lp:ubuntu/feisty-updates/lighttpd
- Get this branch: bzr branch lp:ubuntu/feisty-updates/lighttpd
Recent revisions
- 27. By Emanuele Gentili
  * SECURITY UPDATE: (LP: #209627)
    + debian/patches/91_CVE-2008-1531.dpatch
      - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
        of service (active SSL connection loss) by triggering an SSL error,
        such as disconnecting before a download has finished, which causes
        all active SSL connections to be lost.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
    + http://trac.lighttpd.net/trac/changeset/2136
    + http://trac.lighttpd.net/trac/changeset/2139
- 26. By Emanuele Gentili
  * SECURITY UPDATE: (LP: #200987)
    + debian/patches/91_CVE-2008-1270.dpatch
      - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
        uses a default of $HOME, which might allow remote attackers to read arbitrary
        files, as demonstrated by accessing the ~nobody directory.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
    + http://trac.lighttpd.net/trac/ticket/1587
    + http://trac.lighttpd.net/trac/changeset/2120
- 25. By Emanuele Gentili
  * SECURITY UPDATE:
    + debian/patches/91_CVE-2008-1111.dpatch:
      - Fixes CVE-2008-1111
        "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
        source code of CGI scripts instead of a 500 error, which might allow
        remote attackers to obtain sensitive information." (LP: #198731)
  * References
    + http://trac.lighttpd.net/trac/changeset/2107
    + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111
- 24. By Emanuele Gentili
  * SECURITY UPDATE:
    + debian/patches/90_maxfds_crash_fix.dpatch:
      - added patch from upstream to fix the maxfds issue (LP: #195380)
  * References
    + http://trac.lighttpd.net/trac/ticket/1562
- 23. By Jamie Strandboge
  * SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
    (backported from upstream 1.4.17)
  * SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
    possible dereferencing a NULL pointer in buffer.c (both backported from
    upstream 1.4.17)
  * SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
    improper handling of content length in HTTP headers. Patch from upstream
  * References
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138309
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138310
    http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
    CVE-2007-4727
- 22. By Áron Sisak
  * SECURITY UPDATE: remote crash on duplicate header keys with line-wrapping,
    various mod_auth bugs, mod_access bug and mod_fastcgi local DOS bug
    (LP: #127718)
  * debian/patches/06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch:
    - Fixes header parsing bug (Lighttpd SA 2007:03, CVE 2007-3947)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_03.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
  * debian/patches/07_security_lighttpd-1.4.x_mod_auth_sec.dpatch:
    - Fixes various mod_auth bugs (Lighttpd SA 2007:04-07, CVE 2007-3946)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_04.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_05.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_06.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_07.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_auth_sec.patch
  * debian/patches/08_security_lighttpd-1.4.x_mod_access_bypass.dpatch:
    - Fixes mod_access bug (Lighttpd SA 2007:08, CVE 2007-3949)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_access_bypass.patch
  * debian/patches/09_security_lighttpd-1.4.x_connections.dpatch:
    - Fixes crashes with accessing out of bound fd array index (CVE 2007-3948)
    - Description: http://secunia.com/cve_reference/CVE-2007-3948/
    - Patch: http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
  * debian/patches/10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch
    - Fixes segmentation fault in mod_scgi, ... (CVE 2007-3950)
    - Description: http://secunia.com/cve_reference/CVE-2007-3950/
    - Patch: http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882
  * References:
    - Summary: http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it
    - External references: http://secunia.com/advisories/26130/
- 21. By Lukas Fittl
  * Added LDAP connection leak fix from Debian (Bug: #413917)
    - debian/patches/03_ldap_leak_bugfix.dpatch
  * Added security fixes from 1.4.14 (Closes LP: #106416)
    - Remote DOS in CRLF parsing (CVE-2007-1869)
      debian/patches/04_security_crlf_parsing_dos.dpatch
    - DOS with files with mtime 0 (CVE-2007-1870)
      debian/patches/05_security_zero_mtime_crash.dpatch
- 18. By Adrien Cunin
  * Merge from Debian unstable. Remaining Ubuntu changes:
    - Clean environment in init.d script
    - Replace Depends: on perl with Depends: on libterm-readline-perl-perl
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:ubuntu/karmic/lighttpd