Hello community, here is the log from the commit of package lighttpd for openSUSE:Factory checked in at 2012-06-12 07:09:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lighttpd (Old) and /work/SRC/openSUSE:Factory/.lighttpd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lighttpd", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/lighttpd/lighttpd.changes 2012-06-10 21:51:40.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.lighttpd.new/lighttpd.changes 2012-06-12 07:09:20.000000000 +0200 @@ -1,0 +2,6 @@ +Mon Jun 11 11:20:41 UTC 2012 - [email protected] + +- Fix the previous change: + We only need that patch on 12.2 + +------------------------------------------------------------------- Old: ---- lighttpd_1.4.30-0.1.debian.tar.gz lighttpd_1.4.30-0.1.dsc New: ---- lighttpd_1.4.31-1.debian.tar.gz lighttpd_1.4.31-1.dsc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lighttpd.spec ++++++ --- /var/tmp/diff_new_pack.PIdiaW/_old 2012-06-12 07:09:21.000000000 +0200 +++ /var/tmp/diff_new_pack.PIdiaW/_new 2012-06-12 07:09:21.000000000 +0200 @@ -62,7 +62,9 @@ %else BuildRequires: lua-devel %endif +%if 0%{?suse_version} > 1010 %define with_geoip 1 +%endif %else BuildRequires: lua-devel %if 0%{?sles_version} == 9 @@ -100,7 +102,7 @@ Source6: lighttpd-ssl.SuSEfirewall Source7: lighttpd.logrotate # this is just dummy to pass the check for factory and still have one package for deb and rpm -Source99: lighttpd_1.4.30-0.1.debian.tar.gz +Source99: lighttpd_1.4.31-1.debian.tar.gz Patch: lighttpd-1.4.13_geoip.patch Patch1: lighttpd-automake.patch # @@ -288,6 +290,8 @@ %setup %if 0%{?with_geoip} %patch +%endif +%if 0%{?suse_version} > 1210 %patch1 -p1 %endif perl -p -i -e 's| tar-ustar||g' configure.ac ++++++ lighttpd_1.4.30-0.1.debian.tar.gz -> lighttpd_1.4.31-1.debian.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/NEWS new/debian/NEWS --- old/debian/NEWS 2011-05-24 00:02:39.000000000 +0200 +++ new/debian/NEWS 2012-02-27 19:53:39.000000000 +0100 
@@ -1,3 +1,25 @@ +lighttpd (1.4.30-1) unstable; urgency=medium + + This releases includes an option to force Lighttpd to honor the cipher order + in ssl.cipher-list. This mitigates the effects of a SSL CBC attack commonly + referred to as "BEAST attack". See [1] and CVE-2011-3389 for more details. + + To minimze the risk of this attack it is recommended either to disable all CBC + ciphers (beware: this will break reasonably old clients or those who support + CBC ciphers only), or pursue clients to use safe ciphers where possible at + least. To do so, set + + ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" + ssl.honor-cipher-order = "enable" + + in your /etc/lighttpd/conf-available/10-ssl.conf file or on any SSL enabled + host you configured. If you did not change this file previously, this upgrade + will update it automatically. + + [1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html + + -- Arno Töll <[email protected]> Sun, 18 Dec 2011 20:26:50 +0100 + lighttpd (1.4.23-1) unstable; urgency=low spawn-fcgi is now separate package. Please install "spawn-fcgi" package if diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/changelog new/debian/changelog --- old/debian/changelog 2011-12-18 16:54:12.000000000 +0100 +++ new/debian/changelog 2012-06-02 00:15:25.000000000 +0200 
@@ -1,9 +1,44 @@ -lighttpd (1.4.30-0.1) unstable; urgency=low +lighttpd (1.4.31-1) unstable; urgency=low - * Non-maintainer upload. * New upstream release + * Be more careful when removing dangling symlinks, as introduced in 1.4.30-1. + Under some configurations the postrm script could fail previously. + * Change the use-ipv6.pl script to read the default listening port as a + command line argument, fall back to the old default behavior otherwise + (Closes: #632723, #642604). Thanks to Sebastian Pipping to accidentally + give a hint how to fix this old problem by driving by. + * Push standards version to 3.9.3.1 - no further changes + * Fix "[lighttpd] "ldap" lowercase in extended description" by fixing the + typo (Closes: #670206) + * Update my maintainer address - -- Stefan Bühler <[email protected]> Sun, 18 Dec 2011 15:54:01 +0000 + -- Arno Töll <[email protected]> Fri, 01 Jun 2012 23:46:05 +0200 + +lighttpd (1.4.30-1) unstable; urgency=medium + + * New upstream release + + Fix integer overflow (CVE-2011-4362) (Closes: #652726) + + Fix attack vector as disclosed by the SSL BEAST attack (related: + CVE-2011-3389). Note: If you are upgrading from an older version you need + to change your configuration to mitigate effects of the attack. See the + corresponding NEWS file for details. + + Count SSL renegotiations to prevent client renegotiations + * Urgency set to medium due to security updates. + * Adapt to dpkg 1.16.1 API changes regarding build flags. This enables + hardening build flags. This means, lighttpd is now being built with + -fstack-protector and other security related build flags. + * Add dpkg-dev (>= 1.16.1~) to build-depends to make sure our buildflags are + properly supported. That's guaranteed for Testing, but might be helpful to + know for backporters. + * Fix "Doesn't remove /etc/lighttpd on purge" by removing dangling symlinks + /only/. 
This does not entirely fix the problem of the maintainer, but we can + not simply remove all files in /etc/lighttpd as other packages or the user + himself might have left configuration files back (Closes: #642494) + * Fix "please include systemd service file" Support systemd as alternative to + sysvinit, ship systemd and tempfiles.d configuration files. Thanks to + Michael Stapelberg for providing the required files (Closes: #652442) + + -- Arno Töll <[email protected]> Tue, 20 Dec 2011 11:36:09 +0100 lighttpd (1.4.29-1) unstable; urgency=low diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/conf-available/10-ssl.conf new/debian/conf-available/10-ssl.conf --- old/debian/conf-available/10-ssl.conf 2011-05-24 00:02:39.000000000 +0200 +++ new/debian/conf-available/10-ssl.conf 2012-02-27 19:53:39.000000000 +0100 @@ -3,4 +3,7 @@ $SERVER["socket"] == "0.0.0.0:443" { ssl.engine = "enable" ssl.pemfile = "/etc/lighttpd/server.pem" + + ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" + ssl.honor-cipher-order = "enable" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/control new/debian/control --- old/debian/control 2011-07-04 17:37:00.000000000 +0200 +++ new/debian/control 2012-04-24 11:27:29.000000000 +0200 
@@ -4,21 +4,22 @@ Maintainer: Debian lighttpd maintainers <[email protected]> Uploaders: Krzysztof Krzyżaniak (eloy) <[email protected]>, Olaf van der Spek <[email protected]>, - Arno Töll <[email protected]> + Arno Töll <[email protected]> Homepage: http://lighttpd.net/ Build-Depends: debhelper (>= 8), mime-support, libssl-dev, zlib1g-dev, libbz2-dev, libattr1-dev, libpcre3-dev, libmysqlclient-dev, libfam-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev, liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev, - libxml2-dev, libkrb5-dev, perl + libxml2-dev, libkrb5-dev, perl, dpkg-dev (>= 1.16.1~) Vcs-Svn: svn://svn.debian.org/pkg-lighttpd/lighttpd/trunk Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-lighttpd/lighttpd/trunk/ -Standards-Version: 3.9.2.0 +Standards-Version: 3.9.3.1 Package: lighttpd Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends}, - lsb-base (>= 3.2-14), mime-support, libterm-readline-perl-perl + lsb-base (>= 3.2-14) | systemd (>= 29.1), mime-support, + libterm-readline-perl-perl Provides: httpd, httpd-cgi Suggests: openssl, rrdtool, apache2-utils Recommends: spawn-fcgi @@ -29,7 +30,7 @@ * CGI, FastCGI and SSI * virtual hosts * URL rewriting - * authentication (plain files, htpasswd, ldap) + * authentication (plain files, htpasswd, LDAP) * transparent content compression * conditional configuration and configuration is straight-forward and easy. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/lighttpd.conf new/debian/lighttpd.conf --- old/debian/lighttpd.conf 2011-05-24 00:02:39.000000000 +0200 +++ new/debian/lighttpd.conf 2012-03-28 00:57:25.000000000 +0200 @@ -12,6 +12,8 @@ server.pid-file = "/var/run/lighttpd.pid" server.username = "www-data" server.groupname = "www-data" +server.port = 80 + index-file.names = ( "index.php", "index.html", "index.lighttpd.html" ) url.access-deny = ( "~", ".inc" ) 
@@ -20,6 +22,7 @@ compress.cache-dir = "/var/cache/lighttpd/compress/" compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" ) -include_shell "/usr/share/lighttpd/use-ipv6.pl" +# default listening port for IPv6 falls back to the IPv4 port +include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port include_shell "/usr/share/lighttpd/create-mime.assign.pl" include_shell "/usr/share/lighttpd/include-conf-enabled.pl" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/lighttpd.init new/debian/lighttpd.init --- old/debian/lighttpd.init 2011-05-24 00:02:39.000000000 +0200 +++ new/debian/lighttpd.init 2012-02-27 19:53:39.000000000 +0100 @@ -8,6 +8,9 @@ # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Start the lighttpd web server. +# Description: Fast and smalle webserver with minimal memory footprint +# developed with security in mind HTTP/1.1 compliant caching +# proxy server. ### END INIT INFO @@ -31,8 +34,11 @@ if [ "$1" != status ]; then # be sure there is a /var/run/lighttpd, even with tmpfs - mkdir --mode 750 --parents /var/run/lighttpd - chown www-data:www-data /var/run/lighttpd + # The directory is defined as volatile and may thus be non-existing + # after a boot (DPM §9.3.2) + if ! dpkg-statoverride --list /var/run/lighttpd >/dev/null 2>&1; then + install -d -o www-data -g www-data -m 0750 "/var/run/lighttpd" + fi fi . /lib/lsb/init-functions diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/lighttpd.install new/debian/lighttpd.install --- old/debian/lighttpd.install 2011-05-24 00:02:39.000000000 +0200 +++ new/debian/lighttpd.install 2012-02-27 19:53:39.000000000 +0100 
@@ -34,3 +34,5 @@ debian/use-ipv6.pl /usr/share/lighttpd/ debian/lighty-enable-mod /usr/sbin/ debian/index.html /usr/share/lighttpd/ +debian/lighttpd.service /lib/systemd/system/ +debian/lighttpd.tmpfile.conf /usr/lib/tmpfiles.d/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/lighttpd.postrm new/debian/lighttpd.postrm --- old/debian/lighttpd.postrm 2011-07-04 17:28:23.000000000 +0200 +++ new/debian/lighttpd.postrm 2012-02-27 19:53:39.000000000 +0100 @@ -5,6 +5,18 @@ if [ "$1" = "purge" ]; then rm -rf /var/log/lighttpd /var/run/lighttpd /var/cache/lighttpd + + + if [ -d /etc/lighttpd/conf-enabled/ ] ; then + # The loop below fixes #642494 (mostly) + for link in /etc/lighttpd/conf-enabled/*.conf ; do + target=$(readlink "$link") || true + if [ -n "$target" ] && [ ! -e "/etc/lighttpd/conf-enabled/$target" ] ; then + echo "removing dangling symlink $link ..." + rm -f $link + fi + done + fi fi #DEBHELPER# diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/lighttpd.service new/debian/lighttpd.service --- old/debian/lighttpd.service 1970-01-01 01:00:00.000000000 +0100 +++ new/debian/lighttpd.service 2012-02-27 19:53:39.000000000 +0100 @@ -0,0 +1,10 @@ +[Unit] +Description=Lighttpd Daemon +After=network.target + +[Service] +ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf +ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf + +[Install] +WantedBy=multi-user.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/lighttpd.tmpfile.conf new/debian/lighttpd.tmpfile.conf --- old/debian/lighttpd.tmpfile.conf 1970-01-01 01:00:00.000000000 +0100 +++ new/debian/lighttpd.tmpfile.conf 2012-02-27 19:53:39.000000000 +0100 
@@ -0,0 +1 @@ +d /var/run/lighttpd 0750 www-data www-data - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/rules new/debian/rules --- old/debian/rules 2011-07-04 16:11:22.000000000 +0200 +++ new/debian/rules 2012-02-27 19:53:39.000000000 +0100 @@ -19,7 +19,8 @@ --with-openssl \ --with-pcre \ --with-webdav-locks \ - --with-webdav-props + --with-webdav-props \ + $(shell dpkg-buildflags --export=configure) override_dh_fixperms: dh_fixperms diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/use-ipv6.pl new/debian/use-ipv6.pl --- old/debian/use-ipv6.pl 2011-05-24 00:02:39.000000000 +0200 +++ new/debian/use-ipv6.pl 2012-03-28 00:40:41.000000000 +0200 @@ -1,8 +1,12 @@ #! /usr/bin/perl -w use Socket; +use strict; + my $sock; +my $PORT = 80; +$PORT = $ARGV[0] if $ARGV[0] and $ARGV[0] >= 0 and $ARGV[0] <= 65535; if (socket($sock, AF_INET6, SOCK_STREAM, 0)) { - print qq/\$SERVER["socket"] == "[::]:80" { }\n/; + print qq/\$SERVER["socket"] == "[::]:$PORT" { }\n/; } ++++++ lighttpd_1.4.30-0.1.dsc -> lighttpd_1.4.31-1.dsc ++++++ --- /work/SRC/openSUSE:Factory/lighttpd/lighttpd_1.4.30-0.1.dsc 2011-12-25 17:36:43.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.lighttpd.new/lighttpd_1.4.31-1.dsc 2012-06-12 07:09:20.000000000 +0200 
@@ -5,14 +5,14 @@ Source: lighttpd Binary: lighttpd, lighttpd-doc, lighttpd-mod-mysql-vhost, lighttpd-mod-trigger-b4-dl, lighttpd-mod-cml, lighttpd-mod-magnet, lighttpd-mod-webdav Architecture: any all -Version: 1.4.30-0.1 +Version: 1.4.31-1 Maintainer: Debian lighttpd maintainers <[email protected]> -Uploaders: Krzysztof Krzyżaniak (eloy) <[email protected]>, Olaf van der Spek <[email protected]>, Arno Töll <[email protected]> +Uploaders: Krzysztof Krzyżaniak (eloy) <[email protected]>, Olaf van der Spek <[email protected]>, Arno Töll <[email protected]> Homepage: http://lighttpd.net/ -Standards-Version: 3.9.2.0 +Standards-Version: 3.9.3.1 Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-lighttpd/lighttpd/trunk/ Vcs-Svn: svn://svn.debian.org/pkg-lighttpd/lighttpd/trunk -Build-Depends: debhelper (>= 8), mime-support, libssl-dev, zlib1g-dev, libbz2-dev, libattr1-dev, libpcre3-dev, libmysqlclient-dev, libfam-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev, liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev, libxml2-dev, libkrb5-dev, perl +Build-Depends: debhelper (>= 8), mime-support, libssl-dev, zlib1g-dev, libbz2-dev, libattr1-dev, libpcre3-dev, libmysqlclient-dev, libfam-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev, liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev, libxml2-dev, libkrb5-dev, perl, dpkg-dev (>= 1.16.1~) Package-List: lighttpd deb httpd optional lighttpd-doc deb doc optional 
@@ -22,19 +22,29 @@ lighttpd-mod-trigger-b4-dl deb httpd optional lighttpd-mod-webdav deb httpd optional Checksums-Sha1: - 70f88e6059da6e04514cc211dd5064a2413b5406 664697 lighttpd_1.4.30.orig.tar.bz2 - 4555c9947b220764c94338c29609b13bb66af266 24872 lighttpd_1.4.30-0.1.debian.tar.gz + 6b3babc9df173cea5ae4756c2fd6b0e85e015f2a 840123 lighttpd_1.4.31.orig.tar.gz + 80b3a0786bf069868d4b0dc0c5178ddce84ff1a8 26633 lighttpd_1.4.31-1.debian.tar.gz Checksums-Sha256: - 0d795597e4666dbf6ffe44b4a42f388ddb44736ddfab0b1ac091e5bb35212c2d 664697 lighttpd_1.4.30.orig.tar.bz2 - c1a74a33df5d5cb21bf3e6ad41c32243b03d96f14b225ae0d27782d17cfa9ea3 24872 lighttpd_1.4.30-0.1.debian.tar.gz + 848a15604bf358d9355bd7a48c01f448c286734dbb5f4dc1cd16acb8b05a9b52 840123 lighttpd_1.4.31.orig.tar.gz + 38a0911ab97b21ef531693760b4ce4c0641d8e560f403c3cebac36863689bcf6 26633 lighttpd_1.4.31-1.debian.tar.gz Files: - 63f9df52dcae0ab5689a95c99c54e48a 664697 lighttpd_1.4.30.orig.tar.bz2 - 4e8d10388896f90521400f6c61adc475 24872 lighttpd_1.4.30-0.1.debian.tar.gz + 7907b7167d639b8a8daab97e223249d5 840123 lighttpd_1.4.31.orig.tar.gz + 20d50979fc2704ff7ead982a1282c4a5 26633 lighttpd_1.4.31-1.debian.tar.gz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) -iEYEARECAAYFAk7uDMIACgkQgBIc0keWidgYuQCgoI1MGcol6no1oWdjBbdmSrGW -w9wAn2+xehl7qdQOSieIFjYVkBAIYFrD -=rlsD +iQIcBAEBAgAGBQJPyUSFAAoJEMcrUe6dgPNt2fAQAMSEF/ty3BMpIO/BR1+BIg4S +itV89SLjEo8rHsXxrJ2C0rYNAQ8cM+vOgnSCqSovDf5lKuMhIW+BrMClIW+rbu1K +uuYJijRNOhZWq5RjAOU2PmTpxLdKsrZdZczFtY25RwgQyqFnF5zZax5oBHsKPPoc +SE9llwiyivC6X6A8xyHEfeeq+c3vRJ36bQu32pBbs36IsG0j1osRTuGJM/7ASFtL +ejnztef0Da5/PsWutTPQTA1qoUqgjGoQXvahdACZ1m0bWTwV8PS5w7JmtMkVI6lj +PSpuWCOvmjdUaUfB64gt3LpvJ+7b6C24UHbYbuYaaUEg9DceqRkPNCDjgrBkkDfd +6UIb79Gas1fpcuepjr26eOIApL45hfXB4aKWS1I6mHO5bNuJv0cKFpokwWxRkEoz +uRHLlWCUgn+23i16TrzKNkcouPz+LWWI1b/0RIKN80rwfU34cEp4fZTz/HYwdwNi +hTPl6XLVL6AdJDlouATksn3Af2Ubkt0ajQEKwAn0ymsTE0G9+BAwmkBUymebsTKp 
+Lw9OLGq+eWcChjHtWgF7OwD15CDYagrt65nPYcPbtkWkltPMEJ5qQ7TNrMvzlV5+ +Auzz7VGCr5x530518pN5Kf8qUqKBQuzMMudxSlR6HUecnhYy4QafD/YZinremb2h +wcvzxMRKxRmwfKgK/OCq +=lPv/ -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
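Review bot: In the lighttpd.spec hunk around `%setup`, the new condition `%if 0%{?suse_version} > 1210` around `%patch1 -p1` applies the automake patch to every release after 12.1 (12.2 and Factory alike), while the .changes entry above says "We only need that patch on 12.2". If the patch is really 12.2-specific, make the condition `== 1220`; otherwise reword the changelog to "12.2 and later" so the two agree. A one-line comment next to the conditional saying why 12.2 needs lighttpd-automake.patch would also save the next maintainer a trip through the history.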
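Review bot: The cipher list recommended in the debian/NEWS hunk, `ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM`, places `RC4` ahead of `HIGH` and then excludes AES-GCM outright with `!AESGCM`, even though the GCM suites are AEAD ciphers and are not CBC suites, so they are not affected by the attack this entry is mitigating. The two leading `-SHA384`/`-SHA256` suites are TLS 1.2-only, so with `ssl.honor-cipher-order = "enable"` every TLS 1.0/1.1 client ends up on RC4. Suggest dropping `!AESGCM` and listing the AES-GCM suites before `RC4` where the OpenSSL build supports them, and checking the effective order with `openssl ciphers -v '<list>'` before shipping. Minor wording in the same text: "This releases includes" should read "This release includes", "minimze" should be "minimize", and "pursue clients to use safe ciphers" presumably means "persuade clients".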
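Review bot: The debian/changelog hunk for 1.4.30-1 tells upgraders "you need to change your configuration to mitigate effects of the attack", while the NEWS entry for the same version says an unmodified 10-ssl.conf "will update it automatically". The two statements should be aligned so an administrator reading only the changelog knows the upgrade may already have applied the new `ssl.cipher-list`, and that the manual step is needed only for a locally modified file or for other SSL-enabled hosts.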
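Review bot: In the debian/conf-available/10-ssl.conf hunk the new `ssl.cipher-list` and `ssl.honor-cipher-order` settings live inside `$SERVER["socket"] == "0.0.0.0:443"`, which is an IPv4-only listener; the IPv6 helper in this same upload (`use-ipv6.pl`) only ever emits `[::]:$PORT` for the plain-HTTP port, so there is no IPv6 TLS listener at all and these settings cover only the one socket. If IPv6 is intended, add a matching `$SERVER["socket"] == "[::]:443"` block with the same `ssl.*` keys, or pull the cipher settings out to a level that applies to every SSL socket an admin defines.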
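Review bot: In the debian/lighttpd.conf hunk, `include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port` runs before `include_shell "/usr/share/lighttpd/include-conf-enabled.pl"`, so a `server.port` override placed in a conf-enabled snippet is not seen by the IPv6 helper and the IPv6 listener stays on the `server.port = 80` set above. The comment should say that `server.port` must be changed in lighttpd.conf itself. Also worth a comment: the trailing space inside `".../use-ipv6.pl "` is what separates the script path from the port argument, and it is easy to lose when the line is edited.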
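Review bot: The range check added in the debian/use-ipv6.pl hunk, `$PORT = $ARGV[0] if $ARGV[0] and $ARGV[0] >= 0 and $ARGV[0] <= 65535;`, compares numerically without verifying the argument is an integer. Perl numifies a value such as `80x` to 80 (with a warning under `-w`), the range test passes, and the original string is emitted verbatim as `[::]:80x`, giving lighttpd an unusable socket spec. Suggest `if defined $ARGV[0] and $ARGV[0] =~ /^\d+$/ and $ARGV[0] >= 1 and $ARGV[0] <= 65535` (note that the existing `$ARGV[0] and` already rejects "0", so `>= 0` is effectively `>= 1` anyway).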
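Review bot: In the debian/lighttpd.init hunk, the `dpkg-statoverride --list /var/run/lighttpd` guard around `install -d -o www-data -g www-data -m 0750` is the right way to respect a local override; note that, like the old `mkdir`/`chown` pair, `install -d` re-applies owner and mode to an already existing directory on every start, which is fine here because `/var/run` is root-owned. The new LSB `Description:` has a typo, "smalle" for "small", and the sentence runs together ("developed with security in mind HTTP/1.1 compliant caching proxy server"); a comma or period after "mind" is needed.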
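Review bot: The dangling-symlink loop in the debian/lighttpd.postrm hunk tests `[ ! -e "/etc/lighttpd/conf-enabled/$target" ]`, which assumes every link target is relative; a link created by hand with an absolute target (for example `/etc/lighttpd/conf-available/10-ssl.conf`) is prefixed with the conf-enabled directory, the test fails to find it, and a valid link is removed on purge. Testing the link itself is simpler and correct for both forms, since `-e` follows symlinks: `if [ -L "$link" ] && [ ! -e "$link" ]; then rm -f "$link"; fi`. The `-L` test also covers the unmatched-glob case where `$link` is the literal `*.conf` pattern, and `rm -f "$link"` should be quoted.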
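Review bot: The debian/lighttpd.service hunk contains nothing that creates `/var/run/lighttpd`; under systemd the directory comes only from the `d /var/run/lighttpd 0750 www-data www-data -` tmpfiles.d entry installed by the lighttpd.install hunk, and the `install -d` logic in the sysvinit script is not executed. That is correct after a reboot, but on a fresh install the first `systemctl start lighttpd` runs before systemd-tmpfiles has processed the new file unless the maintainer scripts invoke `systemd-tmpfiles --create` on it; the postinst is not part of this diff, so please confirm it does. `ExecStartPre=/usr/sbin/lighttpd -t -f ...` is a good addition: a broken config fails the unit instead of leaving a half-started daemon.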
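Review bot: In the debian/rules hunk, `$(shell dpkg-buildflags --export=configure)` only hardens the binary if lighttpd's configure honours the `CFLAGS=`/`CPPFLAGS=`/`LDFLAGS=` arguments it is given; the changelog claims `-fstack-protector` is now in effect, so verify it in the build log or with `hardening-check /usr/sbin/lighttpd` on the built package (stack protector, fortify source and RELRO are the dpkg-buildflags defaults). PIE and BIND_NOW are not enabled by default at this dpkg version; if they are wanted for a network-facing daemon, opt in with `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` in rules, which the new `dpkg-dev (>= 1.16.1~)` build-dependency already supports.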
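Review bot: In the debian/control hunk, `lsb-base (>= 3.2-14) | systemd (>= 29.1)` lets the dependency be satisfied by systemd alone, but the init script in this same upload unconditionally sources `/lib/lsb/init-functions`; on a box that has systemd installed yet still boots with sysvinit and has lsb-base removed, the script fails at that line. Either keep lsb-base unconditional or make the `. /lib/lsb/init-functions` line tolerate its absence.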
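Review bot: The lighttpd.spec hunk describes `Source99: lighttpd_1.4.31-1.debian.tar.gz` as "just dummy to pass the check", but the .dsc hunk carries signed checksums for exactly that file (`38a0911ab97b21ef531693760b4ce4c0641d8e560f403c3cebac36863689bcf6`, 26633 bytes), so the imported tarball can and should be verified with `sha256sum` against the .dsc and the .dsc signature checked before it is committed; a mismatch would mean the file is not the one Debian signed. Note also that the upstream tarball referenced by the .dsc changed from `lighttpd_1.4.30.orig.tar.bz2` to `lighttpd_1.4.31.orig.tar.gz`, so make sure the openSUSE Source0 and its checksum were updated to the same upstream archive.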
