7b4ae17... by Emanuele Gentili on 2008-04-07

Import patches-applied version 1.4.13~r1370-1ubuntu1.7 to applied/ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 668933803178ffc56a672c2dd787e06693b657af
Unapplied parent: 65e897b19f2abb6a6c3586cc5164efff9eb13483

New changelog entries:
  * SECURITY UPDATE: (LP: #209627)
    + debian/patches/91_CVE-2008-1531.dpatch
      - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
        of service (active SSL connection loss) by triggering an SSL error,
        such as disconnecting before a download has finished, which causes
        all active SSL connections to be lost.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
    + http://trac.lighttpd.net/trac/changeset/2136
    + http://trac.lighttpd.net/trac/changeset/2139

65e897b... by Emanuele Gentili on 2008-04-07

Import patches-unapplied version 1.4.13~r1370-1ubuntu1.7 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 911d4fd0059c2ad659b96aec7d768aa94f3efc56

New changelog entries:
  * SECURITY UPDATE: (LP: #209627)
    + debian/patches/91_CVE-2008-1531.dpatch
      - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
        of service (active SSL connection loss) by triggering an SSL error,
        such as disconnecting before a download has finished, which causes
        all active SSL connections to be lost.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
    + http://trac.lighttpd.net/trac/changeset/2136
    + http://trac.lighttpd.net/trac/changeset/2139

6689338... by Emanuele Gentili on 2008-03-11

Import patches-applied version 1.4.13~r1370-1ubuntu1.6 to applied/ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 0a06d163bad888140d6652c73bc2a21d5149f871
Unapplied parent: 911d4fd0059c2ad659b96aec7d768aa94f3efc56

New changelog entries:
  * SECURITY UPDATE: (LP: #200987)
    + debian/patches/91_CVE-2008-1270.dpatch
      - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
        uses a default of $HOME, which might allow remote attackers to read arbitrary
        files, as demonstrated by accessing the ~nobody directory.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
    + http://trac.lighttpd.net/trac/ticket/1587
    + http://trac.lighttpd.net/trac/changeset/2120

911d4fd... by Emanuele Gentili on 2008-03-11

Import patches-unapplied version 1.4.13~r1370-1ubuntu1.6 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 09fae650b37f593f0fb41697f9cdba457283c4c3

New changelog entries:
  * SECURITY UPDATE: (LP: #200987)
    + debian/patches/91_CVE-2008-1270.dpatch
      - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
        uses a default of $HOME, which might allow remote attackers to read arbitrary
        files, as demonstrated by accessing the ~nobody directory.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
    + http://trac.lighttpd.net/trac/ticket/1587
    + http://trac.lighttpd.net/trac/changeset/2120

0a06d16... by Emanuele Gentili on 2008-03-05

Import patches-applied version 1.4.13~r1370-1ubuntu1.5 to applied/ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 7dbf54a5a525d964c00db5ea96944c0cbc117137
Unapplied parent: 09fae650b37f593f0fb41697f9cdba457283c4c3

New changelog entries:
  * SECURITY UPDATE:
    + debian/patches/91_CVE-2008-1111.dpatch:
      - Fixes CVE-2008-1111
        "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
        source code of CGI scripts instead of a 500 error, which might allow
        remote attackers to obtain sensitive information." (LP: #198731)
  * References
    + http://trac.lighttpd.net/trac/changeset/2107
    + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

09fae65... by Emanuele Gentili on 2008-03-05

Import patches-unapplied version 1.4.13~r1370-1ubuntu1.5 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: c3fefbafedf636ff6f658b1c08862ddca451b137

New changelog entries:
  * SECURITY UPDATE:
    + debian/patches/91_CVE-2008-1111.dpatch:
      - Fixes CVE-2008-1111
        "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
        source code of CGI scripts instead of a 500 error, which might allow
        remote attackers to obtain sensitive information." (LP: #198731)
  * References
    + http://trac.lighttpd.net/trac/changeset/2107
    + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

7dbf54a... by Emanuele Gentili on 2008-02-25

Import patches-applied version 1.4.13~r1370-1ubuntu1.4 to applied/ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 416bb70023b9389fbfb6fd81694f4f46433f21a8
Unapplied parent: c3fefbafedf636ff6f658b1c08862ddca451b137

New changelog entries:
  * SECURITY UPDATE:
    + debian/patches/90_maxfds_crash_fix.dpatch:
      - added patch from upstream to fix the maxfds issue (LP: #195380)
  * References
    + http://trac.lighttpd.net/trac/ticket/1562

c3fefba... by Emanuele Gentili on 2008-02-25

Import patches-unapplied version 1.4.13~r1370-1ubuntu1.4 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 7b3ea9a1cd6189b267c06565f52c0a1eca7a01d9

New changelog entries:
  * SECURITY UPDATE:
    + debian/patches/90_maxfds_crash_fix.dpatch:
      - added patch from upstream to fix the maxfds issue (LP: #195380)
  * References
    + http://trac.lighttpd.net/trac/ticket/1562

416bb70... by Jamie Strandboge on 2007-09-10

Import patches-applied version 1.4.13~r1370-1ubuntu1.3 to applied/ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: ea8c6266e2c12d890a6c7d1a64b54777f22a6998
Unapplied parent: 7b3ea9a1cd6189b267c06565f52c0a1eca7a01d9

New changelog entries:
  * SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
    (backported from upstream 1.4.17)
  * SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
    possible dereferencing a NULL pointer in buffer.c (both backported from
    upstream 1.4.17)
  * SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
    improper handling of content length in HTTP headers. Patch from upstream
  * References
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138309
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138310
    http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
    CVE-2007-4727

7b3ea9a... by Jamie Strandboge on 2007-09-10

Import patches-unapplied version 1.4.13~r1370-1ubuntu1.3 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 6e24f09948d9c5e2c071bee637c7a0e494f62cd3

New changelog entries:
  * SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
    (backported from upstream 1.4.17)
  * SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
    possible dereferencing a NULL pointer in buffer.c (both backported from
    upstream 1.4.17)
  * SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
    improper handling of content length in HTTP headers. Patch from upstream
  * References
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138309
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138310
    http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
    CVE-2007-4727