Created by James Westby on 2009-08-15 and last modified on 2009-08-15
Get this branch:
bzr branch lp:ubuntu/edgy-security/lighttpd

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

20. By Emanuele Gentili on 2008-04-07

* SECURITY UPDATE: (LP: #209627)
 + debian/patches/91_CVE-2008-1531.dpatch
  - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
    of service (active SSL connection loss) by triggering an SSL error,
    such as disconnecting before a download has finished, which causes
    all active SSL connections to be lost.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
 + http://trac.lighttpd.net/trac/changeset/2136
 + http://trac.lighttpd.net/trac/changeset/2139

19. By Emanuele Gentili on 2008-03-11

* SECURITY UPDATE: (LP: #200987)
 + debian/patches/91_CVE-2008-1270.dpatch
  - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
    uses a default of $HOME, which might allow remote attackers to read arbitrary
    files, as demonstrated by accessing the ~nobody directory.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
 + http://trac.lighttpd.net/trac/ticket/1587
 + http://trac.lighttpd.net/trac/changeset/2120

18. By Emanuele Gentili on 2008-03-05

 + debian/patches/91_CVE-2008-1111.dpatch:
  - Fixes CVE-2008-1111
    "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
    source code of CGI scripts instead of a 500 error, which might allow
    remote attackers to obtain sensitive information." (LP: #198731)
* References
 + http://trac.lighttpd.net/trac/changeset/2107
 + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

17. By Emanuele Gentili on 2008-02-25

 + debian/patches/90_maxfds_crash_fix.dpatch:
  - added patch from upstream to fix the maxfds issue (LP: #195380)
* References
 + http://trac.lighttpd.net/trac/ticket/1562

16. By Jamie Strandboge on 2007-09-10

* SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
  (backported from upstream 1.4.17)
* SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
  possible dereferencing a NULL pointer in buffer.c (both backported from
  upstream 1.4.17)
* SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
  improper handling of content length in HTTP headers. Patch from upstream
* References

15. By Áron Sisak on 2007-08-08

* SECURITY UPDATE: remote crash on duplicate header keys with line-wrapping,
  various mod_auth bugs, mod_access bug and mod_fastcgi local DOS bug
* debian/patches/06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch:
  - Fixes header parsing bug (Lighttpd SA 2007:03, CVE 2007-3947)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_03.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
* debian/patches/07_security_lighttpd-1.4.x_mod_auth_sec.dpatch:
  - Fixes various mod_auth bugs (Lighttpd SA 2007:04-07, CVE 2007-3946)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_04.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_auth_sec.patch
* debian/patches/08_security_lighttpd-1.4.x_mod_access_bypass.dpatch:
  - Fixes mod_access bug (Lighttpd SA 2007:08, CVE 2007-3949)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_access_bypass.patch
* debian/patches/09_security_lighttpd-1.4.x_connections.dpatch:
  - Fixes crashes with accessing out of bound fd array index (CVE 2007-3948)
    - Description: http://secunia.com/cve_reference/CVE-2007-3948/
    - Patch: http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
* debian/patches/10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch
  - Fixes segmentation fault in mod_scgi, ... (CVE 2007-3950)
    - Description: http://secunia.com/cve_reference/CVE-2007-3950/
    - Patch: http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882
* References:
  - Summary: http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it
  - External references: http://secunia.com/advisories/26130/

14. By Scott Kitterman on 2007-04-23

* Added security fixes from 1.4.14 (Closes LP: #107628)
  - Remote DOS in CRLF parsing (CVE-2007-1869)
  - DOS with files with mtime 0 (CVE-2007-1870)
* Change maintainer to MOTU

13. By Lukas Fittl on 2006-10-10

* Merge from Debian unstable (Closes: Malone #64900). Remaining changes:
  - Add an additional dependency on libterm-readline-perl-perl
    (Malone #43895)

12. By Jérémie Corbier on 2006-09-22

Merge from debian unstable:
-> Keep the additional dependency on libterm-readline-perl-perl.

11. By Jérémie Corbier on 2006-08-17

* Merge from debian unstable:
  -> Restore B-D on libmemcache-dev.
  -> Keep the additional dependency on libterm-readline-perl-perl.
* debian/patches:
  -> Add 02_mod_ssl_post_fix.dpatch: fix a stall with POST requests between
     8317 and 16381 bytes long when mod_ssl is enabled.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)