lp:ubuntu/dapper-security/lighttpd

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

16. By Emanuele Gentili on 2008-03-11

* SECURITY UPDATE: (LP: #200987)
 + debian/patches/91_CVE-2008-1270.dpatch
  - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
    uses a default of $HOME, which might allow remote attackers to read arbitrary
    files, as demonstrated by accessing the ~nobody directory.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
 + http://trac.lighttpd.net/trac/ticket/1587
 + http://trac.lighttpd.net/trac/changeset/2120

15. By Emanuele Gentili on 2008-03-05

* SECURITY UPDATE:
 + debian/patches/91_CVE-2008-1111.dpatch:
  - Fixes CVE-2008-1111
    "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
    source code of CGI scripts instead of a 500 error, which might allow
    remote attackers to obtain sensitive information." (LP: #198731)
* References
 + http://trac.lighttpd.net/trac/changeset/2107
 + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

14. By Emanuele Gentili on 2008-02-25

* SECURITY UPDATE:
  + debian/patches/90_maxfds_crash_fix.dpatch:
    - added patch from upstream to fix the maxfds issue (LP: #195380)
* References
  + http://trac.lighttpd.net/trac/ticket/1562

13. By Jamie Strandboge on 2007-09-08

* SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
  (backported from upstream 1.4.17)
* SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
  possible dereferencing a NULL pointer in buffer.c (both backported from
  upstream 1.4.17)
* SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
  improper handling of content length in HTTP headers. Patch from upstream
* References
  https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138309
  https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138310
  http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
  CVE-2007-4727

12. By Áron Sisak on 2007-08-08

* SECURITY UPDATE: remote crash on duplicate header keys with line-wrapping,
  various mod_auth bugs, mod_access bug and mod_fastcgi local DOS bug
  (LP:#127718)
* debian/patches/06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch:
  - Fixes header parsing bug (Lighttpd SA 2007:03, CVE 2007-3947)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_03.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
* debian/patches/07_security_lighttpd-1.4.x_mod_auth_sec.dpatch:
  - Fixes various mod_auth bugs (Lighttpd SA 2007:04-07, CVE 2007-3946)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_04.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_05.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_06.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_07.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_auth_sec.patch
* debian/patches/08_security_lighttpd-1.4.x_mod_access_bypass.dpatch:
  - Fixes mod_access bug (Lighttpd SA 2007:08, CVE 2007-3949)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_access_bypass.patch
* debian/patches/09_security_lighttpd-1.4.x_connections.dpatch:
  - Fixes crashes with accessing out of bound fd array index (CVE 2007-3948)
    - Description: http://secunia.com/cve_reference/CVE-2007-3948/
    - Patch: http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
* debian/patches/10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch
  - Fixes segmentation fault in mod_scgi, ... (CVE 2007-3950)
    - Description: http://secunia.com/cve_reference/CVE-2007-3950/
    - Patch: http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882
* References:
  - Summary: http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it
  - External references: http://secunia.com/advisories/26130/

11. By Scott Kitterman on 2007-04-24

* Added relevant security fix from 1.4.14 (Closes LP: #107628)
  - DOS with files with mtime 0 (CVE-2007-1870)
     security_zero_mtime_crash
* Change maintainer to MOTU

10. By Chuck Short on 2006-05-10

* debian/control
  + Added depends on libterm-readline-perl-perl. (Closes: Malone #43895)

9. By Adam Conrad on 2006-04-06

Rebuild against the new libmysqlclient15off with correct symbols.

8. By Sebastian Dröge on 2006-03-27

* Sync with Debian:
  + Removed B-D on libmemcache-dev as we don't have it in dapper, needs to be
    re-enabled for dapper+1

7. By Sebastian Dröge on 2006-03-20

* Sync with Debian
* UVF exception:
  https://launchpad.net/distros/ubuntu/+source/lighttpd/+bug/35353
* Removed B-D on libmemcache-dev as we don't have it in dapper, needs to be
  re-enabled for dapper+1