- f17bb00... by Emanuele Gentili on 2008-04-06
Import patches-applied version 1.4.13-9ubuntu4.6 to applied/ubuntu/feisty-security
Imported using git-ubuntu import.
Changelog parent: d0ed48ec3a5919d7c6cba9c3d2093ec8958ce53b
Unapplied parent: 26afdfe5abe4757acbf140db3b616362b106c74e
New changelog entries:
  * SECURITY UPDATE: (LP: #209627)
    + debian/patches/91_CVE-2008-1531.dpatch
      - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
        of service (active SSL connection loss) by triggering an SSL error,
        such as disconnecting before a download has finished, which causes
        all active SSL connections to be lost.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
    + http://trac.lighttpd.net/trac/changeset/2136
    + http://trac.lighttpd.net/trac/changeset/2139
- 26afdfe... by Emanuele Gentili on 2008-04-06
Import patches-unapplied version 1.4.13-9ubuntu4.6 to ubuntu/feisty-security
Imported using git-ubuntu import.
Changelog parent: c022ef5795b6ef541bf6478f84024f86d464309b
New changelog entries:
  * SECURITY UPDATE: (LP: #209627)
    + debian/patches/91_CVE-2008-1531.dpatch
      - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
        of service (active SSL connection loss) by triggering an SSL error,
        such as disconnecting before a download has finished, which causes
        all active SSL connections to be lost.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
    + http://trac.lighttpd.net/trac/changeset/2136
    + http://trac.lighttpd.net/trac/changeset/2139
- d0ed48e... by Emanuele Gentili on 2008-03-11
Import patches-applied version 1.4.13-9ubuntu4.5 to applied/ubuntu/feisty-security
Imported using git-ubuntu import.
Changelog parent: ca88dfd7a5e58e0d5ee74542107326a6deb6b803
Unapplied parent: c022ef5795b6ef541bf6478f84024f86d464309b
New changelog entries:
  * SECURITY UPDATE: (LP: #200987)
    + debian/patches/91_CVE-2008-1270.dpatch
      - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
        uses a default of $HOME, which might allow remote attackers to read arbitrary
        files, as demonstrated by accessing the ~nobody directory.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
    + http://trac.lighttpd.net/trac/ticket/1587
    + http://trac.lighttpd.net/trac/changeset/2120
- c022ef5... by Emanuele Gentili on 2008-03-11
Import patches-unapplied version 1.4.13-9ubuntu4.5 to ubuntu/feisty-security
Imported using git-ubuntu import.
Changelog parent: bdd8e3e0a7f04f379283ab6997a99edcc056dabc
New changelog entries:
  * SECURITY UPDATE: (LP: #200987)
    + debian/patches/91_CVE-2008-1270.dpatch
      - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
        uses a default of $HOME, which might allow remote attackers to read arbitrary
        files, as demonstrated by accessing the ~nobody directory.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
    + http://trac.lighttpd.net/trac/ticket/1587
    + http://trac.lighttpd.net/trac/changeset/2120
- ca88dfd... by Emanuele Gentili on 2008-03-05
Import patches-applied version 1.4.13-9ubuntu4.4 to applied/ubuntu/feisty-security
Imported using git-ubuntu import.
Changelog parent: 35894bb49432348416dbb5a680c4eb410b2fce23
Unapplied parent: bdd8e3e0a7f04f379283ab6997a99edcc056dabc
New changelog entries:
  * SECURITY UPDATE:
    + debian/patches/91_CVE-2008-1111.dpatch:
      - Fixes CVE-2008-1111
        "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
        source code of CGI scripts instead of a 500 error, which might allow
        remote attackers to obtain sensitive information." (LP: #198731)
  * References
    + http://trac.lighttpd.net/trac/changeset/2107
    + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111
- bdd8e3e... by Emanuele Gentili on 2008-03-05
Import patches-unapplied version 1.4.13-9ubuntu4.4 to ubuntu/feisty-security
Imported using git-ubuntu import.
Changelog parent: 197815c8ff4df599c47faa8a7247571d9864ae22
New changelog entries:
  * SECURITY UPDATE:
    + debian/patches/91_CVE-2008-1111.dpatch:
      - Fixes CVE-2008-1111
        "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
        source code of CGI scripts instead of a 500 error, which might allow
        remote attackers to obtain sensitive information." (LP: #198731)
  * References
    + http://trac.lighttpd.net/trac/changeset/2107
    + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111
- 35894bb... by Emanuele Gentili on 2008-02-25
Import patches-applied version 1.4.13-9ubuntu4.3 to applied/ubuntu/feisty-security
Imported using git-ubuntu import.
Changelog parent: aacb89b7d59eb75f974ef4cc11d9e8e2ca9459e4
Unapplied parent: 197815c8ff4df599c47faa8a7247571d9864ae22
New changelog entries:
  * SECURITY UPDATE:
    + debian/patches/90_maxfds_crash_fix.dpatch:
      - added patch from upstream to fix the maxfds issue (LP: #195380)
  * References
    + http://trac.lighttpd.net/trac/ticket/1562
- 197815c... by Emanuele Gentili on 2008-02-25
Import patches-unapplied version 1.4.13-9ubuntu4.3 to ubuntu/feisty-security
Imported using git-ubuntu import.
Changelog parent: 56402d93851f3d69b72ca471919ce1b27df6192f
New changelog entries:
  * SECURITY UPDATE:
    + debian/patches/90_maxfds_crash_fix.dpatch:
      - added patch from upstream to fix the maxfds issue (LP: #195380)
  * References
    + http://trac.lighttpd.net/trac/ticket/1562
- aacb89b... by Jamie Strandboge on 2007-09-10
Import patches-applied version 1.4.13-9ubuntu4.2 to applied/ubuntu/feisty-security
Imported using git-ubuntu import.
Changelog parent: 5d521bb3c95ed21858660227583e07e33d86dc7e
Unapplied parent: 56402d93851f3d69b72ca471919ce1b27df6192f
New changelog entries:
  * SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
    (backported from upstream 1.4.17)
  * SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
    possible dereferencing a NULL pointer in buffer.c (both backported from
    upstream 1.4.17)
  * SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
    improper handling of content length in HTTP headers. Patch from upstream
  * References
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138309
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138310
    http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
    CVE-2007-4727
- 56402d9... by Jamie Strandboge on 2007-09-10
Import patches-unapplied version 1.4.13-9ubuntu4.2 to ubuntu/feisty-security
Imported using git-ubuntu import.
Changelog parent: 13687668e5c93150b33fb2d54529ddaa003173ec
New changelog entries:
  * SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
    (backported from upstream 1.4.17)
  * SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
    possible dereferencing a NULL pointer in buffer.c (both backported from
    upstream 1.4.17)
  * SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
    improper handling of content length in HTTP headers. Patch from upstream
  * References
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138309
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138310
    http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
    CVE-2007-4727