Last commit made on 2008-04-17
Get this branch:
git clone -b ubuntu/edgy-security https://git.launchpad.net/ubuntu/+source/lighttpd

Recent commits

65e897b... by Emanuele Gentili on 2008-04-07

Import patches-unapplied version 1.4.13~r1370-1ubuntu1.7 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 911d4fd0059c2ad659b96aec7d768aa94f3efc56

New changelog entries:
  * SECURITY UPDATE: (LP: #209627)
   + debian/patches/91_CVE-2008-1531.dpatch
    - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
      of service (active SSL connection loss) by triggering an SSL error,
      such as disconnecting before a download has finished, which causes
      all active SSL connections to be lost.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
   + http://trac.lighttpd.net/trac/changeset/2136
   + http://trac.lighttpd.net/trac/changeset/2139

911d4fd... by Emanuele Gentili on 2008-03-11

Import patches-unapplied version 1.4.13~r1370-1ubuntu1.6 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 09fae650b37f593f0fb41697f9cdba457283c4c3

New changelog entries:
  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

09fae65... by Emanuele Gentili on 2008-03-05

Import patches-unapplied version 1.4.13~r1370-1ubuntu1.5 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: c3fefbafedf636ff6f658b1c08862ddca451b137

New changelog entries:
   + debian/patches/91_CVE-2008-1111.dpatch:
    - Fixes CVE-2008-1111
      "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
      source code of CGI scripts instead of a 500 error, which might allow
      remote attackers to obtain sensitive information." (LP: #198731)
  * References
   + http://trac.lighttpd.net/trac/changeset/2107
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

c3fefba... by Emanuele Gentili on 2008-02-25

Import patches-unapplied version 1.4.13~r1370-1ubuntu1.4 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 7b3ea9a1cd6189b267c06565f52c0a1eca7a01d9

New changelog entries:
    + debian/patches/90_maxfds_crash_fix.dpatch:
      - added patch from upstream to fix the maxfds issue (LP: #195380)
  * References
    + http://trac.lighttpd.net/trac/ticket/1562

7b3ea9a... by Jamie Strandboge on 2007-09-10

Import patches-unapplied version 1.4.13~r1370-1ubuntu1.3 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: 6e24f09948d9c5e2c071bee637c7a0e494f62cd3

New changelog entries:
  * SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
    (backported from upstream 1.4.17)
  * SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
    possible dereferencing of a NULL pointer in buffer.c (both backported from
    upstream 1.4.17)
  * SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
    improper handling of content length in HTTP headers. Patch from upstream
  * References

6e24f09... by Áron Sisak on 2007-08-08

Import patches-unapplied version 1.4.13~r1370-1ubuntu1.2 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: f1caf44fd2d51963bc5e867c736b106770e9d004

New changelog entries:
  * SECURITY UPDATE: remote crash on duplicate header keys with line-wrapping,
    various mod_auth bugs, mod_access bug and mod_fastcgi local DOS bug
  * debian/patches/06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch:
    - Fixes header parsing bug (Lighttpd SA 2007:03, CVE 2007-3947)
      - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_03.txt
      - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
  * debian/patches/07_security_lighttpd-1.4.x_mod_auth_sec.dpatch:
    - Fixes various mod_auth bugs (Lighttpd SA 2007:04-07, CVE 2007-3946)
      - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_04.txt,
      - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_auth_sec.patch
  * debian/patches/08_security_lighttpd-1.4.x_mod_access_bypass.dpatch:
    - Fixes mod_access bug (Lighttpd SA 2007:08, CVE 2007-3949)
      - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt
      - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_access_bypass.patch
  * debian/patches/09_security_lighttpd-1.4.x_connections.dpatch:
    - Fixes crashes with accessing out of bound fd array index (CVE 2007-3948)
      - Description: http://secunia.com/cve_reference/CVE-2007-3948/
      - Patch: http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
  * debian/patches/10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch
    - Fixes segmentation fault in mod_scgi, ... (CVE 2007-3950)
      - Description: http://secunia.com/cve_reference/CVE-2007-3950/
      - Patch: http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882
  * References:
    - Summary: http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it
    - External references: http://secunia.com/advisories/26130/

f1caf44... by Scott Kitterman on 2007-04-23

Import patches-unapplied version 1.4.13~r1370-1ubuntu1.1 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: ac9d9d05a580639e973b392263d10d9fbb4d9337

