Your message dated Wed, 21 Nov 2012 20:46:13 +0100
with message-id <[email protected]>
and subject line Re: Bug#693890: unblock: lighttpd/1.4.31-3
has caused the Debian Bug report #693890,
regarding unblock: lighttpd/1.4.31-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
693890: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693890
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package lighttpd. The upload fixes a critical Denial of Service
attack against the lighttpd web server by sending malicious HTTP Connection
headers.
Note, the upload also includes pure cosmetic non-invasive fixes to conffiles. I
did only include because I commited this fix to the VCS a while ago and I didn't
want to revert that again. These changes should be in order with your freeze
exception policies and I asked informally whether they are okay already. They do
not change any functionality and fix a documentation bug only.
Given the nature of this upload I'd also appreciate if you could age the upload.
A fix follows below inline
diff -Nru lighttpd-1.4.31/debian/changelog lighttpd-1.4.31/debian/changelog
--- lighttpd-1.4.31/debian/changelog 2012-06-02 00:15:25.000000000 +0200
+++ lighttpd-1.4.31/debian/changelog 2012-11-21 14:53:48.000000000 +0100
@@ -1,3 +1,13 @@
+lighttpd (1.4.31-3) unstable; urgency=high
+
+ * Fix "configuration files refer to wrong path for documentation"
+ by merging a patch supplied by Denis Laxalde <[email protected]>
+ (Closes: #676641)
+ * CVE-2012-5533: Fix Denial Of Service attacks against Lighttpd by sending
+ faulty Connection headers
+
+ -- Arno Töll <[email protected]> Wed, 21 Nov 2012 14:42:32 +0100
+
lighttpd (1.4.31-1) unstable; urgency=low
* New upstream release
diff -Nru lighttpd-1.4.31/debian/conf-available/05-auth.conf
lighttpd-1.4.31/debian/conf-available/05-auth.conf
--- lighttpd-1.4.31/debian/conf-available/05-auth.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/05-auth.conf 2012-11-21
02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/authentication.txt.gz
+# /usr/share/doc/lighttpd/authentication.txt.gz
server.modules += ( "mod_auth" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-cgi.conf
lighttpd-1.4.31/debian/conf-available/10-cgi.conf
--- lighttpd-1.4.31/debian/conf-available/10-cgi.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-cgi.conf 2012-11-21
02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/cgi.txt
+# /usr/share/doc/lighttpd/cgi.txt
server.modules += ( "mod_cgi" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf
lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf
--- lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf 2012-11-21
02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/fastcgi.txt.gz
+# /usr/share/doc/lighttpd/fastcgi.txt.gz
#
http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi
server.modules += ( "mod_fastcgi" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-proxy.conf
lighttpd-1.4.31/debian/conf-available/10-proxy.conf
--- lighttpd-1.4.31/debian/conf-available/10-proxy.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-proxy.conf 2012-11-21
02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/proxy.txt
+# /usr/share/doc/lighttpd/proxy.txt
server.modules += ( "mod_proxy" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf
lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf
--- lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf 2012-11-21
02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/rrdtool.txt
+# /usr/share/doc/lighttpd/rrdtool.txt
server.modules += ( "mod_rrdtool" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf
lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf
--- lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf 2012-11-21
02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/simple-vhost.txt
+# /usr/share/doc/lighttpd/simple-vhost.txt
server.modules += ( "mod_simple_vhost" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-ssi.conf
lighttpd-1.4.31/debian/conf-available/10-ssi.conf
--- lighttpd-1.4.31/debian/conf-available/10-ssi.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-ssi.conf 2012-11-21
02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/ssi.txt
+# /usr/share/doc/lighttpd/ssi.txt
server.modules += ( "mod_ssi" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-ssl.conf
lighttpd-1.4.31/debian/conf-available/10-ssl.conf
--- lighttpd-1.4.31/debian/conf-available/10-ssl.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-ssl.conf 2012-11-21
02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/ssl.txt
+# /usr/share/doc/lighttpd/ssl.txt
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
diff -Nru lighttpd-1.4.31/debian/conf-available/10-status.conf
lighttpd-1.4.31/debian/conf-available/10-status.conf
--- lighttpd-1.4.31/debian/conf-available/10-status.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-status.conf 2012-11-21
02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/status.txt
+# /usr/share/doc/lighttpd/status.txt
# http://trac.lighttpd.net/trac/wiki/Docs%3AModStatus
server.modules += ( "mod_status" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-userdir.conf
lighttpd-1.4.31/debian/conf-available/10-userdir.conf
--- lighttpd-1.4.31/debian/conf-available/10-userdir.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-userdir.conf 2012-11-21
