_extforward.c |
| pascal@1787 | 38 ./configure \ |
| pascal@1787 | 39 --enable-shared \ |
| pascal@1787 | 40 --disable-ipv6 \ |
| pascal@1787 | 41 --with-openssl \ |
| pascal@1787 | 42 --prefix=/usr \ |
| pascal@1787 | 43 --libdir=/usr/lib/lighttpd \ |
| pascal@1787 | 44 --mandir=/usr/share/man \ |
| pascal@1787 | 45 $CONFIGURE_ARGS && |
| pascal@1787 | 46 make && |
| pascal@15579 | 47 make DESTDIR=$DESTDIR install |
| pascal@1787 | 48 } |
| pascal@1787 | 49 |
| pascal@1787 | 50 # Rules to gen a SliTaz package suitable for Tazpkg. |
| pascal@1787 | 51 # On SliTaz Lighttpd runs as user/group : www/www or 80/80. |
| pascal@1787 | 52 genpkg_rules() |
| pascal@1787 | 53 { |
| pascal@1787 | 54 mkdir -p $fs/usr |
| pascal@15579 | 55 #cp -a $install/usr/bin $fs/usr |
| pascal@15579 | 56 cp -a $install/usr/sbin $fs/usr |
| pankso@4572 | 57 |
| pascal@1787 | 58 # Modules. |
| pascal@1787 | 59 mkdir -p $fs/usr/lib/lighttpd |
| pascal@1787 | 60 for module in $BASE_MODULES |
| pascal@1787 | 61 do |
| pascal@15579 | 62 cp $install/usr/lib/lighttpd/mod_${module}.so $fs/usr/lib/lighttpd |
| pascal@1787 | 63 echo -n "Copying : mod_${module}.so" && status |
| pascal@1787 | 64 done |
| pankso@4572 | 65 |
| pascal@1787 | 66 # Server root and config file. |
| slaxemulator@8652 | 67 cp -a $WOK/$SOURCE/stuff/var $fs |
| slaxemulator@8652 | 68 cp -a $WOK/$SOURCE/stuff/etc $fs |
| pascal@1787 | 69 chown -R 0.0 $fs/var/www |
| pascal@1787 | 70 chown -R 0.0 $fs/etc |
| pascal@1790 | 71 mkdir -p $fs/etc/ssl/lighttpd |
| pascal@1790 | 72 cat >> $fs/etc/lighttpd/lighttpd.conf <<EOT |
| pascal@1789 | 73 |
| pascal@1789 | 74 # Enable HTTPS support |
| pascal@1789 | 75 # |
| pascal@1791 | 76 \$SERVER["socket"] == ":443" { |
| pascal@1789 | 77 protocol = "https://" |
| pascal@1789 | 78 ssl.engine = "enable" |
| pascal@17237 | 79 # Unsafe, see CVE-2014-3566 POODLE |
| pascal@17237 | 80 ssl.use-sslv2 = "disable" |
| pascal@17237 | 81 ssl.use-sslv3 = "disable" |
| pascal@1789 | 82 ssl.pemfile = "/etc/ssl/lighttpd/lighttpd.pem" |
| pascal@1789 | 83 } |
| pascal@1789 | 84 EOT |
| pankso@4572 | 85 |
| pascal@1787 | 86 # Logs directory. |
| pascal@1787 | 87 mkdir -p $fs/var/log/lighttpd |
| pascal@1787 | 88 chown 80.80 $fs/var/log/lighttpd |
| pascal@1787 | 89 } |
| pascal@1787 | 90 |
| pankso@15992 | 91 # Make sur it as cross compile properly |
| pankso@15992 | 92 testsuite() |
| pankso@15992 | 93 { |
| pankso@15992 | 94 readelf -h $install/usr/sbin/lighttpd |
| pankso@15992 | 95 } |
| pankso@15992 | 96 |
| pascal@1787 | 97 # Pre and post install commands for Tazpkg. |
| pascal@1787 | 98 # We stop the server by default in case of upgarde. |
| pascal@1787 | 99 pre_install() |
| pascal@1787 | 100 { |
| pascal@1787 | 101 echo "Processing pre-install commands..." |
| pascal@1788 | 102 [ -f /etc/init.d/lighttpd ] && /etc/init.d/lighttpd stop |
| pascal@1787 | 103 } |
| pascal@1906 | 104 |
| pascal@1787 | 105 post_install() |
| pascal@1787 | 106 { |
| pascal@1787 | 107 echo "Processing post-install commands..." |
| pascal@1789 | 108 if [ ! -f $1/etc/ssl/lighttpd/lighttpd.pem ]; then |
| pascal@1789 | 109 openssl req -new -x509 \ |
| pascal@1789 | 110 -keyout $1/etc/ssl/lighttpd/lighttpd.pem \ |
| pascal@1789 | 111 -out $1/etc/ssl/lighttpd/lighttpd.pem \ |
| pascal@1906 | 112 -days 3650 -nodes <<EOT |
| pascal@1789 | 113 $(. /etc/locale.conf ; echo ${LANG#*_}) |
| pascal@1789 | 114 $(cat /etc/TZ) |
| pascal@1789 | 115 |
| pascal@1789 | 116 $(cat /etc/hostname) |
| pascal@1789 | 117 |
| pascal@1789 | 118 |
| pascal@1789 | 119 |
| pascal@1789 | 120 EOT |
| pascal@1789 | 121 fi |
| pascal@1787 | 122 # Just in case. |
| pascal@1905 | 123 chown www.www $1/var/log/lighttpd |
| pascal@1905 | 124 if [ -z "$1" ]; then |
| pascal@1905 | 125 for i in apache ; do |
| pascal@1905 | 126 [ -f /etc/init.d/$i ] && /etc/init.d/$i stop |
| pascal@1905 | 127 done |
| erjo@2620 | 128 /etc/init.d/lighttpd start |
| pascal@1905 | 129 fi |
| pascal@1787 | 130 } |