Hello community, here is the log from the commit of package lighttpd for openSUSE:Factory checked in at 2013-10-06 14:29:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lighttpd (Old) and /work/SRC/openSUSE:Factory/.lighttpd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lighttpd" Changes: -------- --- /work/SRC/openSUSE:Factory/lighttpd/lighttpd.changes 2013-06-28 17:46:27.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.lighttpd.new/lighttpd.changes 2013-10-06 14:29:01.000000000 +0200 
@@ -1,0 +2,35 @@ +Fri Sep 27 14:46:14 UTC 2013 - [email protected] + +- update to 1.4.33: + - mod_fastcgi: fix mix up of "mode" => "authorizer" in other fastcgi configs (fixes #2465, thx peex) + - fix handling of If-Modified-Since if If-None-Match is present (don't return 412 for date parsing errors); + follow current draft for HTTP/1.1, which tells us to ignore If-Modified-Since if we have matching etags. + - [mod_fastcgi,log] support multi line logging (fixes #2252) + - call ERR_clear_error only for ssl connections in CON_STATE_ERROR + - reject non ASCII characters in HTTP header names + - [mod_auth] use crypt() on encrypted password instead of extracting salt first (fixes #2483) + - [mod_auth] add htpasswd -s (SHA1) support if openssl is used (needs openssl for SHA1). This doesn't use any salt, md5 with salt is probably better. + - [mod_auth] fix base64_decode (#2484) + - fix some bugs found with canalyze (fixes #2484, thx Zhenbo Xu) + - fix undefined stuff found with clang + - [cmake] Use TARGET_LINK_LIBRARIES instead of LINK_FLAGS for library dependencies, also add -Wl,--as-needed to extra warnings (fixes #2448) + - [mod_auth] fix invalid read in digest qop=auth-int handling (fixes #2478) + - [auto* build] simplify autogen.sh, handle automake 1.13 test running (fixes #2490) + - [mod_userdir] add userdir.active option, "enabled" by default + - [core] return 501 Not Implemented in static file mode for all methods except GET/POST/HEAD/OPTIONS + - [core] recognize more http methods to forward to backends (fixes #2346) + - [ssl] use DH only if openssl supports it (fixes #2479) + - [network] use constants available at compile time for maximum number of chunks for writev instead of calling sysconf (fixes #2470) + - [ssl] Fix $HTTP["scheme"] conditional, could be "http" for ssl connections if the ssl $SERVER["socket"] conditional was nested (fixes #2501) + - [ssl] accept ssl renegotiations if they are not disabled (fixes #2491) + - [ssl] add option 
ssl.empty-fragments, defaulting to disabled (fixes #2492) + - [auth] put REMOTE_USER into cgi environment, making it accessible to lua via lighty.req_env (fixes #2495) + - [auth] new method "extern" to use already present REMOTE_USER (from magnet, ssl, ...) (fixes #2436) + - [core] remove requirement that default doc-root has to exist, there are reasonable scenarios not requiring static files at all + - [core] check whether server.chroot exists + - [mod_simple_vhost] fix cache; skip module if simple-vhost.server-root is empty (thx rm for reporting) + - [mod_accesslog] add accesslog.syslog-level option (fixes #2480) + - [core] allow files to be used as document-root (fixes #2475) + - [core] set signal handlers before forking child processes in modules/plugins_call_set_defaults (fixes #2502) + +------------------------------------------------------------------- Old: ---- lighttpd_1.4.31-1.debian.tar.gz lighttpd_1.4.32-0.1.debian.tar.gz lighttpd_1.4.32-0.1.dsc lighttpd_1.4.32.orig.tar.gz New: ---- lighttpd_1.4.33-0.1.debian.tar.gz lighttpd_1.4.33-0.1.dsc lighttpd_1.4.33.orig.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lighttpd.spec ++++++ --- /var/tmp/diff_new_pack.pUw1Fd/_old 2013-10-06 14:29:02.000000000 +0200 +++ /var/tmp/diff_new_pack.pUw1Fd/_new 2013-10-06 14:29:02.000000000 +0200 @@ -17,11 +17,13 @@ Name: lighttpd -Version: 1.4.32 +Version: 1.4.33 Release: 0 # %define pkg_name lighttpd %define pkg_user lighttpd +%define pkg_version 1.4.33 +%define deb_version 1.4.33 %define pkg_home /var/lib/%{pkg_name} # BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -40,6 +42,8 @@ BuildRequires: pkgconfig BuildRequires: pwdutils BuildRequires: zlib-devel +# extract upstream tar.xz: +BuildRequires: xz # %define with_tests 1 %define with_enh_webdav 1 
@@ -94,7 +98,7 @@ # Url: http://www.lighttpd.net/ # Source: http://www.lighttpd.net/download/%{pkg_name}-%{version}.tar.bz2 -Source: lighttpd_%{version}.orig.tar.gz +Source: lighttpd_%{deb_version}.orig.tar.xz Source1: %{pkg_name}.init Source2: %{pkg_name}.sysconfig Source4: lightytest.sh @@ -102,7 +106,7 @@ Source6: lighttpd-ssl.SuSEfirewall Source7: lighttpd.logrotate # this is just dummy to pass the check for factory and still have one package for deb and rpm -Source99: lighttpd_1.4.32-0.1.debian.tar.gz +Source99: lighttpd_1.4.33-0.1.debian.tar.gz Patch: lighttpd-1.4.13_geoip.patch Patch1: lighttpd-automake.patch # workaround -- disable parallel tests, broken with gcc 4.8 @@ -291,7 +295,7 @@ Jan Kneschke <[email protected]> %prep -%setup +%setup -n %{pkg_name}-%{pkg_version} %if 0%{?with_geoip} %patch %if 0%{?suse_version} > 1210 ++++++ lighttpd_1.4.32-0.1.debian.tar.gz -> lighttpd_1.4.33-0.1.debian.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/NEWS new/debian/NEWS --- old/debian/NEWS 2012-11-21 09:21:26.000000000 +0100 +++ new/debian/NEWS 2013-09-27 16:41:10.000000000 +0200 
@@ -1,3 +1,21 @@ +lighttpd (1.4.31-4) unstable; urgency=high + + The default Debian configuration file for PHP invoked from FastCGI was + vulnerable to local symlink attacks and race conditions when an attacker + manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3) + before the web server started. Possibly the web server could have been + tricked to use a forged PHP. + + The problem lies in the configuration, thus this update will fix the problem + only if you did not modify the file /etc/lighttpd/conf-available/15-fastcgi-php.conf + If you did, dpkg will not overwrite your changes. Please make sure to set + + "socket" => "/var/run/lighttpd/php.socket" + + yourself in that case. + + -- Arno Töll <[email protected]> Thu, 14 Mar 2013 01:57:42 +0100 + lighttpd (1.4.30-1) unstable; urgency=medium This releases includes an option to force Lighttpd to honor the cipher order diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/changelog new/debian/changelog --- old/debian/changelog 2012-11-21 10:06:54.000000000 +0100 +++ new/debian/changelog 2013-09-27 16:41:10.000000000 +0200 
@@ -1,15 +1,46 @@ -lighttpd (1.4.32-0.1) UNRELEASED; urgency=low +lighttpd (1.4.33-0.1) unstable; urgency=low * Non-maintainer upload. - * New upstream release, fixing CVE-2012-5533 - * squeeze compatible hardening + * Imported Upstream version 1.4.33~rc1-r2901 + * Fix problem with perl exec in test suite + * Imported Upstream version 1.4.33 + + Drop patch for test suite - merged upstream + + -- Stefan Bühler <[email protected]> Fri, 27 Sep 2013 16:38:51 +0200 + +lighttpd (1.4.32-0.2) UNRELEASED; urgency=low + + * Non-maintainer upload. + * Arno Töll: + + Drop the connection-dos.patch - merged upstream. + + Fix "mod_extforward missing configuration file": ship requested + configuration file (Closes: #697304) + + Remove access.conf, an obsolete conffiles as we should have done since + 2010 (Closes: #703215) + + Push debhelper's compat mode to 9, the use of maintscript helper requires + 8.1 so we had to push the debhelper b-d anyway. + + -- Stefan Bühler <[email protected]> Fri, 30 Aug 2013 19:56:04 +0200 + +lighttpd (1.4.31-4) unstable; urgency=high + + * CVE-2013-1427: Switch the socket path for PHP when using FastCGI. /tmp is + world-writable which may cause security implications if an attacker + manages to control /tmp/php.socket before the web server (re-)starts. 
+ * Switch VCS to git + * Push standards version (no changes) + + -- Arno Töll <[email protected]> Thu, 14 Mar 2013 02:20:07 +0100 + +lighttpd (1.4.31-3) unstable; urgency=high - Arno Töll: * Fix "configuration files refer to wrong path for documentation" by merging a patch supplied by Denis Laxalde <[email protected]> - (Closes: #676641) + (Closes: #676641) + * CVE-2012-5533: Fix Denial Of Service attacks against Lighttpd by sending + faulty Connection headers - -- Stefan Bühler <[email protected]> Wed, 21 Nov 2012 09:25:37 +0100 + -- Arno Töll <[email protected]> Wed, 21 Nov 2012 14:42:32 +0100 lighttpd (1.4.31-1) unstable; urgency=low diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/compat new/debian/compat --- old/debian/compat 2012-11-21 09:21:26.000000000 +0100 +++ new/debian/compat 2013-09-27 16:41:10.000000000 +0200 @@ -1 +1 @@ -8 +9 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/conf-available/11-extforward.conf new/debian/conf-available/11-extforward.conf --- old/debian/conf-available/11-extforward.conf 1970-01-01 01:00:00.000000000 +0100 +++ new/debian/conf-available/11-extforward.conf 2013-09-27 16:41:10.000000000 +0200 @@ -0,0 +1,6 @@ +# -*- depends: accesslog -*- + +server.modules += ( "mod_extforward" ) + +# extforward.headers = ("X-Cluster-Client-Ip") +# extforward.forwarder = ("10.0.0.232" => "trust") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/conf-available/15-fastcgi-php.conf new/debian/conf-available/15-fastcgi-php.conf --- old/debian/conf-available/15-fastcgi-php.conf 2012-11-21 09:21:26.000000000 +0100 +++ new/debian/conf-available/15-fastcgi-php.conf 2013-09-27 16:41:10.000000000 +0200 
@@ -6,7 +6,7 @@ fastcgi.server += ( ".php" => (( "bin-path" => "/usr/bin/php-cgi", - "socket" => "/tmp/php.socket", + "socket" => "/var/run/lighttpd/php.socket", "max-procs" => 1, "bin-environment" => ( "PHP_FCGI_CHILDREN" => "4", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/control new/debian/control --- old/debian/control 2012-11-21 09:21:26.000000000 +0100 +++ new/debian/control 2013-09-27 16:41:10.000000000 +0200 @@ -6,17 +6,20 @@ Olaf van der Spek <[email protected]>, Arno Töll <[email protected]> Homepage: http://lighttpd.net/ -Build-Depends: debhelper (>= 8), mime-support, libssl-dev, +Build-Depends: debhelper (>= 9), mime-support, libssl-dev, zlib1g-dev, libbz2-dev, libattr1-dev, libpcre3-dev, libmysqlclient-dev, libfam-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev, liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev, - libxml2-dev, libkrb5-dev, perl -Vcs-Svn: svn://svn.debian.org/pkg-lighttpd/lighttpd/trunk -Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-lighttpd/lighttpd/trunk/ -Standards-Version: 3.9.3.1 + libxml2-dev, libkrb5-dev, perl, dpkg-dev (>= 1.16.1~) +Vcs-Git: git://git.debian.org/git/pkg-lighttpd/lighttpd.git +Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-lighttpd/lighttpd.git +Standards-Version: 3.9.4 Package: lighttpd Architecture: any +# Omitting this triggers a Lintian error +# That's a false positive these days +Pre-Depends: ${misc:Pre-Depends} Depends: ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends}, lsb-base (>= 3.2-14) | systemd (>= 29.1), mime-support, libterm-readline-perl-perl 
@@ -33,6 +36,7 @@ * authentication (plain files, htpasswd, LDAP) * transparent content compression * conditional configuration + * HTTP proxying and configuration is straight-forward and easy. Package: lighttpd-doc diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/gbp.conf new/debian/gbp.conf --- old/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 +++ new/debian/gbp.conf 2013-09-27 16:41:10.000000000 +0200 @@ -0,0 +1,2 @@ +[DEFAULT] +pristine-tar = True diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/lighttpd.maintscript new/debian/lighttpd.maintscript --- old/debian/lighttpd.maintscript 1970-01-01 01:00:00.000000000 +0100 +++ new/debian/lighttpd.maintscript 2013-09-27 16:41:10.000000000 +0200 @@ -0,0 +1 @@ +rm_conffile /etc/lighttpd/conf-available/10-access.conf 1.4.31-4 lighttpd diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/lighttpd.postinst new/debian/lighttpd.postinst --- old/debian/lighttpd.postinst 2012-11-21 09:21:26.000000000 +0100 +++ new/debian/lighttpd.postinst 2013-09-27 16:41:10.000000000 +0200 @@ -8,6 +8,14 @@ then cp /usr/share/lighttpd/index.html /var/www/index.lighttpd.html fi + + # Remove a possibly dangling symlink for the obsolete conffile + if dpkg --compare-versions "$2" lt-nl "1.4.32-1" && \ + [ -L /etc/lighttpd/conf-enabled/10-access.conf -a \ + ! -f /etc/lighttpd/conf-available/10-access.conf ]; then + rm -f /etc/lighttpd/conf-enabled/10-access.conf + fi + fi # dh_installinit will call this function upon failure of rc.d invocation diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/rules new/debian/rules --- old/debian/rules 2012-11-21 10:15:17.000000000 +0100 +++ new/debian/rules 2013-09-27 16:41:10.000000000 +0200 
@@ -1,15 +1,9 @@ #!/usr/bin/make -f -CFLAGS:=$(shell dpkg-buildflags --get CFLAGS) -CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS) -LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS) -export CFLAGS CPPFLAGS LDFLAGS - %: dh $@ override_dh_auto_configure: - dh_auto_configure -- \ --disable-dependency-tracking \ --libdir=/usr/lib/lighttpd \ @@ -25,7 +19,8 @@ --with-openssl \ --with-pcre \ --with-webdav-locks \ - --with-webdav-props + --with-webdav-props \ + $(shell dpkg-buildflags --export=configure) override_dh_fixperms: dh_fixperms ++++++ lighttpd_1.4.32-0.1.dsc -> lighttpd_1.4.33-0.1.dsc ++++++ --- /work/SRC/openSUSE:Factory/lighttpd/lighttpd_1.4.32-0.1.dsc 2013-06-28 17:46:27.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.lighttpd.new/lighttpd_1.4.33-0.1.dsc 2013-10-06 14:29:01.000000000 +0200 
@@ -1,18 +1,15 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA256 - Format: 3.0 (quilt) Source: lighttpd Binary: lighttpd, lighttpd-doc, lighttpd-mod-mysql-vhost, lighttpd-mod-trigger-b4-dl, lighttpd-mod-cml, lighttpd-mod-magnet, lighttpd-mod-webdav Architecture: any all -Version: 1.4.32-0.1 +Version: 1.4.33-0.1 Maintainer: Debian lighttpd maintainers <[email protected]> Uploaders: Krzysztof Krzyżaniak (eloy) <[email protected]>, Olaf van der Spek <[email protected]>, Arno Töll <[email protected]> Homepage: http://lighttpd.net/ -Standards-Version: 3.9.3.1 -Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-lighttpd/lighttpd/trunk/ -Vcs-Svn: svn://svn.debian.org/pkg-lighttpd/lighttpd/trunk -Build-Depends: debhelper (>= 8), mime-support, libssl-dev, zlib1g-dev, libbz2-dev, libattr1-dev, libpcre3-dev, libmysqlclient-dev, libfam-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev, liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev, libxml2-dev, libkrb5-dev, perl +Standards-Version: 3.9.4 +Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-lighttpd/lighttpd.git +Vcs-Git: git://git.debian.org/git/pkg-lighttpd/lighttpd.git +Build-Depends: debhelper (>= 9), mime-support, libssl-dev, zlib1g-dev, libbz2-dev, libattr1-dev, libpcre3-dev, libmysqlclient-dev, libfam-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev, liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev, libxml2-dev, libkrb5-dev, perl, dpkg-dev (>= 1.16.1~) Package-List: lighttpd deb httpd optional lighttpd-doc deb doc optional 
@@ -22,29 +19,11 @@ lighttpd-mod-trigger-b4-dl deb httpd optional lighttpd-mod-webdav deb httpd optional Checksums-Sha1: - 7177a9350f530f89c4538c75d08cfbc403844a5c 846615 lighttpd_1.4.32.orig.tar.gz - 8a7ecb534e425a72c6b7e6822798d442c00bf0b0 27113 lighttpd_1.4.32-0.1.debian.tar.gz + f309708105aadffba229a944d4c32423132119a5 555248 lighttpd_1.4.33.orig.tar.xz + f5ce6b8f6bae914c425ab7d7224136ddff535ba0 28109 lighttpd_1.4.33-0.1.debian.tar.gz Checksums-Sha256: - 0765e07dac432393dea3950639d5ba646ded95a9408ad002e54b3353ab6b9645 846615 lighttpd_1.4.32.orig.tar.gz - 56f480e6d5f13a61ca1a671c39b7f2b53a7f96ab23c3e85715afd3b824d3e77d 27113 lighttpd_1.4.32-0.1.debian.tar.gz + 2886aedc23857ca44df91b8fe6f36059ec82a859ae0eb230220e42abc331610c 555248 lighttpd_1.4.33.orig.tar.xz + e4c323876aeaf3dd06362874540b675d413fd28a7010d7caa1862e6faa255849 28109 lighttpd_1.4.33-0.1.debian.tar.gz Files: - d2eaf2ed77670bd25597f61c3a28c074 846615 lighttpd_1.4.32.orig.tar.gz - 6528cfe27a137f107a834f4ca560f40b 27113 lighttpd_1.4.32-0.1.debian.tar.gz - ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.12 (GNU/Linux) - -iQIcBAEBCAAGBQJQrJvoAAoJEODn0BcelbrXsOkP/2kmQwYGmfaVtJVhsY+zUHrG -WrdwuZxIKuADj1CAUNPJzZdVU7rNs1nBn/qJCmyGYhciBrSq9M6DdqM727q7aSKd -O4sH1TsaPIpTknj6oUnX1bM+2o+3miH9uFxVAXrJvbfAlD5tQ0nOiG87LNlFw1rk -oVEyT6VD84cusyYF8QKyR9l7QL9D5EmnLhZ14XKHkN3iWf5G3YmwAA3JRBL3/Ig3 -IMQVUBogQSIuJ76QtmLtisSRpfyvocFjzsUZcT9Q2Qygxlg4PF6rH9fSDJZjLSX6 -dd/DmDb/oV3GQuscr+LLoYVcyR8YaFAm/u6nKFhPWAqrQPKSLiSjbWa6vUefAF9r -40xhtwU6nVM+QKSIWE5e4kHnkAlNmfrk+Oi3XLLI5raWYKgh0ZMWh0nYCRfmbceG -l0+xOkAciPahFPzujHCaYkXYYuXZFvFl8DbJY6aVZVxMzxG75I/Lo/Z9cglQMgdI -UHGNsjkR92VVEKqqCgx5TlDylKSOVJs4YeGZcnXEBX2A0dJOTr3BNzl+ceDcxUSn -6FFAZVnL3riK8SaCaMZpcneZQBEdg3uIprAndAOGEWAgg5d+ZZVEQfEMsbFh4+JP -rz0QlXFqhZ2g+9hc5Y/WldAfXU4gW7vW7NbXGSuRva9mkad89Ti3uldGRtjejBD/ -Uh0Jc7Ix1XN94yfcvNtp -=JkaD ------END PGP SIGNATURE----- + 992cf8668812c5e4382d43dadd2c5f16 555248 lighttpd_1.4.33.orig.tar.xz + dccca47a9cca43b7d295289f065afca8 28109 
lighttpd_1.4.33-0.1.debian.tar.gz -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
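Review bot: the lighttpd.changes entry for the 1.4.33 update lists the upstream fixes but says nothing about the Debian packaging fix that rides along in the new lighttpd_1.4.33-0.1.debian.tar.gz (CVE-2013-1427, the PHP FastCGI socket moved out of /tmp). Since this package ships that tarball as Source99, add a line such as `- debian packaging: CVE-2013-1427, php.socket moved from /tmp to /var/run/lighttpd` so the security-relevant change is discoverable from the rpm changelog.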
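Review bot: in the lighttpd.spec hunk, `%define pkg_version 1.4.33` and `%define deb_version 1.4.33` duplicate the `Version: 1.4.33` tag, and `Source99: lighttpd_1.4.33-0.1.debian.tar.gz` hard-codes the version a fourth time, so the next update has to be edited in four places. Derive them from the tag instead, e.g. `%define pkg_version %{version}` and `Source99: lighttpd_%{deb_version}-0.1.debian.tar.gz`. Note also that with pkg_name=lighttpd and pkg_version equal to Version, `%setup -n %{pkg_name}-%{pkg_version}` resolves to the same directory plain `%setup` would pick, so either the `-n` is redundant or pkg_version is meant to diverge from Version later; a comment should say which.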
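Review bot: the debian/NEWS entry for 1.4.31-4 describes the /tmp/php.socket problem but never names CVE-2013-1427, which the matching debian/changelog entry does; add the identifier to the NEWS text so admins who see it at upgrade time can match it against advisories. The instruction to set `"socket" => "/var/run/lighttpd/php.socket"` by hand should also tell the admin that the directory must exist and must not be writable by other users, otherwise the relocation does not remove the attacker-controlled-socket scenario the entry describes.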
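Review bot: in the debian/changelog hunk, the 1.4.32-0.2 entry is still marked UNRELEASED while it sits below the released 1.4.33-0.1 entry, and it is signed by Stefan Bühler although its bullets are credited to Arno Töll. Either fold those bullets into 1.4.33-0.1 or give the entry a real distribution, because that intermediate entry is the only place that explains the access.conf removal and the debhelper 9 bump implemented elsewhere in this diff.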
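Review bot: the 15-fastcgi-php.conf hunk moves the socket to /var/run/lighttpd/php.socket, but nothing in this diff creates /var/run/lighttpd or sets its owner and mode, and /var/run is commonly a tmpfs that is empty after a reboot. Please point to where the init script or tmpfiles fragment creates that directory (owned by the lighttpd user, not group or world writable), since the fix for CVE-2013-1427 is only as strong as the permissions on the directory holding the socket.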
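Review bot: 11-extforward.conf loads mod_extforward with `extforward.forwarder` left commented out, which is the right default (no proxy is trusted), but the commented example `"10.0.0.232" => "trust"` should carry a one-line warning that only proxies under the admin's control belong in that list: for any source not listed, the client address taken from the forwarded header is whatever the requester put there, and it ends up in the access log (hence the `depends: accesslog` marker) and in any IP-based conditionals.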
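Review bot: the removal of 10-access.conf uses three different version thresholds: lighttpd.maintscript says `rm_conffile /etc/lighttpd/conf-available/10-access.conf 1.4.31-4 lighttpd`, the postinst guard uses `dpkg --compare-versions "$2" lt-nl "1.4.32-1"`, and the changelog attributes the removal to 1.4.32-0.2. They should agree on the version in which the conffile was dropped; the maintscript version is what dpkg-maintscript-helper uses to decide whether the file was locally modified. Separately, `[ -L ... -a ! -f ... ]` relies on the obsolescent `-a` operator of test; `[ -L /etc/lighttpd/conf-enabled/10-access.conf ] && [ ! -f /etc/lighttpd/conf-available/10-access.conf ]` is the portable form.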
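Review bot: in the debian/rules hunk, replacing the exported CFLAGS/CPPFLAGS/LDFLAGS with `$(shell dpkg-buildflags --export=configure)` in the configure arguments matches the new `dpkg-dev (>= 1.16.1~)` build-dependency in debian/control, but it changes how the hardening flags reach the build: they are now passed only through configure, so anything compiled outside what configure recorded will no longer see them. Worth a quick check that the resulting binaries still carry the expected hardening (for example with `hardening-check`) before upload.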
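Review bot: the new lighttpd_1.4.33-0.1.dsc is stored without the PGP clearsignature the 1.4.32-0.1 file had (the `BEGIN PGP SIGNED MESSAGE` and `BEGIN PGP SIGNATURE` blocks are removed in the hunk), so the checksums it carries for lighttpd_1.4.33.orig.tar.xz and lighttpd_1.4.33-0.1.debian.tar.gz can no longer be verified against the uploader's key with dscverify. If the file is only a carrier for checksums inside OBS that is acceptable, but say so in the spec comment next to Source99 (`this is just dummy to pass the check`) so nobody treats it as an authenticated upstream artifact.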
