Author: Artur Rona
Revision Date: 2015-01-26 02:36:43 UTC

* Merge from Debian unstable. Remaining changes:
  - debian/patches/add-lighttpd.pc-configure.patch:
    + Add lighttpd.pc to ac_config_files to fix FTBFS: make[3]:
      *** No rule to make target `lighttpd.pc', needed by `all-am'.
  - debian/patches/build-dev-package.patch,
    debian/control, debian/lighttpd-dev.install:
    + Add lighttpd-dev package.
  - debian/index.html:
    + Corrected BTS Ubuntu link and branding on the default page.
  - debian/lighttpd.conf:
    + Comment 'use-ipv6.pl' by default, which causes failure
      to bind port in ipv4.
  - debian/control:
    + Build-Depends on libgamin-dev rather than libfam-dev
      to fix startup warning.
  - debian/rules:
    + Add override_dh_installinit to set "defaults 91 09" to not
      start before apache2 but in the same runlevel with
      the same priority.
  - debian/lighttpd.dirs, debian/control, debian/rules,
    debian/lighttpd.ufw.profile:
    + Add the UFW profile.

Author: Artur Rona
Revision Date: 2015-01-26 02:36:43 UTC

* Merge from Debian unstable. Remaining changes:
  - debian/patches/add-lighttpd.pc-configure.patch:
    + Add lighttpd.pc to ac_config_files to fix FTBFS: make[3]:
      *** No rule to make target `lighttpd.pc', needed by `all-am'.
  - debian/patches/build-dev-package.patch,
    debian/control, debian/lighttpd-dev.install:
    + Add lighttpd-dev package.
  - debian/index.html:
    + Corrected BTS Ubuntu link and branding on the default page.
  - debian/lighttpd.conf:
    + Comment 'use-ipv6.pl' by default, which causes failure
      to bind port in ipv4.
  - debian/control:
    + Build-Depends on libgamin-dev rather than libfam-dev
      to fix startup warning.
  - debian/rules:
    + Add override_dh_installinit to set "defaults 91 09" to not
      start before apache2 but in the same runlevel with
      the same priority.
  - debian/lighttpd.dirs, debian/control, debian/rules,
    debian/lighttpd.ufw.profile:
    + Add the UFW profile.

Author: Artur Rona
Revision Date: 2015-01-26 02:36:43 UTC

* Merge from Debian unstable. Remaining changes:
  - debian/patches/add-lighttpd.pc-configure.patch:
    + Add lighttpd.pc to ac_config_files to fix FTBFS: make[3]:
      *** No rule to make target `lighttpd.pc', needed by `all-am'.
  - debian/patches/build-dev-package.patch,
    debian/control, debian/lighttpd-dev.install:
    + Add lighttpd-dev package.
  - debian/index.html:
    + Corrected BTS Ubuntu link and branding on the default page.
  - debian/lighttpd.conf:
    + Comment 'use-ipv6.pl' by default, which causes failure
      to bind port in ipv4.
  - debian/control:
    + Build-Depends on libgamin-dev rather than libfam-dev
      to fix startup warning.
  - debian/rules:
    + Add override_dh_installinit to set "defaults 91 09" to not
      start before apache2 but in the same runlevel with
      the same priority.
  - debian/lighttpd.dirs, debian/control, debian/rules,
    debian/lighttpd.ufw.profile:
    + Add the UFW profile.

Author: Andreas Moog
Revision Date: 2014-01-28 18:08:02 UTC

* Use dh-autoreconf to regenerate autotools files, fixes FTBFS with
  automake 1.14.1 (Closes: #726934)
* Add lighttpd.pc to ac_config_files to fix FTBFS:
  make[3]: *** No rule to make target `lighttpd.pc', needed by `all-am'.

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 16:29:28 UTC

* debian/patches/CVE-2011-4362.patch: Fix DoS because of incorrect code in
  src/http_auth.c:67 (LP: #906792)
  - CVE-2011-4362

Author: Andreas Moog
Revision Date: 2014-01-28 18:08:02 UTC

* Use dh-autoreconf to regenerate autotools files, fixes FTBFS with
  automake 1.14.1 (Closes: #726934)
* Add lighttpd.pc to ac_config_files to fix FTBFS:
  make[3]: *** No rule to make target `lighttpd.pc', needed by `all-am'.

