ubuntu/+source/lighttpd:applied/ubuntu/dapper-updates

Last commit made on 2008-03-11
Get this branch:
git clone -b applied/ubuntu/dapper-updates https://git.launchpad.net/ubuntu/+source/lighttpd
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: applied/ubuntu/dapper-updates
Repository: lp:ubuntu/+source/lighttpd

Recent commits

92f792d... by Emanuele Gentili on 2008-03-11

Import patches-applied version 1.4.11-3ubuntu3.8 to applied/ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: f90352ff4e044d475d30340dab4ada9669358915
Unapplied parent: 73b28144c05891b077ad9d7f49542f821efcb9b9

New changelog entries:
  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

73b2814... by Emanuele Gentili on 2008-03-11

Import patches-unapplied version 1.4.11-3ubuntu3.8 to ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: b925f96284189945c1a324deff75153edd7ae223

New changelog entries:
  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

f90352f... by Emanuele Gentili on 2008-03-05

Import patches-applied version 1.4.11-3ubuntu3.7 to applied/ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: 2239f8dc3db06f9be5ffff152ec030d4de517865
Unapplied parent: b925f96284189945c1a324deff75153edd7ae223

New changelog entries:
  * SECURITY UPDATE:
   + debian/patches/91_CVE-2008-1111.dpatch:
    - Fixes CVE-2008-1111
      "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
      source code of CGI scripts instead of a 500 error, which might allow
      remote attackers to obtain sensitive information." (LP: #198731)
  * References
   + http://trac.lighttpd.net/trac/changeset/2107
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

b925f96... by Emanuele Gentili on 2008-03-05

Import patches-unapplied version 1.4.11-3ubuntu3.7 to ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: 3da61c1184d01c3c1c044fac155ae66d0e904952

New changelog entries:
  * SECURITY UPDATE:
   + debian/patches/91_CVE-2008-1111.dpatch:
    - Fixes CVE-2008-1111
      "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
      source code of CGI scripts instead of a 500 error, which might allow
      remote attackers to obtain sensitive information." (LP: #198731)
  * References
   + http://trac.lighttpd.net/trac/changeset/2107
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

2239f8d... by Emanuele Gentili on 2008-02-25

Import patches-applied version 1.4.11-3ubuntu3.6 to applied/ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: 9ce668f5d46b1330a485811048232db55aabed7d
Unapplied parent: 3da61c1184d01c3c1c044fac155ae66d0e904952

New changelog entries:
  * SECURITY UPDATE:
    + debian/patches/90_maxfds_crash_fix.dpatch:
      - added patch from upstream to fix the maxfds issue (LP: #195380)
  * References
    + http://trac.lighttpd.net/trac/ticket/1562

3da61c1... by Emanuele Gentili on 2008-02-25

Import patches-unapplied version 1.4.11-3ubuntu3.6 to ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: fd613004e5afce6e88f55ef3b136605b8877a409

New changelog entries:
  * SECURITY UPDATE:
    + debian/patches/90_maxfds_crash_fix.dpatch:
      - added patch from upstream to fix the maxfds issue (LP: #195380)
  * References
    + http://trac.lighttpd.net/trac/ticket/1562

9ce668f... by Jamie Strandboge on 2007-09-08

Import patches-applied version 1.4.11-3ubuntu3.5 to applied/ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: 9f84bc06c4d369920bbda98e2a1140aacb362caa
Unapplied parent: fd613004e5afce6e88f55ef3b136605b8877a409

New changelog entries:
  * SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
    (backported from upstream 1.4.17)
  * SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
    possible dereferencing of a NULL pointer in buffer.c (both backported from
    upstream 1.4.17)
  * SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
    improper handling of content length in HTTP headers. Patch from upstream
  * References
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138309
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138310
    http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
    CVE-2007-4727

fd61300... by Jamie Strandboge on 2007-09-08

Import patches-unapplied version 1.4.11-3ubuntu3.5 to ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: caca51372d2c3d986aed320b5508075f19c57646