02:12:50.000000000 +0100
@@ -1,7 +1,7 @@
## The userdir module provides a simple way to link user-based directories into
## the global namespace of the webserver.
##
-# /usr/share/doc/lighttpd-doc/userdir.txt
+# /usr/share/doc/lighttpd/userdir.txt
server.modules += ( "mod_userdir" )
diff -Nru lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf
lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf
--- lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2012-11-21
02:12:50.000000000 +0100
@@ -1,5 +1,5 @@
# -*- depends: fastcgi -*-
-# /usr/share/doc/lighttpd-doc/fastcgi.txt.gz
+# /usr/share/doc/lighttpd/fastcgi.txt.gz
#
http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi
## Start an FastCGI server for php (needs the php5-cgi package)
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-cml.conf
lighttpd-1.4.31/debian/conf-available2/10-cml.conf
--- lighttpd-1.4.31/debian/conf-available2/10-cml.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-cml.conf 2012-11-21
02:12:50.000000000 +0100
@@ -2,7 +2,7 @@
## at one side and building a page from its fragments on the
## other side using LUA.
##
-## /usr/share/doc/lighttpd-doc/cml.txt
+## /usr/share/doc/lighttpd/cml.txt
server.modules += ( "mod_cml" )
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-magnet.conf
lighttpd-1.4.31/debian/conf-available2/10-magnet.conf
--- lighttpd-1.4.31/debian/conf-available2/10-magnet.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-magnet.conf 2012-11-21
02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/magnet.txt.gz
+# /usr/share/doc/lighttpd/magnet.txt.gz
# http://trac.lighttpd.net/trac/wiki/Docs%3AModMagnet
server.modules += ( "mod_magnet" )
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf
lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf
--- lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf
2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf
2012-11-21 02:12:50.000000000 +0100
@@ -1,6 +1,6 @@
## A module to prevent deep-linking from other sites.
##
-# /usr/share/doc/lighttpd-doc/trigger-b4-dl.html
+# /usr/share/doc/lighttpd/trigger-b4-dl.html
server.modules += ( "mod_trigger_b4_dl" )
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-webdav.conf
lighttpd-1.4.31/debian/conf-available2/10-webdav.conf
--- lighttpd-1.4.31/debian/conf-available2/10-webdav.conf 2012-02-27
19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-webdav.conf 2012-11-21
02:12:50.000000000 +0100
@@ -3,7 +3,7 @@
## the group defined which allows users to collaboratively edit and manage
## files on remote web servers.
##
-# /usr/share/doc/lighttpd-doc/webdav.txt
+# /usr/share/doc/lighttpd/webdav.txt
# http://trac.lighttpd.net/trac/wiki/Docs%3AModWebDAV
server.modules += ( "mod_webdav" )
diff -Nru lighttpd-1.4.31/debian/patches/connection-dos.patch
lighttpd-1.4.31/debian/patches/connection-dos.patch
--- lighttpd-1.4.31/debian/patches/connection-dos.patch 1970-01-01
01:00:00.000000000 +0100
+++ lighttpd-1.4.31/debian/patches/connection-dos.patch 2012-11-21
14:44:32.000000000 +0100
@@ -0,0 +1,112 @@
+From: Stefan Bühler <[email protected]>
+Subject: Fix DoS in header value split (CVE-2012-5533)
+
+Fix DoS in header value split (reported by Jesse Sipprell; CVE-2012-5533)
+
+Any client which is able to connect to lighttpd can cause a DoS by sending
+"strange" Connection headers, for example: "Connection: TE,,Keep-Alive". This
+patch fixes the issue.
