Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock package lighttpd. The upload fixes a critical Denial of Service vulnerability in the lighttpd web server, exploitable by sending malicious HTTP Connection headers. Note that the upload also includes purely cosmetic, non-invasive fixes to conffiles. I only included them because I committed this fix to the VCS a while ago and did not want to revert it again. These changes should be in order with your freeze exception policies, and I have already asked informally whether they are okay. They do not change any functionality and fix a documentation bug only. Given the nature of this upload, I would also appreciate it if you could age the upload. The fix follows below inline: diff -Nru lighttpd-1.4.31/debian/changelog lighttpd-1.4.31/debian/changelog --- lighttpd-1.4.31/debian/changelog 2012-06-02 00:15:25.000000000 +0200 +++ lighttpd-1.4.31/debian/changelog 2012-11-21 14:53:48.000000000 +0100 @@ -1,3 +1,13 @@ +lighttpd (1.4.31-3) unstable; urgency=high + + * Fix "configuration files refer to wrong path for documentation" + by merging a patch supplied by Denis Laxalde <[email protected]> + (Closes: #676641) + * CVE-2012-5533: Fix Denial Of Service attacks against Lighttpd by sending + faulty Connection headers + + -- Arno Töll <[email protected]> Wed, 21 Nov 2012 14:42:32 +0100 + lighttpd (1.4.31-1) unstable; urgency=low * New upstream release diff -Nru lighttpd-1.4.31/debian/conf-available/05-auth.conf lighttpd-1.4.31/debian/conf-available/05-auth.conf --- lighttpd-1.4.31/debian/conf-available/05-auth.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/05-auth.conf 2012-11-21 02:12:50.000000000 +0100 
@@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/authentication.txt.gz +# /usr/share/doc/lighttpd/authentication.txt.gz server.modules += ( "mod_auth" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-cgi.conf lighttpd-1.4.31/debian/conf-available/10-cgi.conf --- lighttpd-1.4.31/debian/conf-available/10-cgi.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-cgi.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/cgi.txt +# /usr/share/doc/lighttpd/cgi.txt server.modules += ( "mod_cgi" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf --- lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/fastcgi.txt.gz +# /usr/share/doc/lighttpd/fastcgi.txt.gz # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi server.modules += ( "mod_fastcgi" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-proxy.conf lighttpd-1.4.31/debian/conf-available/10-proxy.conf --- lighttpd-1.4.31/debian/conf-available/10-proxy.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-proxy.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/proxy.txt +# /usr/share/doc/lighttpd/proxy.txt server.modules += ( "mod_proxy" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf --- lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf 2012-11-21 02:12:50.000000000 +0100 
@@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/rrdtool.txt +# /usr/share/doc/lighttpd/rrdtool.txt server.modules += ( "mod_rrdtool" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf --- lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/simple-vhost.txt +# /usr/share/doc/lighttpd/simple-vhost.txt server.modules += ( "mod_simple_vhost" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-ssi.conf lighttpd-1.4.31/debian/conf-available/10-ssi.conf --- lighttpd-1.4.31/debian/conf-available/10-ssi.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-ssi.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/ssi.txt +# /usr/share/doc/lighttpd/ssi.txt server.modules += ( "mod_ssi" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-ssl.conf lighttpd-1.4.31/debian/conf-available/10-ssl.conf --- lighttpd-1.4.31/debian/conf-available/10-ssl.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-ssl.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/ssl.txt +# /usr/share/doc/lighttpd/ssl.txt $SERVER["socket"] == "0.0.0.0:443" { ssl.engine = "enable" diff -Nru lighttpd-1.4.31/debian/conf-available/10-status.conf lighttpd-1.4.31/debian/conf-available/10-status.conf --- lighttpd-1.4.31/debian/conf-available/10-status.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-status.conf 2012-11-21 02:12:50.000000000 +0100 
@@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/status.txt +# /usr/share/doc/lighttpd/status.txt # http://trac.lighttpd.net/trac/wiki/Docs%3AModStatus server.modules += ( "mod_status" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-userdir.conf lighttpd-1.4.31/debian/conf-available/10-userdir.conf --- lighttpd-1.4.31/debian/conf-available/10-userdir.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-userdir.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,7 +1,7 @@ ## The userdir module provides a simple way to link user-based directories into ## the global namespace of the webserver. ## -# /usr/share/doc/lighttpd-doc/userdir.txt +# /usr/share/doc/lighttpd/userdir.txt server.modules += ( "mod_userdir" ) diff -Nru lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf --- lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,5 +1,5 @@ # -*- depends: fastcgi -*- -# /usr/share/doc/lighttpd-doc/fastcgi.txt.gz +# /usr/share/doc/lighttpd/fastcgi.txt.gz # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi ## Start an FastCGI server for php (needs the php5-cgi package) diff -Nru lighttpd-1.4.31/debian/conf-available2/10-cml.conf lighttpd-1.4.31/debian/conf-available2/10-cml.conf --- lighttpd-1.4.31/debian/conf-available2/10-cml.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available2/10-cml.conf 2012-11-21 02:12:50.000000000 +0100 
@@ -2,7 +2,7 @@ ## at one side and building a page from its fragments on the ## other side using LUA. ## -## /usr/share/doc/lighttpd-doc/cml.txt +## /usr/share/doc/lighttpd/cml.txt server.modules += ( "mod_cml" ) diff -Nru lighttpd-1.4.31/debian/conf-available2/10-magnet.conf lighttpd-1.4.31/debian/conf-available2/10-magnet.conf --- lighttpd-1.4.31/debian/conf-available2/10-magnet.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available2/10-magnet.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/magnet.txt.gz +# /usr/share/doc/lighttpd/magnet.txt.gz # http://trac.lighttpd.net/trac/wiki/Docs%3AModMagnet server.modules += ( "mod_magnet" ) diff -Nru lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf --- lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,6 +1,6 @@ ## A module to prevent deep-linking from other sites. ## -# /usr/share/doc/lighttpd-doc/trigger-b4-dl.html +# /usr/share/doc/lighttpd/trigger-b4-dl.html server.modules += ( "mod_trigger_b4_dl" ) diff -Nru lighttpd-1.4.31/debian/conf-available2/10-webdav.conf lighttpd-1.4.31/debian/conf-available2/10-webdav.conf --- lighttpd-1.4.31/debian/conf-available2/10-webdav.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available2/10-webdav.conf 2012-11-21 02:12:50.000000000 +0100 
@@ -3,7 +3,7 @@ ## the group defined which allows users to collaboratively edit and manage ## files on remote web servers. ## -# /usr/share/doc/lighttpd-doc/webdav.txt +# /usr/share/doc/lighttpd/webdav.txt # http://trac.lighttpd.net/trac/wiki/Docs%3AModWebDAV server.modules += ( "mod_webdav" ) diff -Nru lighttpd-1.4.31/debian/patches/connection-dos.patch lighttpd-1.4.31/debian/patches/connection-dos.patch --- lighttpd-1.4.31/debian/patches/connection-dos.patch 1970-01-01 01:00:00.000000000 +0100 +++ lighttpd-1.4.31/debian/patches/connection-dos.patch 2012-11-21 14:44:32.000000000 +0100 
@@ -0,0 +1,112 @@ +From: Stefan Bühler <[email protected]> +Subject: Fix DoS in header value split (CVE-2012-5533) + +Fix DoS in header value split (reported by Jesse Sipprell; CVE-2012-5533) + +Any client which is able to connect to lighttpd can cause a DoS by sending +"strange" Connection headers, for example: "Connection: TE,,Keep-Alive". This +patch fixes the issue. +--- a/src/request.c ++++ b/src/request.c +@@ -209,9 +209,11 @@ + #endif + + static int http_request_split_value(array *vals, buffer *b) { +- char *s; + size_t i; + int state = 0; ++ ++ const char *current; ++ const char *token_start = NULL, *token_end = NULL; + /* + * parse + * +@@ -222,53 +224,52 @@ + + if (b->used == 0) return 0; + +- s = b->ptr; +- +- for (i =0; i < b->used - 1; ) { +- char *start = NULL, *end = NULL; ++ current = b->ptr; ++ for (i = 0; i < b->used; ++i, ++current) { + data_string *ds; + + switch (state) { +- case 0: /* ws */ +- +- /* skip ws */ +- for (; (*s == ' ' || *s == '\t') && i < b->used - 1; i++, s++); +- +- +- state = 1; +- break; +- case 1: /* value */ +- start = s; +- +- for (; *s != ',' && i < b->used - 1; i++, s++); +- if (start == s) break; /* empty fields are skipped */ +- end = s - 1; +- +- for (; end > start && (*end == ' ' || *end == '\t'); end--); +- if (start == end) break; /* empty fields are skipped */ +- +- if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) { +- ds = data_string_init(); ++ case 0: /* find start of a token */ ++ switch (*current) { ++ case ' ': ++ case '\t': /* skip white space */ ++ case ',': /* skip empty token */ ++ break; ++ case '\0': /* end of string */ ++ return 0; ++ default: ++ /* found real data, switch to state 1 to find the end of the token */ ++ token_start = token_end = current; ++ state = 1; ++ break; + } ++ break; ++ case 1: /* find end of token and last non white space character */ ++ switch (*current) { ++ case ' ': ++ case '\t': ++ /* space - don't update token_end */ ++ break; ++ case ',': ++ 
case '\0': /* end of string also marks the end of a token */ ++ if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) { ++ ds = data_string_init(); ++ } + +- buffer_copy_string_len(ds->value, start, end-start+1); +- array_insert_unique(vals, (data_unset *)ds); ++ buffer_copy_string_len(ds->value, token_start, token_end-token_start+1); ++ array_insert_unique(vals, (data_unset *)ds); + +- if (*s == ',') { + state = 0; +- i++; +- s++; +- } else { +- /* end of string */ +- +- state = 2; ++ break; ++ default: ++ /* no white space, update token_end to include current character */ ++ token_end = current; ++ break; + } + break; +- default: +- i++; +- break; + } + } ++ + return 0; + } + diff -Nru lighttpd-1.4.31/debian/patches/series lighttpd-1.4.31/debian/patches/series --- lighttpd-1.4.31/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ lighttpd-1.4.31/debian/patches/series 2012-11-21 02:12:50.000000000 +0100 @@ -0,0 +1 @@ +connection-dos.patch unblock lighttpd/1.4.31-3 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.5-trunk-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/20121121140620.8287.17350.reportbug@localhost
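Review bot: The rewritten `http_request_split_value` flushes a token in state 1 only on `','` or `'\0'`, so the final token of a header is emitted solely because the loop bound `i < b->used` reaches the terminating NUL; a buffer whose `used` did not count the terminator would drop its last token silently at loop exit via the trailing `return 0;`. That reliance on the lighttpd buffer invariant (`b->ptr[b->used-1] == '\0'`, as I understand it for the 1.4.x `buffer` type) deserves a comment at the loop head, e.g. `/* b->used includes the terminating '\0'; the '\0' cases rely on it to flush the last token */`. The fix itself is sound: `current` now advances on every iteration, so the empty-field input the changelog describes (`"TE,,Keep-Alive"`) can no longer leave the cursor unmoved and spin forever as the removed `if (start == s) break;` path did. Since `i` is now only a bound and never indexes anything, a short comment saying it guards against a missing terminator would make that intent explicit. The embedded patch's two hunks span the whole function, but the comment block between them (old lines 218-221) is not shown.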

