lp:ubuntu/edgy-updates/lighttpd
- Get this branch:
- bzr branch lp:ubuntu/edgy-updates/lighttpd
Recent revisions
- 20. By Emanuele Gentili

  * SECURITY UPDATE: (LP: #209627)
    + debian/patches/91_CVE-2008-1531.dpatch
      - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
        of service (active SSL connection loss) by triggering an SSL error,
        such as disconnecting before a download has finished, which causes
        all active SSL connections to be lost.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
    + http://trac.lighttpd.net/trac/changeset/2136
    + http://trac.lighttpd.net/trac/changeset/2139

- 19. By Emanuele Gentili

  * SECURITY UPDATE: (LP: #200987)
    + debian/patches/91_CVE-2008-1270.dpatch
      - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
        uses a default of $HOME, which might allow remote attackers to read arbitrary
        files, as demonstrated by accessing the ~nobody directory.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
    + http://trac.lighttpd.net/trac/ticket/1587
    + http://trac.lighttpd.net/trac/changeset/2120

- 18. By Emanuele Gentili

  * SECURITY UPDATE:
    + debian/patches/91_CVE-2008-1111.dpatch:
      - Fixes CVE-2008-1111
        "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
        source code of CGI scripts instead of a 500 error, which might allow
        remote attackers to obtain sensitive information." (LP: #198731)
  * References
    + http://trac.lighttpd.net/trac/changeset/2107
    + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

- 17. By Emanuele Gentili

  * SECURITY UPDATE:
    + debian/patches/90_maxfds_crash_fix.dpatch:
      - added patch from upstream to fix the maxfds issue (LP: #195380)
  * References
    + http://trac.lighttpd.net/trac/ticket/1562

- 16. By Jamie Strandboge

  * SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
    (backported from upstream 1.4.17)
  * SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
    possible dereferencing of a NULL pointer in buffer.c (both backported from
    upstream 1.4.17)
  * SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
    improper handling of content length in HTTP headers. Patch from upstream
  * References
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138309
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138310
    http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
    CVE-2007-4727

- 15. By Áron Sisak

  * SECURITY UPDATE: remote crash on duplicate header keys with line-wrapping,
    various mod_auth bugs, mod_access bug and mod_fastcgi local DOS bug
    (LP: #127718)
  * debian/patches/06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch:
    - Fixes header parsing bug (Lighttpd SA 2007:03, CVE-2007-3947)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_03.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
  * debian/patches/07_security_lighttpd-1.4.x_mod_auth_sec.dpatch:
    - Fixes various mod_auth bugs (Lighttpd SA 2007:04-07, CVE-2007-3946)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_04.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_05.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_06.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_07.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_auth_sec.patch
  * debian/patches/08_security_lighttpd-1.4.x_mod_access_bypass.dpatch:
    - Fixes mod_access bug (Lighttpd SA 2007:08, CVE-2007-3949)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_access_bypass.patch
  * debian/patches/09_security_lighttpd-1.4.x_connections.dpatch:
    - Fixes crashes with accessing out of bound fd array index (CVE-2007-3948)
    - Description: http://secunia.com/cve_reference/CVE-2007-3948/
    - Patch: http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
  * debian/patches/10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch
    - Fixes segmentation fault in mod_scgi, ... (CVE-2007-3950)
    - Description: http://secunia.com/cve_reference/CVE-2007-3950/
    - Patch: http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882
  * References:
    - Summary: http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it
    - External references: http://secunia.com/advisories/26130/

- 14. By Scott Kitterman

  * Added security fixes from 1.4.14 (Closes LP: #107628)
    - Remote DOS in CRLF parsing (CVE-2007-1869)
      debian/patches/04_security_crlf_parsing_dos.dpatch
    - DOS with files with mtime 0 (CVE-2007-1870)
      debian/patches/05_security_zero_mtime_crash.dpatch
  * Change maintainer to MOTU

- 13. By Lukas Fittl

  * Merge from Debian unstable (Closes: Malone #64900). Remaining changes:
    - Add an additional dependency on libterm-readline-perl-perl
      (Malone #43895)

- 12. By Jérémie Corbier

  Merge from debian unstable:
    -> Keep the additional dependency on libterm-readline-perl-perl.

- 11. By Jérémie Corbier

  * Merge from debian unstable:
    -> Restore B-D on libmemcache-dev.
    -> Keep the additional dependency on libterm-readline-perl-perl.
  * debian/patches:
    -> Add 02_mod_ssl_post_fix.dpatch: fix a stall with POST requests between
       8317 and 16381 bytes long when mod_ssl is enabled.

Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/karmic/lighttpd