New changelog entries:
  * SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
    (backported from upstream 1.4.17)
  * SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
    possible dereferencing of a NULL pointer in buffer.c (both backported from
    upstream 1.4.17)
  * SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
    improper handling of content length in HTTP headers. Patch from upstream
  * References
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138309
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138310
    http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
    CVE-2007-4727

9f84bc0... by Áron Sisak on 2007-08-08

Import patches-applied version 1.4.11-3ubuntu3.4 to applied/ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: da1682fa8e908a899f055f13c5e425c13d80bd2c
Unapplied parent: caca51372d2c3d986aed320b5508075f19c57646

New changelog entries:
  * SECURITY UPDATE: remote crash on duplicate header keys with line-wrapping,
    various mod_auth bugs, mod_access bug and mod_fastcgi local DOS bug
    (LP:#127718)
  * debian/patches/06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch:
    - Fixes header parsing bug (Lighttpd SA 2007:03, CVE 2007-3947)
      - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_03.txt
      - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
  * debian/patches/07_security_lighttpd-1.4.x_mod_auth_sec.dpatch:
    - Fixes various mod_auth bugs (Lighttpd SA 2007:04-07, CVE 2007-3946)
      - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_04.txt,
        http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_05.txt,
        http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_06.txt,
        http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_07.txt
      - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_auth_sec.patch
  * debian/patches/08_security_lighttpd-1.4.x_mod_access_bypass.dpatch:
    - Fixes mod_access bug (Lighttpd SA 2007:08, CVE 2007-3949)
      - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt
      - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_access_bypass.patch
  * debian/patches/09_security_lighttpd-1.4.x_connections.dpatch:
    - Fixes crashes with accessing out of bound fd array index (CVE 2007-3948)
      - Description: http://secunia.com/cve_reference/CVE-2007-3948/
      - Patch: http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
  * debian/patches/10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch
    - Fixes segmentation fault in mod_scgi, ... (CVE 2007-3950)
      - Description: http://secunia.com/cve_reference/CVE-2007-3950/
      - Patch: http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882
  * References:
    - Summary: http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it
    - External references: http://secunia.com/advisories/26130/

caca513... by Áron Sisak on 2007-08-08

Import patches-unapplied version 1.4.11-3ubuntu3.4 to ubuntu/dapper-security

Imported using git-ubuntu import.

Changelog parent: df0a6671a89bcf6f2285ad2e8c022426e362b0de

New changelog entries:
  * SECURITY UPDATE: remote crash on duplicate header keys with line-wrapping,
    various mod_auth bugs, mod_access bug and mod_fastcgi local DOS bug
    (LP:#127718)
  * debian/patches/06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch:
    - Fixes header parsing bug (Lighttpd SA 2007:03, CVE 2007-3947)
      - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_03.txt
      - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
  * debian/patches/07_security_lighttpd-1.4.x_mod_auth_sec.dpatch:
    - Fixes various mod_auth bugs (Lighttpd SA 2007:04-07, CVE 2007-3946)
      - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_04.txt,
        http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_05.txt,
        http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_06.txt,
        http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_07.txt
      - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_auth_sec.patch
  * debian/patches/08_security_lighttpd-1.4.x_mod_access_bypass.dpatch:
    - Fixes mod_access bug (Lighttpd SA 2007:08, CVE 2007-3949)
      - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt
      - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_access_bypass.patch
  * debian/patches/09_security_lighttpd-1.4.x_connections.dpatch:
    - Fixes crashes with accessing out of bound fd array index (CVE 2007-3948)
      - Description: http://secunia.com/cve_reference/CVE-2007-3948/
      - Patch: http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
  * debian/patches/10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch
    - Fixes segmentation fault in mod_scgi, ... (CVE 2007-3950)
      - Description: http://secunia.com/cve_reference/CVE-2007-3950/
      - Patch: http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882
  * References:
    - Summary: http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it
    - External references: http://secunia.com/advisories/26130/