lp:ubuntu/edgy-updates/lighttpd

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

20. By Emanuele Gentili on 2008-04-07

* SECURITY UPDATE: (LP: #209627)
 + debian/patches/91_CVE-2008-1531.dpatch
  - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
    of service (active SSL connection loss) by triggering an SSL error,
    such as disconnecting before a download has finished, which causes
    all active SSL connections to be lost.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
 + http://trac.lighttpd.net/trac/changeset/2136
 + http://trac.lighttpd.net/trac/changeset/2139

19. By Emanuele Gentili on 2008-03-11

* SECURITY UPDATE: (LP: #200987)
 + debian/patches/91_CVE-2008-1270.dpatch
  - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
    uses a default of $HOME, which might allow remote attackers to read arbitrary
    files, as demonstrated by accessing the ~nobody directory.
* References
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
 + http://trac.lighttpd.net/trac/ticket/1587
 + http://trac.lighttpd.net/trac/changeset/2120

18. By Emanuele Gentili on 2008-03-05

* SECURITY UPDATE:
 + debian/patches/91_CVE-2008-1111.dpatch:
  - Fixes CVE-2008-1111
    "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
    source code of CGI scripts instead of a 500 error, which might allow
    remote attackers to obtain sensitive information." (LP: #198731)
* References
 + http://trac.lighttpd.net/trac/changeset/2107
 + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

17. By Emanuele Gentili on 2008-02-25

* SECURITY UPDATE:
  + debian/patches/90_maxfds_crash_fix.dpatch:
    - added patch from upstream to fix the maxfds issue (LP: #195380)
* References
  + http://trac.lighttpd.net/trac/ticket/1562

16. By Jamie Strandboge on 2007-09-10

* SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
  (backported from upstream 1.4.17)
* SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
  possible dereferencing a NULL pointer in buffer.c (both backported from
  upstream 1.4.17)
* SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
  improper handling of content length in HTTP headers. Patch from upstream
* References
  https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138309
  https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138310
  http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
  CVE-2007-4727

15. By Áron Sisak on 2007-08-08

* SECURITY UPDATE: remote crash on duplicate header keys with line-wrapping,
  various mod_auth bugs, mod_access bug and mod_fastcgi local DOS bug
  (LP:#127718)
* debian/patches/06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch:
  - Fixes header parsing bug (Lighttpd SA 2007:03, CVE 2007-3947)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_03.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
* debian/patches/07_security_lighttpd-1.4.x_mod_auth_sec.dpatch:
  - Fixes various mod_auth bugs (Lighttpd SA 2007:04-07, CVE 2007-3946)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_04.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_05.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_06.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_07.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_auth_sec.patch
* debian/patches/08_security_lighttpd-1.4.x_mod_access_bypass.dpatch:
  - Fixes mod_access bug (Lighttpd SA 2007:08, CVE 2007-3949)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_access_bypass.patch
* debian/patches/09_security_lighttpd-1.4.x_connections.dpatch:
  - Fixes crashes with accessing out of bound fd array index (CVE 2007-3948)
    - Description: http://secunia.com/cve_reference/CVE-2007-3948/
    - Patch: http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
* debian/patches/10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch
  - Fixes segmentation fault in mod_scgi, ... (CVE 2007-3950)
    - Description: http://secunia.com/cve_reference/CVE-2007-3950/
    - Patch: http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882
* References:
  - Summary: http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it
  - External references: http://secunia.com/advisories/26130/

14. By Scott Kitterman on 2007-04-23

* Added security fixes from 1.4.14 (Closes LP: #107628)
  - Remote DOS in CRLF parsing (CVE-2007-1869)
     debian/patches/04_security_crlf_parsing_dos.dpatch
  - DOS with files with mtime 0 (CVE-2007-1870)
     debian/patches/05_security_zero_mtime_crash.dpatch
* Change maintainer to MOTU

13. By Lukas Fittl <email address hidden> on 2006-10-10

* Merge from Debian unstable (Closes: Malone #64900). Remaining changes:
  - Add an additional dependency on libterm-readline-perl-perl
    (Malone #43895)

12. By Jérémie Corbier on 2006-09-22

Merge from debian unstable:
-> Keep the additional dependency on libterm-readline-perl-perl.

11. By Jérémie Corbier on 2006-08-17

* Merge from debian unstable:
  -> Restore B-D on libmemcache-dev.
  -> Keep the additional dependency on libterm-readline-perl-perl.
* debian/patches:
  -> Add 02_mod_ssl_post_fix.dpatch: fix a stall with POST requests between
     8317 and 16381 bytes long when mod_ssl is enabled.