Your message dated Sun, 22 Oct 2006 10:20:24 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#392890: fixed in lighttpd 1.4.13-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: lighttpd
Version: 1.4.13~r1385-1
Severity: important
Tags: patch


Hi

In /etc/lighttpd/lighttpd.conf the only condition for the /doc/ and
/images/ aliases is the host variable. These URLs could easily be reached
with a faked HTTP header.
My patch also activates directory listing only for the /doc/ and /images/
URLs. Getting a forbidden directory listing with a faked header was
possible before.

Regards
Adrian

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)

Versions of packages lighttpd depends on:
ii  libattr1                    2.4.32-1     Extended attribute shared library
ii  libbz2-1.0                  1.0.3-6      high-quality block-sorting file co
ii  libc6                       2.3.6.ds1-6  GNU C Library: Shared libraries
ii  libldap2                    2.1.30-13+b1 OpenLDAP libraries
ii  libpcre3                    6.7-1        Perl 5 Compatible Regular Expressi
ii  libssl0.9.8                 0.9.8c-3     SSL shared libraries
ii  lsb-base                    3.1-17       Linux Standard Base 3.1 init scrip
ii  mime-support                3.37-1       MIME files 'mime.types' & 'mailcap
ii  zlib1g                      1:1.2.3-13   compression library - runtime

Versions of packages lighttpd recommends:
ii  php4-cgi                      4:4.4.4-3  server-side, HTML-embedded scripti
ii  php5-cgi                      5.1.6-4    server-side, HTML-embedded scripti

-- no debconf information
--- debian/lighttpd.conf        2006-10-13 14:19:53.000000000 +0200
+++ debian/lighttpd.conf        2006-10-14 03:03:28.000000000 +0200
@@ -125,12 +125,14 @@
 #### handle Debian Policy Manual, Section 11.5. urls
 #### and by default allow them only from localhost
 
-$HTTP["host"] == "localhost" {
+$HTTP["remoteip"] =~ "127.0.0.1" {
        alias.url += ( 
                "/doc/" => "/usr/share/doc/",
                "/images/" => "/usr/share/images/"
        )
-       dir-listing.activate = "enable"
+       $HTTP["url"] =~ "^/doc/|^/images/" {
+               dir-listing.activate = "enable"
+       }
 }
 
 #### variable usage:
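Review bot: the replacement condition `$HTTP["remoteip"] =~ "127.0.0.1"` is a regular-expression match with neither anchors nor escaped dots, so every `.` matches any character and the pattern also matches any peer address that merely contains a `127?0?0?1` substring; since the intent is an exact loopback check, write `$HTTP["remoteip"] == "127.0.0.1"` or, if a regex is wanted, `$HTTP["remoteip"] =~ "^127\.0\.0\.1$"`. Switching from the Host header to the TCP peer address is the right fix for the reported bypass, because a client cannot choose its peer address the way it chooses the Host header; the one deployment caveat is a local reverse proxy in front of lighttpd, where every request arrives from 127.0.0.1 and the aliases become reachable again, so in that setup the `$HTTP["host"]` condition should be kept in addition. The nested `$HTTP["url"] =~ "^/doc/|^/images/"` block correctly limits `dir-listing.activate` to the two aliased paths instead of every URL served to a matching client, which addresses the second problem the report describes.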

--- End Message ---
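To make the difference between the two conditions concrete, the following is an added Python model of how lighttpd evaluates them, written for this page and not taken from lighttpd or the Debian package. The request records, the sample addresses (RFC 5737/3849 documentation ranges) and the helper names are constructed for illustration; `remoteip_exact_condition` is an assumed tightened alternative to the patch's regex, not something the bug report proposes.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One inbound request as the server sees it (constructed for this example)."""
    peer_ip: str   # TCP peer address ($HTTP["remoteip"]): set by the network path, not the client
    host: str      # Host header ($HTTP["host"]): chosen freely by the client
    url: str       # request path ($HTTP["url"])


# Original Debian condition: $HTTP["host"] == "localhost"
def host_condition(req: Request) -> bool:
    return req.host == "localhost"


# Patched condition: $HTTP["remoteip"] =~ "127.0.0.1"
# lighttpd's =~ is an unanchored regex match, so each unescaped dot matches any character.
def remoteip_regex_condition(req: Request) -> bool:
    return re.search(r"127.0.0.1", req.peer_ip) is not None


# Assumed tightened variant: exact string comparison with the peer address.
def remoteip_exact_condition(req: Request) -> bool:
    return req.peer_ip == "127.0.0.1"


# Nested $HTTP["url"] =~ "^/doc/|^/images/" block from the patch: directory
# listing is enabled only when the outer condition holds AND the path is aliased.
DOC_URL_RE = re.compile(r"^/doc/|^/images/")


def dir_listing_enabled(req: Request, outer) -> bool:
    return outer(req) and DOC_URL_RE.search(req.url) is not None


# Constructed sample traffic.
LOCAL = Request(peer_ip="127.0.0.1", host="localhost", url="/doc/")
FORGED = Request(peer_ip="198.51.100.7", host="localhost", url="/doc/")      # remote peer, faked Host header
OTHER_PATH = Request(peer_ip="127.0.0.1", host="localhost", url="/cgi-bin/")  # local, but not an aliased path
# IPv6 peer whose textual form contains "127:0:0:1", which the unanchored regex accepts.
LOOKALIKE = Request(peer_ip="2001:db8:127:0:0:1::", host="example.invalid", url="/doc/")


def evaluate(req: Request) -> dict:
    """Report which conditions grant the /doc/ alias and the directory listing for one request."""
    return {
        "host": host_condition(req),
        "remoteip_regex": remoteip_regex_condition(req),
        "remoteip_exact": remoteip_exact_condition(req),
        "listing_old": host_condition(req),   # old config: listing on for every URL once Host matches
        "listing_new": dir_listing_enabled(req, remoteip_regex_condition),
    }


if __name__ == "__main__":
    for name, req in [("local", LOCAL), ("forged", FORGED),
                      ("other_path", OTHER_PATH), ("lookalike", LOOKALIKE)]:
        print(f"{name:11s} {evaluate(req)}")
```

Running it shows the bypass from the report (the forged request passes the Host condition but not the peer-address conditions), the narrowing of directory listing to the aliased paths, and the residual looseness of the patch's unescaped, unanchored regex compared with an exact match.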
--- Begin Message ---
Source: lighttpd
Source-Version: 1.4.13-2

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive:

lighttpd-doc_1.4.13-2_all.deb
  to pool/main/l/lighttpd/lighttpd-doc_1.4.13-2_all.deb
lighttpd-mod-cml_1.4.13-2_i386.deb
  to pool/main/l/lighttpd/lighttpd-mod-cml_1.4.13-2_i386.deb
lighttpd-mod-magnet_1.4.13-2_i386.deb
  to pool/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-2_i386.deb
lighttpd-mod-mysql-vhost_1.4.13-2_i386.deb
  to pool/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-2_i386.deb
lighttpd-mod-trigger-b4-dl_1.4.13-2_i386.deb
  to pool/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-2_i386.deb
lighttpd-mod-webdav_1.4.13-2_i386.deb
  to pool/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-2_i386.deb
lighttpd_1.4.13-2.diff.gz
  to pool/main/l/lighttpd/lighttpd_1.4.13-2.diff.gz
lighttpd_1.4.13-2.dsc
  to pool/main/l/lighttpd/lighttpd_1.4.13-2.dsc
lighttpd_1.4.13-2_i386.deb
  to pool/main/l/lighttpd/lighttpd_1.4.13-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Krzysztof Krzyzaniak (eloy) <[EMAIL PROTECTED]> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 16 Oct 2006 11:14:28 +0200
Source: lighttpd
Binary: lighttpd-mod-mysql-vhost lighttpd-mod-cml lighttpd-doc 
lighttpd-mod-trigger-b4-dl lighttpd lighttpd-mod-webdav lighttpd-mod-magnet
Architecture: source i386 all
Version: 1.4.13-2
Distribution: unstable
Urgency: medium
Maintainer: Debian lighttpd maintainers <[EMAIL PROTECTED]>
Changed-By: Krzysztof Krzyzaniak (eloy) <[EMAIL PROTECTED]>
Description: 
 lighttpd   - A fast webserver with minimal memory footprint
 lighttpd-doc - Documentation for lighttpd
 lighttpd-mod-cml - Cache meta language module for lighttpd
 lighttpd-mod-magnet - Control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - Anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 380080 392890
Changes: 
 lighttpd (1.4.13-2) unstable; urgency=medium
 .
   * Patch from Pierre Habouzit <[EMAIL PROTECTED]> to init.d applied
     (closes: #380080)
   * Patch from Adrian Friendli <[EMAIL PROTECTED]> to lighttpd.conf applied
     (closes: #392890)
Files: 
 7aa8a62c7d74d238e1ab66b9f663e80b 1075 web optional lighttpd_1.4.13-2.dsc
 936dc7e4f6160132c7de3b9fca609e8a 14762 web optional lighttpd_1.4.13-2.diff.gz
 272be9c253473e7a2191bab017bd134a 96604 doc optional 
lighttpd-doc_1.4.13-2_all.deb
 24a4b0f0cdded44c693c576194f52399 288024 web optional lighttpd_1.4.13-2_i386.deb
 a5130ad6217042657b41e3f7943f42de 58268 web optional 
lighttpd-mod-mysql-vhost_1.4.13-2_i386.deb
 903713e88a9217ce7e213090b958d1b1 59938 web optional 
lighttpd-mod-trigger-b4-dl_1.4.13-2_i386.deb
 c818f66c0fb7ac88353f0612463611d6 62868 web optional 
lighttpd-mod-cml_1.4.13-2_i386.deb
 f031d701be3b93002293cbe08f8cf860 62666 web optional 
lighttpd-mod-magnet_1.4.13-2_i386.deb
 b296510d6b14ba203ae7be6dcc57984e 69942 web optional 
lighttpd-mod-webdav_1.4.13-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFM1rq+NMfSd6w7DERAoKnAKCKZGVIO60NoUO+IeegcssKl3N/zgCfdxbd
iH0gxZ/Q4HxSI9o/Qc6c/Dg=
=Arbz
-----END PGP SIGNATURE-----


--- End Message ---