+--- a/src/request.c
++++ b/src/request.c
+@@ -209,9 +209,11 @@
+ #endif
+
+ static int http_request_split_value(array *vals, buffer *b) {
+- char *s;
+ size_t i;
+ int state = 0;
++
++ const char *current;
++ const char *token_start = NULL, *token_end = NULL;
+ /*
+ * parse
+ *
+@@ -222,53 +224,52 @@
+
+ if (b->used == 0) return 0;
+
+- s = b->ptr;
+-
+- for (i =0; i < b->used - 1; ) {
+- char *start = NULL, *end = NULL;
++ current = b->ptr;
++ for (i = 0; i < b->used; ++i, ++current) {
+ data_string *ds;
+
+ switch (state) {
+- case 0: /* ws */
+-
+- /* skip ws */
+- for (; (*s == ' ' || *s == '\t') && i < b->used - 1;
i++, s++);
+-
+-
+- state = 1;
+- break;
+- case 1: /* value */
+- start = s;
+-
+- for (; *s != ',' && i < b->used - 1; i++, s++);
+- if (start == s) break; /* empty fields are skipped */
+- end = s - 1;
+-
+- for (; end > start && (*end == ' ' || *end == '\t');
end--);
+- if (start == end) break; /* empty fields are skipped */
+-
+- if (NULL == (ds = (data_string
*)array_get_unused_element(vals, TYPE_STRING))) {
+- ds = data_string_init();
++ case 0: /* find start of a token */
++ switch (*current) {
++ case ' ':
++ case '\t': /* skip white space */
++ case ',': /* skip empty token */
++ break;
++ case '\0': /* end of string */
++ return 0;
++ default:
++ /* found real data, switch to state 1 to find
the end of the token */
++ token_start = token_end = current;
++ state = 1;
++ break;
+ }
++ break;
++ case 1: /* find end of token and last non white space character
*/
++ switch (*current) {
++ case ' ':
++ case '\t':
++ /* space - don't update token_end */
++ break;
++ case ',':
++ case '\0': /* end of string also marks the end of a
token */
++ if (NULL == (ds = (data_string
*)array_get_unused_element(vals, TYPE_STRING))) {
++ ds = data_string_init();
++ }
+
+- buffer_copy_string_len(ds->value, start, end-start+1);
+- array_insert_unique(vals, (data_unset *)ds);
++ buffer_copy_string_len(ds->value, token_start,
token_end-token_start+1);
++ array_insert_unique(vals, (data_unset *)ds);
+
+- if (*s == ',') {
+ state = 0;
+- i++;
+- s++;
+- } else {
+- /* end of string */
+-
+- state = 2;
++ break;
++ default:
++ /* no white space, update token_end to include
current character */
++ token_end = current;
++ break;
+ }
+ break;
+- default:
+- i++;
+- break;
+ }
+ }
++
+ return 0;
+ }
+
diff -Nru lighttpd-1.4.31/debian/patches/series
lighttpd-1.4.31/debian/patches/series
--- lighttpd-1.4.31/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ lighttpd-1.4.31/debian/patches/series 2012-11-21 02:12:50.000000000
+0100
@@ -0,0 +1 @@
+connection-dos.patch
unblock lighttpd/1.4.31-3
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.5-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
On Wed, Nov 21, 2012 at 15:06:20 +0100, Arno Töll wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package lighttpd. The upload fixes a critical Denial of Service
> attack against the lighttpd web server by sending malicious HTTP Connection
> headers.
>
Unblocked.
Cheers,
Julien
signature.asc
Description: Digital signature
--- End Message ---
