Hello community, here is the log from the commit of package lighttpd for openSUSE:11.4 checked in at Mon Jan 30 23:59:53 CET 2012.
-------- --- old-versions/11.4/all/lighttpd/lighttpd.changes 2010-04-22 13:55:48.000000000 +0200 +++ 11.4/lighttpd/lighttpd.changes 2012-01-27 12:19:47.000000000 +0100 @@ -1,0 +2,13 @@ +Fri Jan 27 11:18:04 UTC 2012 - mrueck...@suse.de + +- added lighttpd-1.4.26_honor_cipher_order.patch: + [ssl] add option to honor server cipher order, true by default + (fixes lighttpd#2364) + +------------------------------------------------------------------- +Wed Dec 21 17:54:06 UTC 2011 - mrueck...@suse.de + +- added lighttpd-1.4.x_mod_auth_signedness_error.patch: + Fix a small signedness error in mod_auth CVE-2011-4362 (bnc#733607) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/lighttpd Destination is old-versions/11.4/UPDATES/all/lighttpd calling whatdependson for 11.4-i586 New: ---- lighttpd-1.4.26_honor_cipher_order.patch lighttpd-1.4.x_mod_auth_signedness_error.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lighttpd.spec ++++++ --- /var/tmp/diff_new_pack.gEQPoC/_old 2012-01-30 23:59:12.000000000 +0100 +++ /var/tmp/diff_new_pack.gEQPoC/_new 2012-01-30 23:59:12.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package lighttpd (Version 1.4.26) +# spec file for package lighttpd # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ Name: lighttpd Version: 1.4.26 -Release: 2 +Release: 6.<RELEASE7> # %define pkg_name lighttpd %define pkg_user lighttpd 
@@ -92,6 +92,8 @@ Source7: lighttpd.logrotate Patch: lighttpd-1.4.13_geoip.patch Patch1: lighttpd-ssl-retval-fix.patch +Patch2: lighttpd-1.4.x_mod_auth_signedness_error.patch +Patch3: lighttpd-1.4.26_honor_cipher_order.patch # Summary: A Secure, Fast, Compliant, and Very Flexible Web Server @@ -284,6 +286,8 @@ %patch %endif %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %if 0%{?with_geoip} ++++++ lighttpd-1.4.26_honor_cipher_order.patch ++++++ commit 687b52298d7d87a5ce0919f34a1666724a709c88 Author: Stefan Bühler <stbueh...@web.de> Date: Wed Nov 30 19:59:24 2011 +0000 [ssl] add option to honor server cipher order, true by default (fixes #2364) git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2810 152afb58-edef-0310-8abb-c4023f1b3aa9 Conflicts: NEWS doc/config/lighttpd.conf src/base.h src/configfile.c diff --git a/src/base.h b/src/base.h index 4243bd2..9d4efa0 100644 --- a/src/base.h +++ b/src/base.h @@ -275,6 +275,7 @@ typedef struct { buffer *ssl_pemfile; buffer *ssl_ca_file; buffer *ssl_cipher_list; + unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */ unsigned short ssl_use_sslv2; unsigned short ssl_verifyclient; unsigned short ssl_verifyclient_enforce; diff --git a/src/configfile.c b/src/configfile.c index 3037185..1137825 100644 --- a/src/configfile.c +++ b/src/configfile.c 
@@ -100,6 +100,7 @@ static int config_insert(server *srv) { { "ssl.verifyclient.depth", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_SERVER }, /* 58 */ { "ssl.verifyclient.username", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 59 */ { "ssl.verifyclient.exportcert", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 60 */ + { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 61 */ { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, { "server.virtual-root", "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, @@ -168,6 +169,7 @@ static int config_insert(server *srv) { s->max_write_idle = 360; s->use_xattr = 0; s->is_ssl = 0; + s->ssl_honor_cipher_order = 1; s->ssl_use_sslv2 = 0; s->use_ipv6 = 0; s->defer_accept = 0; @@ -231,6 +233,7 @@ static int config_insert(server *srv) { cv[47].destination = s->ssl_cipher_list; cv[48].destination = &(s->ssl_use_sslv2); + cv[61].destination = &(s->ssl_honor_cipher_order); cv[49].destination = &(s->etag_use_inode); cv[50].destination = &(s->etag_use_mtime); cv[51].destination = &(s->etag_use_size); @@ -319,6 +322,7 @@ int config_setup_connection(server *srv, connection *con) { #endif PATCH(ssl_ca_file); PATCH(ssl_cipher_list); + PATCH(ssl_honor_cipher_order); PATCH(ssl_use_sslv2); PATCH(etag_use_inode); PATCH(etag_use_mtime); 
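Review bot: In the third hunk `cv[61].destination = &(s->ssl_honor_cipher_order);` is wedged between `cv[48]` and `cv[49]`, so the destination list no longer runs in index order while the table in the first hunk appends the new entry at `/* 61 */` after `/* 60 */`. Moving the assignment to follow `cv[60].destination` keeps the two lists in step and makes a mismatched index easy to spot, which matters because the position in the table appears to be the only thing tying `ssl.honor-cipher-order` to its field. The default `s->ssl_honor_cipher_order = 1;` in the second hunk is the safe choice and needs no change. config_insert's body continues outside these hunks.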
@@ -383,6 +387,8 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) { #endif } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) { PATCH(ssl_ca_file); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) { + PATCH(ssl_honor_cipher_order); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) { PATCH(ssl_use_sslv2); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) { diff --git a/src/network.c b/src/network.c index b362129..be452a6 100644 --- a/src/network.c +++ b/src/network.c @@ -539,6 +539,10 @@ int network_init(server *srv) { ERR_error_string(ERR_get_error(), NULL)); return -1; } + + if (s->ssl_honor_cipher_order) { + SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + } } if (!buffer_is_empty(s->ssl_ca_file)) { ++++++ lighttpd-1.4.x_mod_auth_signedness_error.patch ++++++ commit 1adaac589ced706e1badd751f54390086b1d0767 Author: Marcus Rückert <mrueck...@suse.de> Date: Tue Dec 20 13:08:51 2011 +0100 - merge 6c9dff7cda6593d9a566413347dd5adfe80c86a8 [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362) diff --git a/src/http_auth.c b/src/http_auth.c index 0c0c4a5..6609dc7 100644 --- a/src/http_auth.c +++ b/src/http_auth.c @@ -89,7 +89,7 @@ static unsigned char * base64_decode(buffer *out, const char *in) { ch = in[0]; /* run through the whole string, converting as we go */ for (i = 0; i < in_len; i++) { - ch = in[i]; + ch = (unsigned char) in[i]; if (ch == '\0') break; diff --git a/tests/mod-auth.t b/tests/mod-auth.t index 475a5f6..89ead9d 100755 --- a/tests/mod-auth.t +++ b/tests/mod-auth.t @@ -8,7 +8,7 @@ BEGIN { use strict; use IO::Socket; -use Test::More tests => 14; +use Test::More tests => 15; use LightyTest; my $tf = LightyTest->new(); 
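Review bot: The new `ssl.honor-cipher-order` branch in config_patch_connection lets the value be overridden inside a conditional block, but the network.c hunk below applies it with `SSL_CTX_set_options` on `s->ssl_ctx` during network_init, so a per-connection override apparently cannot change the preference order of an already-built context. The neighbouring `ssl.use-sslv2` and `ssl.cipher-list` PATCH lines presumably have the same limitation, which is likely why the branch was added alongside them. A comment on the new branch, e.g. `/* only effective at server-socket scope: applied to s->ssl_ctx once in network_init */`, would stop a reader expecting a host conditional to switch the cipher order. config_patch_connection continues outside the hunk.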
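Review bot: `SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE)` only improves the negotiated suite when `ssl.cipher-list` is itself ordered strongest-first; with the option now defaulting to true, a cipher list written in no particular order silently becomes the server's preference instead of the client's. A short comment on the new block, e.g. `/* server picks the first match in ssl.cipher-list order, so that list must be sorted by preference */`, records the dependency for anyone auditing a configuration. The option is set once per ssl_ctx here; network_init continues outside the hunk.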
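Review bot: The cast in `ch = (unsigned char) in[i];` fixes the read inside the loop, but the pre-loop `ch = in[0];` visible two context lines above is still an uncast `char` load; it is dead because the first iteration overwrites `ch`, yet it leaves one signed read in a function whose bug was presumably a signed `char` widening to a negative table index. Either drop that line or write it as `ch = (unsigned char) in[0];` so the fix is uniform and a later refactor cannot reintroduce the negative value. The rest of base64_decode, including the lookup the cast protects, is outside the hunk.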
@@ -25,6 +25,14 @@ ok($tf->handle_http($t) == 0, 'Missing Auth-token'); $t->{REQUEST} = ( <<EOF GET /server-status HTTP/1.0 +Authorization: Basic \x80mFuOmphb +EOF + ); +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ]; +ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token'); + +$t->{REQUEST} = ( <<EOF +GET /server-status HTTP/1.0 Authorization: Basic amFuOmphb EOF ); continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org