Author: Andreas Moog
Revision Date: 2014-01-28 18:08:02 UTC

* Use dh-autoreconf to regenerate autotools files, fixes FTBFS with
  automake 1.14.1 (Closes: #726934)
* Add lighttpd.pc to ac_config_files to fix FTBFS:
  make[3]: *** No rule to make target `lighttpd.pc', needed by `all-am'.

Author: Colin Watson
Revision Date: 2013-10-15 11:01:00 UTC

Use the autotools-dev dh addon to update config.guess/config.sub for
arm64.

Author: Colin Watson
Revision Date: 2013-10-15 11:01:00 UTC

Use the autotools-dev dh addon to update config.guess/config.sub for
arm64.

Author: Lorenzo De Liso
Revision Date: 2013-03-25 11:55:53 UTC

* Import change from debian version 1.4.31-4:
  - CVE-2013-1427: Switch the socket path for PHP when using FASTCGI. /tmp
    is world-writable which may cause security implications if an attacker
    manages to control /tmp/php.socket before the web server (re-)starts.

Author: Lorenzo De Liso
Revision Date: 2013-03-25 11:55:53 UTC

* Import change from debian version 1.4.31-4:
  - CVE-2013-1427: Switch the socket path for PHP when using FASTCGI. /tmp
    is world-writable which may cause security implications if an attacker
    manages to control /tmp/php.socket before the web server (re-)starts.

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 16:29:28 UTC

* debian/patches/CVE-2011-4362.patch: Fix DoS because of incorrect code in
  src/http_auth.c:67 (LP: #906792)
  - CVE-2011-4362

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 16:29:32 UTC

* SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
  (LP: #906792)
  - debian/patches/CVE-2011-4362.patch: patch derived from upstream
  - CVE-2011-4362

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 16:29:23 UTC

* SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
  (LP: #906792)
  - debian/patches/CVE-2011-4362.patch: patch derived from upstream
  - CVE-2011-4362

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 16:29:26 UTC

* SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
  (LP: #906792)
  - debian/patches/CVE-2011-4362.patch: patch derived from upstream
  - CVE-2011-4362

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 16:29:30 UTC

* SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
  (LP: #906792)
  - debian/patches/CVE-2011-4362.patch: patch derived from upstream
  - CVE-2011-4362

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 16:29:32 UTC

* SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
  (LP: #906792)
  - debian/patches/CVE-2011-4362.patch: patch derived from upstream
  - CVE-2011-4362

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 16:29:30 UTC

* SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
  (LP: #906792)
  - debian/patches/CVE-2011-4362.patch: patch derived from upstream
  - CVE-2011-4362

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 16:29:26 UTC

* SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
  (LP: #906792)
  - debian/patches/CVE-2011-4362.patch: patch derived from upstream
  - CVE-2011-4362

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 16:29:23 UTC

* SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
  (LP: #906792)
  - debian/patches/CVE-2011-4362.patch: patch derived from upstream
  - CVE-2011-4362

Author: Ilya Barygin
Revision Date: 2011-08-20 21:08:28 UTC

No-change rebuild for openssl0.9.8 -> openssl1.0.0 transition.

Author: Bhavani Shankar
Revision Date: 2010-11-21 07:14:27 UTC

* Merge from debian unstable. Remaining changes:
  - debian/control:
    + libgamin-dev rather than libfam-dev to fix startup warning.
    + debhelper Build-depends bumped to (>= 7.0.50) for
      overrides in rules file.
  - debian/index.html: s/Debian/Ubuntu/g branding on the default page.
  - Added a UFW profile set:
    + debian/lighttpd.dirs: added etc/ufw/applications.d
    + debian/rules: install the ufw profile.
    + debian/control: Suggests on ufw.
  - Add lighttpd-dev package:
    + debian/control: Added lighttpd-dev package; Build-depends on
      automake, libtool
    + debian/lighttpd-dev.install: Added.
  - debian/rules:
    + Add override_dh_installinit to set "defaults 91 09" to not start
      before apache2 but in the same runlevel with the same priority.
  - debian/patches/build-dev-package.patch: Updated
  - debian/lighttpd.conf: Comment 'use-ipv6.pl' by default, which causes
    failure to bind port in ipv4 (LP: #551211)

Author: David Sugar
Revision Date: 2010-07-15 17:50:35 UTC

syntax_check function defined in init script. (LP: #600767)

Author: Chuck Short
Revision Date: 2010-04-06 06:12:07 UTC

debian/control: Rebuild for libmysqlclient transition.

