[Bug 127718] Re: lighttpd security fixes
This is (hopefully) the last of the debdiff series. All latest feisty, edgy and dapper have been tested in pbuilder. No real testing has been given to any of them, though.
** Attachment added: [edgy] debdiff
   http://launchpadlibrarian.net/8743252/lighttpd_1.4.13%7Er1370-1ubuntu1.2.debdiff
--
lighttpd security fixes
https://bugs.launchpad.net/bugs/127718
You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 127718] Re: lighttpd security fixes
I tested the feisty patch: https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/127718/comments/4
Everything built and worked fine for me. lighttpd served pages fine and didn't have any errors.
[Bug 127718] Re: lighttpd security fixes
I can also confirm this mod_access bug: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt
The bug is present in lighttpd-1.4.13-9ubuntu4 and fixed in lighttpd-1.4.13-9ubuntu4.1 (version created after applying debdiff).
To test I edited this line in /etc/lighttpd/lighttpd.conf:
url.access-deny = ( "~", ".inc", ".txt" )
I created a simple test.txt file in /var/www/ and could not access it using either http://hostname/test.txt or http://hostname/test.txt/.
I just wanted to comment on my testing methods in case anyone's interested.
[Bug 127718] Re: lighttpd security fixes
Tested the dapper patch and it builds and serves pages fine. I followed the same procedure for dapper as I did for feisty above. The mod_access bug went away with the update.
[Bug 127718] Re: lighttpd security fixes
Fixed in gutsy, publications for dapper/feisty are on their way now. :)
** Changed in: lighttpd (Ubuntu Feisty)
   Status: In Progress => Fix Committed
** Changed in: lighttpd (Ubuntu Dapper)
   Status: In Progress => Fix Committed
** Changed in: lighttpd (Ubuntu)
   Status: In Progress => Fix Released
[Bug 127718] Re: lighttpd security fixes
Applied this patch: http://launchpadlibrarian.net/8743252/lighttpd_1.4.13%7Er1370-1ubuntu1.2.debdiff
Built and tested in Edgy. No problems found.
[Bug 127718] Re: lighttpd security fixes
** Changed in: lighttpd (Ubuntu Feisty)
   Status: Fix Committed => Fix Released
** Changed in: lighttpd (Ubuntu Dapper)
   Status: Fix Committed => Fix Released
** Changed in: lighttpd (Ubuntu Edgy)
   Status: In Progress => Fix Committed
[Bug 127718] Re: lighttpd security fixes
** Changed in: lighttpd (Ubuntu Edgy)
   Status: Fix Committed => Fix Released
[Bug 127718] Re: lighttpd security fixes
Attached debdiff that provides security fixes. Trying in a feisty pbuilder now.
** Attachment added: [feisty] debdiff to provide security fixes
   http://launchpadlibrarian.net/8736547/lighttpd_1.4.13-9ubuntu4.1.debdiff
[Bug 127718] Re: lighttpd security fixes
Edgy debdiff
** Attachment added: [edgy] debdiff to provide security fixes
   http://launchpadlibrarian.net/8736783/lighttpd_1.4.13%7Er1370-1ubuntu1.2.debdiff
[Bug 127718] Re: lighttpd security fixes
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3949
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3946
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3947
[Bug 127718] Re: lighttpd security fixes
Thanks for preparing these diffs! Is the empty file tests/docroot/www/index.html~ actually supposed to be included? That seems like a backup file to me. Have these patches been runtime tested too? The changelog looks great (very detailed!); the only thing I would change is to include the CVEs for each patch so that the automatic CVE scanner can find them and mark them as fixed.
** Changed in: lighttpd (Ubuntu Edgy)
   Importance: Undecided => High
   Assignee: (unassigned) => Áron Sisak
   Status: New => In Progress
** Changed in: lighttpd (Ubuntu Feisty)
   Importance: Undecided => High
   Assignee: (unassigned) => Áron Sisak
   Status: New => In Progress
[Bug 127718] Re: lighttpd security fixes
Two more issues fixed, CVE numbers listed.
** Attachment added: debdiff to fix CVEs 2007-3946 - 2007-3950
   http://launchpadlibrarian.net/8739082/lighttpd_1.4.13-9ubuntu4.1.debdiff
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3950
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3948
[Bug 127718] Re: lighttpd security fixes
BTW tests/docroot/www/index.html~ comes from upstream.
[Bug 127718] Re: lighttpd security fixes
** Attachment added: [edgy] Two more issues fixed, CVE numbers listed.
   http://launchpadlibrarian.net/8740079/lighttpd_1.4.13%7Er1370-1ubuntu1.2.debdiff
** Changed in: lighttpd (Ubuntu Dapper)
   Importance: Undecided => High
   Assignee: (unassigned) => Áron Sisak
   Status: New => In Progress
Re: [Bug 127718] Re: lighttpd security fixes
On Wed, Aug 08, 2007 at 08:13:41PM -, Áron Sisak wrote:
> BTW tests/docroot/www/index.html~ comes from upstream.
Is it required to fix the problems? It appears to be an empty file.
[Bug 127718] Re: lighttpd security fixes
tests/docroot/www/index.html~ is needed so that the test suite does not fail.
[Bug 127718] Re: lighttpd security fixes
** Attachment added: [dapper] debdiff
   http://launchpadlibrarian.net/8741504/lighttpd_1.4.11-3ubuntu3.4.debdiff
[Bug 127718] Re: lighttpd security fixes
** Changed in: lighttpd (Ubuntu)
   Importance: Low => High
[Bug 127718] Re: lighttpd security fixes
** Changed in: lighttpd (Ubuntu)
   Assignee: (unassigned) => Áron Sisak
** Changed in: lighttpd (Ubuntu)
   Importance: Undecided => Low
   Status: New => In Progress