Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id
<d50ba4de424290cd2840a09ef19950156fcf51ab.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #961843,
regarding buster-pu: package lighttpd/1.4.53-4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
961843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961843
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Dear Maintainer,
Greetings! I am an upstream maintainer of lighttpd.
Please accept this backport of important patches from
lighttpd 1.4.54 (released 2019.05.27)
lighttpd 1.4.55 (released 2020.01.31)
The patches to backport have been hand-selected from the release
available in buster-backports lighttpd 1.4.55-1~bpo10+1 since 2020.03.06
These patches fix important bugs from upstream lighttpd issue tracker
https://redmine.lighttpd.net/issues (direct links below)
including a couple in the Debian Bug Tracker
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954759
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929203
From the debian/changelog:
* backport security, bug, portability fixes from lighttpd 1.4.54, 1.4.55
+ mod_evhost, mod_flv_streaming:
[regression] %0 pattern does not match hostnames without the domain part
https://redmine.lighttpd.net/issues/2932
+ mod_magnet: Lighttpd crashes on wrong return type in lua script
https://redmine.lighttpd.net/issues/2938
+ failed assertion on incoming bad request with server.error-handler
https://redmine.lighttpd.net/issues/2941
+ mod_wstunnel: fix wstunnel.ping-interval for big-endian architectures
https://redmine.lighttpd.net/issues/2944
+ fix abort in server.http-parseopts with url-path-2f-decode enabled
https://redmine.lighttpd.net/issues/2945
+ remove repeated slashes in server.http-parseopts with
url-path-dotseg-remove, including leading "//"
+ [regression][Bisected] lighttpd uses way more memory with POST since
1.4.52
https://redmine.lighttpd.net/issues/2948 (closes: #954759)
+ OPTIONS should return 2xx status for non-existent resources if Allow is
set
https://redmine.lighttpd.net/issues/2939
+ use high precision stat timestamp (on systems where available) in etag
+ mod_authn_ldap/mod_cgi race condition, "Can't contact LDAP server"
https://redmine.lighttpd.net/issues/2940
+ SUN_LEN in sock_addr.c (1.4.53, 1.4.54)
https://redmine.lighttpd.net/issues/2962
+ Embedded vim command line in conf file with no comment (#) hangs server
https://redmine.lighttpd.net/issues/2980
+ mod_authn_gssapi: 500 if fail to delegate creds
https://redmine.lighttpd.net/issues/2967
+ mod_authn_gssapi: option to store delegated creds
https://redmine.lighttpd.net/issues/2967
+ mod_auth: require digest uri= match original URI
HTTP digest authentication not compatible with some clients
https://redmine.lighttpd.net/issues/2974
+ mod_auth: send Authentication-Info nextnonce when nonce is approaching
expiration
+ mod_auth: http_auth_const_time_memeq improvement
+ mod_auth: http_auth_const_time_memeq_pad()
+ mod_auth: use constant time comparison when comparing digests
+ stricter request header parsing: reject WS following header field-name
https://redmine.lighttpd.net/issues/2985
+ stricter request header parsing: reject Transfer-Encoding + Content-Length
https://redmine.lighttpd.net/issues/2985
+ mod_openssl: reject invalid ALPN
+ mod_accesslog: parse multiple cookies
https://redmine.lighttpd.net/issues/2986
+ preserve %2b and %2B in query string
https://redmine.lighttpd.net/issues/2999
+ mod_auth: close connection after bad password
mitigation slows down brute force password attacks
https://redmine.lighttpd.net/boards/3/topics/8885
+ do not accept() > server.max-connections
+ update /var/run -> /run for systemd (closes: #929203)
debdiff attached. I think it may be easier to review the contents of
the files in debian/patches to see that the patches are generally small.
Please advise how best to proceed.
Thank you! Glenn
-- System Information:
Debian Release: 10.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
lighttpd-1.4.53-4+deb10u1.diff.xz
Description: application/xz
--- End Message ---
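Two of the changelog entries above ("reject WS following header field-name" and "reject Transfer-Encoding + Content-Length", both tracked in lighttpd issue 2985) concern the request-head ambiguities that HTTP request smuggling exploits: a whitespace-padded field-name that one parser treats as a header and another ignores, and a body whose length is framed two different ways. The following is an added illustration of those two rules written for this page; it is not lighttpd's parser and does not reproduce its code. The request samples are constructed, and the function names are the example's own.

```python
"""Illustrate the two stricter request-header rules from the changelog:
reject whitespace between a header field-name and ':', and reject a request
that carries both Transfer-Encoding and Content-Length.  Added example, not
lighttpd code; sample requests below are constructed for the demonstration."""

import re

# RFC 7230 "token" characters permitted in a header field-name
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def parse_request_head(raw: bytes):
    """Parse a raw request head (bytes up to the first empty line).

    Returns (request_line, headers) where headers is a list of
    (lowercased_name, value) pairs, or raises ValueError with the reason
    the request is rejected."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("header line without ':'")
        # Rule 1: whitespace after the field-name (before ':') is rejected
        # outright instead of being tolerated, so "Host : x" is not a Host
        # header here and is not a valid header at all.
        if name != name.rstrip(b" \t") or not _TOKEN.match(name):
            raise ValueError("invalid header field-name: %r" % name)
        headers.append((name.lower(), value.strip(b" \t")))
    # Rule 2: Transfer-Encoding and Content-Length together give two
    # different answers for where the body ends, so the request is refused
    # rather than picking one (the classic CL.TE / TE.CL desync vector).
    names = {n for n, _ in headers}
    if b"transfer-encoding" in names and b"content-length" in names:
        raise ValueError("both Transfer-Encoding and Content-Length present")
    return request_line, headers


def is_accepted(raw: bytes) -> bool:
    """True if the request head passes both rules."""
    try:
        parse_request_head(raw)
        return True
    except ValueError:
        return False


# Constructed sample requests
GOOD = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 5\r\n\r\nhello")
WS_BEFORE_COLON = b"GET / HTTP/1.1\r\nHost : example.test\r\n\r\n"
TE_AND_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("good", GOOD),
                       ("ws-before-colon", WS_BEFORE_COLON),
                       ("te-and-cl", TE_AND_CL)):
        print(label, "accepted" if is_accepted(req) else "rejected")
```

The point of refusing, rather than normalising, is that a front-end proxy and a back-end server only stay in sync on request boundaries if neither side silently picks an interpretation the other does not share.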
--- Begin Message ---
Package: release.debian.org
Version: 10.6
Hi,
Each of these bugs relates to an update that was included in today's
stable point release.
Regards,
Adam
--- End Message ---