lp:ubuntu/dapper-security/lighttpd
- Get this branch:
- bzr branch lp:ubuntu/dapper-security/lighttpd
Recent revisions
- 16. By Emanuele Gentili
  * SECURITY UPDATE: (LP: #200987)
    + debian/patches/91_CVE-2008-1270.dpatch
      - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
        uses a default of $HOME, which might allow remote attackers to read arbitrary
        files, as demonstrated by accessing the ~nobody directory.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
    + http://trac.lighttpd.net/trac/ticket/1587
    + http://trac.lighttpd.net/trac/changeset/2120
- 15. By Emanuele Gentili
  * SECURITY UPDATE:
    + debian/patches/91_CVE-2008-1111.dpatch:
      - Fixes CVE-2008-1111
        "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
        source code of CGI scripts instead of a 500 error, which might allow
        remote attackers to obtain sensitive information." (LP: #198731)
  * References
    + http://trac.lighttpd.net/trac/changeset/2107
    + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111
- 14. By Emanuele Gentili
  * SECURITY UPDATE:
    + debian/patches/90_maxfds_crash_fix.dpatch:
      - added patch from upstream to fix the maxfds issue (LP: #195380)
  * References
    + http://trac.lighttpd.net/trac/ticket/1562
- 13. By Jamie Strandboge
  * SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
    (backported from upstream 1.4.17)
  * SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
    a possible NULL pointer dereference in buffer.c (both backported from
    upstream 1.4.17)
  * SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
    improper handling of content length in HTTP headers. Patch from upstream
  * References
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138309
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138310
    http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
    CVE-2007-4727
- 12. By Áron Sisak
  * SECURITY UPDATE: remote crash on duplicate header keys with line-wrapping,
    various mod_auth bugs, mod_access bug and mod_fastcgi local DOS bug
    (LP: #127718)
  * debian/patches/06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch:
    - Fixes header parsing bug (Lighttpd SA 2007:03, CVE 2007-3947)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_03.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
  * debian/patches/07_security_lighttpd-1.4.x_mod_auth_sec.dpatch:
    - Fixes various mod_auth bugs (Lighttpd SA 2007:04-07, CVE 2007-3946)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_04.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_05.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_06.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_07.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_auth_sec.patch
  * debian/patches/08_security_lighttpd-1.4.x_mod_access_bypass.dpatch:
    - Fixes mod_access bug (Lighttpd SA 2007:08, CVE 2007-3949)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_access_bypass.patch
  * debian/patches/09_security_lighttpd-1.4.x_connections.dpatch:
    - Fixes crashes with accessing out of bound fd array index (CVE 2007-3948)
    - Description: http://secunia.com/cve_reference/CVE-2007-3948/
    - Patch: http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
  * debian/patches/10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch
    - Fixes segmentation fault in mod_scgi, ... (CVE 2007-3950)
    - Description: http://secunia.com/cve_reference/CVE-2007-3950/
    - Patch: http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882
  * References:
    - Summary: http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it
    - External references: http://secunia.com/advisories/26130/
- 11. By Scott Kitterman
  * Added relevant security fix from 1.4.14 (Closes LP: #107628)
    - DOS with files with mtime 0 (CVE-2007-1870)
      security_zero_mtime_crash
  * Change maintainer to MOTU
- 10. By Chuck Short
  * debian/control
    + Added depends on libterm-readline-perl-perl. (Closes: Malone #43895)
- 8. By Sebastian Dröge
  * Sync with Debian:
    + Removed B-D on libmemcache-dev as we don't have it in dapper, needs to be
      re-enabled for dapper+1
- 7. By Sebastian Dröge
  * Sync with Debian
  * UVF exception:
    https://launchpad.net/distros/ubuntu/+source/lighttpd/+bug/35353
  * Removed B-D on libmemcache-dev as we don't have it in dapper, needs to be
    re-enabled for dapper+1
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/karmic/lighttpd