New changelog entries:
  * Added security fixes from 1.4.14 (Closes LP: #107628)
    - Remote DOS in CRLF parsing (CVE-2007-1869)
    - DOS with files with mtime 0 (CVE-2007-1870)
  * Change maintainer to MOTU

ac9d9d0... by Lukas Fittl <email address hidden> on 2006-10-10

Import patches-unapplied version 1.4.13~r1370-1ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 476df775a9df4a1faffdd3daded711d32d1a152c

New changelog entries:
  * Merge from Debian unstable (Closes: Malone #64900). Remaining changes:
    - Add an additional dependency on libterm-readline-perl-perl
      (Malone #43895)
  * New upstream release (closes: #390877) (closes: #389911)
  * Compiled with --with-attr param (closes: #389712)
  * dropped 01-lua5.1.dpatch, issue fixed by upstream
  * New upstream release
  * fixes in debian/lighttpd.install (closes: #377802)
  * mod_cml is deprecated from now on and it will be removed in 1.5.0
    mod_magnet provides the same functionality and more with a
    cleaner syntax and in a more generic form
  * added separate module for mod_magnet (closes: #389578)
  * changed dependency from lua-5.0 to lua-5.1
  * added patch patches/01-lua5.1.dpatch
  * added pkg-config to Build-Depends

476df77... by Jérémie Corbier on 2006-09-23

Import patches-unapplied version 1.4.12~20060907-1ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: e86daddbaa70030d478b6a73b8c63071f758045e

New changelog entries:
  * Merge from debian unstable:
    -> Keep the additional dependency on libterm-readline-perl-perl.
  * New upstream release
  * Removed debian/patches/01_use_bin_sh.dpatch - fixed in upstream
  * New upstream release
  * Removed debian/patches/02_ssl_fix.dpatch - it's now fixed in upstream
  * debian/lighttpd.dirs:
   + usr/lib/cgi-bin added
  * debian/conf-available/10-cgi.conf
   + proper configuration for localhost as well (again Bug#345554)
  * debian/lighttpd.conf:
   + server.bind commented out as in default configuration (closes: #380267)
  * debian/patches/02_ssl_fix.dpatch - added fix for ssl connection with POST
    request (http://trac.lighttpd.net/trac/ticket/607), thanks to
    RISKO Gergely <email address hidden> (closes: #381455)
  * debian/lighttpd.logrotate - some value changes (now rotate weekly
    and keep 12 logfiles)

e86dadd... by Jérémie Corbier on 2006-08-17

Import patches-unapplied version 1.4.11-7ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 8170947f5134af5ecfea7d588c0df73fcab2adab

New changelog entries:
  * Merge from debian unstable:
    -> Restore B-D on libmemcache-dev.
    -> Keep the additional dependency on libterm-readline-perl-perl.
  * debian/patches:
    -> Add 02_mod_ssl_post_fix.dpatch: fix a stall with POST requests between
       8317 and 16381 bytes long when mod_ssl is enabled.
  * debian/create-mime.assign.pl - catchup error when /etc/mime.types is not
    readable (closes: #375347)
  * debian/control:
   - Recommends: Changed to alternative: php4-cgi | php5-cgi (closes: #368215)
  * include-conf-enabled.pl script changed according to patch from
    Tobias Gruetzmacher <email address hidden> (closes: #368352)
  * debian/lighttpd.conf: removed global for local aliases (/images/, /doc/)
    (closes: #366801)
  * debian/init.d:
   - --oknodo added to section "stop" to close finally #35979
   - --retry 30 added to section "reload", to prevent problems with
     logrotating (closes: #366366)
  * debian/control:
   Standards-Version: increased to 3.7.2 without additional changes
  [ Krzysztof Krzyzaniak (eloy) ]
  * debian/init.d:
   - "exit 1" after failed actions removed (closes: #359792)
  * debian/conf-available/10-fastcgi.conf updated (closes: #362827)
    thanks to Joerg Rieger <a.mailinglists#lumrix.net>
  [ Torsten Marek ]
  * Change my email address to <email address hidden>
  * Remove --background from the start action, since it
    breaks the error checking of start-stop-daemon.
    The behaviour described in #355865 is not reproducible
    any more.
  * make reload action in initscript more well-behaved