Author: Daniel Hahler
Revision Date: 2009-03-17 22:36:05 UTC

* debian/index.html: do not point to edge.launchpad.net
  (LP: #302845)
* Fix documentation reference to virtual hosting by referring
  to mod_simple_vhost (LP: #247271)
  - debian/patches/fix-conf-doc.patch

Author: Andres Rodriguez
Revision Date: 2008-07-25 11:47:48 UTC

* debian/control: Depend on lsb >= 3.2-14, which has the
  status_of_proc() function.
* debian/init.d: Add the 'status' action (LP: #251924).

Author: Emanuele Gentili
Revision Date: 2008-04-06 00:09:12 UTC

* SECURITY UPDATE: (LP: #209627)
 + debian/patches/92_CVE-2008-1531.dpatch
  - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
    of service (active SSL connection loss) by triggering an SSL error,
    such as disconnecting before a download has finished, which causes
    all active SSL connections to be lost.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
 + http://trac.lighttpd.net/trac/changeset/2136
 + http://trac.lighttpd.net/trac/changeset/2139

Author: Soren Hansen
Revision Date: 2007-09-12 14:02:31 UTC

* Merge from Debian unstable, remaining changes:
  - Update maintainer field in debian/control.
  - Build against libgamin-dev rather than libfam-dev (fixes a warning
    during startup)
  - Make sure that upgrades succeed, even if we can't restart lighttpd.
  - Clean environment in init.d script.

Author: Lukas Fittl
Revision Date: 2007-04-14 05:26:10 UTC

* Added LDAP connection leak fix from Debian (Bug: #413917)
  - debian/patches/03_ldap_leak_bugfix.dpatch
* Added security fixes from 1.4.14 (Closes LP: #106416)
  - Remote DOS in CRLF parsing (CVE-2007-1869)
     debian/patches/04_security_crlf_parsing_dos.dpatch
  - DOS with files with mtime 0 (CVE-2007-1870)
     debian/patches/05_security_zero_mtime_crash.dpatch

Author: Lukas Fittl
Revision Date: 2006-10-10 13:57:38 UTC

* Merge from Debian unstable (Closes: Malone #64900). Remaining changes:
  - Add an additional dependency on libterm-readline-perl-perl
    (Malone #43895)

Author: Chuck Short
Revision Date: 2006-05-10 18:11:24 UTC

* debian/control
  + Added depends on libterm-readline-perl-perl. (Closes: Malone #43895)

Author: João Pinto
Revision Date: 2009-10-10 00:08:19 UTC

Fix FTBFS, replaced automake with automake1.10 on Build-Depends
(LP #447672)

Author: Marcin Gibula
Revision Date: 2009-03-04 13:42:05 UTC

* SECURITY UPDATE: (LP: #279490)
 + debian/patches/93_CVE-2008-4298.dpatch
  - Fix memory leak in request header handling
 + debian/patches/95_CVE-2008-4360.dpatch
  - Fix mod_userdir information disclosure
* References
 + https://bugs.launchpad.net/bugs/cve/2008-4298
 + https://bugs.launchpad.net/bugs/cve/2008-4360

Author: Emanuele Gentili
Revision Date: 2008-04-06 03:39:14 UTC

* SECURITY UPDATE: (LP: #209627)
 + debian/patches/91_CVE-2008-1531.dpatch
  - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
    of service (active SSL connection loss) by triggering an SSL error,
    such as disconnecting before a download has finished, which causes
    all active SSL connections to be lost.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
 + http://trac.lighttpd.net/trac/changeset/2136
 + http://trac.lighttpd.net/trac/changeset/2139

Author: Marcin Gibula
Revision Date: 2009-03-04 13:42:05 UTC

* SECURITY UPDATE: (LP: #279490)
 + debian/patches/93_CVE-2008-4298.dpatch
  - Fix memory leak in request header handling
 + debian/patches/95_CVE-2008-4360.dpatch
  - Fix mod_userdir information disclosure
* References
 + https://bugs.launchpad.net/bugs/cve/2008-4298
 + https://bugs.launchpad.net/bugs/cve/2008-4360

Author: Emanuele Gentili
Revision Date: 2008-04-06 23:55:30 UTC

* SECURITY UPDATE: (LP: #209627)
 + debian/patches/91_CVE-2008-1531.dpatch
  - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
    of service (active SSL connection loss) by triggering an SSL error,
    such as disconnecting before a download has finished, which causes
    all active SSL connections to be lost.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
 + http://trac.lighttpd.net/trac/changeset/2136
 + http://trac.lighttpd.net/trac/changeset/2139

Author: Emanuele Gentili
Revision Date: 2008-04-07 19:45:59 UTC

* SECURITY UPDATE: (LP: #209627)
 + debian/patches/91_CVE-2008-1531.dpatch
  - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
    of service (active SSL connection loss) by triggering an SSL error,
    such as disconnecting before a download has finished, which causes
    all active SSL connections to be lost.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
 + http://trac.lighttpd.net/trac/changeset/2136
 + http://trac.lighttpd.net/trac/changeset/2139

Author: Emanuele Gentili
Revision Date: 2008-04-06 03:39:14 UTC

* SECURITY UPDATE: (LP: #209627)
 + debian/patches/91_CVE-2008-1531.dpatch
  - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
    of service (active SSL connection loss) by triggering an SSL error,
    such as disconnecting before a download has finished, which causes
    all active SSL connections to be lost.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
 + http://trac.lighttpd.net/trac/changeset/2136
 + http://trac.lighttpd.net/trac/changeset/2139

Author: Emanuele Gentili
Revision Date: 2008-04-06 23:55:30 UTC

* SECURITY UPDATE: (LP: #209627)
 + debian/patches/91_CVE-2008-1531.dpatch
  - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
    of service (active SSL connection loss) by triggering an SSL error,
    such as disconnecting before a download has finished, which causes
    all active SSL connections to be lost.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
 + http://trac.lighttpd.net/trac/changeset/2136
 + http://trac.lighttpd.net/trac/changeset/2139

Author: Emanuele Gentili
Revision Date: 2008-03-11 15:03:17 UTC

* SECURITY UPDATE: (LP: #200987)
 + debian/patches/91_CVE-2008-1270.dpatch
  - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
    uses a default of $HOME, which might allow remote attackers to read arbitrary
    files, as demonstrated by accessing the ~nobody directory.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
 + http://trac.lighttpd.net/trac/ticket/1587
 + http://trac.lighttpd.net/trac/changeset/2120

Author: Emanuele Gentili
Revision Date: 2008-04-07 19:45:59 UTC

* SECURITY UPDATE: (LP: #209627)
 + debian/patches/91_CVE-2008-1531.dpatch
  - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
    of service (active SSL connection loss) by triggering an SSL error,
    such as disconnecting before a download has finished, which causes
    all active SSL connections to be lost.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
 + http://trac.lighttpd.net/trac/changeset/2136
 + http://trac.lighttpd.net/trac/changeset/2139

Author: Emanuele Gentili
Revision Date: 2008-03-11 15:03:17 UTC

* SECURITY UPDATE: (LP: #200987)
 + debian/patches/91_CVE-2008-1270.dpatch
  - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
    uses a default of $HOME, which might allow remote attackers to read arbitrary
    files, as demonstrated by accessing the ~nobody directory.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
 + http://trac.lighttpd.net/trac/ticket/1587
 + http://trac.lighttpd.net/trac/changeset/2120

Author: Scott Kitterman
Revision Date: 2007-04-24 12:04:01 UTC

* Added relevant security fix from 1.4.14 (Closes LP: #107628)
  - DOS with files with mtime 0 (CVE-2007-1870)
     security_zero_mtime_crash