Public bug reported: Binary package hint: lighttpd
Dear Colleagues, lighttpd 1.4.19 was released on 2008-03-10 (http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany): It fixes all our security updates in hardy and as well a list of other buggers like: * added support for If-Range: <date> (#1346) * added support for matching $HTTP["scheme"] in configs * fixed initgroups() called after chroot (#1384) * fixed case-sensitive check for Auth-Method (#1456) * execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428) * fixed a bug that made /-prefixed extensions being handled also when matching the end of the uri in fcgi,scgi and proxy modules (#1489) * print error if X-LIGHTTPD-send-file cannot be done; reset header Content-Length for send-file. Patches by Stefan Buehler * prevent crash in certain php-fcgi configurations (#841) * add IdleServers and Scoreboard directives in ?auto mode for mod_status (#1507) * open log immediately after daemonizing, fixes SIGPIPEs on startup (#165) * HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set. (#1499) * generate ETag and Last-Modified headers for mod_ssi based on newest modified include (#1491) * support letterhomes in mod_userdir (#1473) * support chained proxies in mod_extforward (#1528) * fixed bogus "cgi died ?" if we kill the CGI process on shutdown * fixed ECONNRESET handling in network-openssl * fixed handling of EAGAIN in network-linux-sendfile (#657) * reset conditional cache (#1164) * create directories in mod_compress (was broken with alias/userdir) (#1027) * fixed out of range access in fd array (#1562, #372) (CVE-2008-0983) * mod_compress should check if the request is already handled, e.g. by fastcgi (#1565) * remove broken workaround for buggy Opera version with ssl/chunked encoding (#285) * generate etag/last-modified header for on-the-fly-compressed files (#1171) * req-method OPTIONS: do not insert default response if request was denied, do not deny OPTIONS by default (#1324) * fixed memory leak on windows (#1347) * fixed building outside of the src dir (#1349) * fixed including of stdint.h/inttypes.h in etag.c (#1413) * do not add Accept-Ranges header if range-request is disabled (#1449) * log the ip of failed auth tries in error.log (enhancement #1544) * fixed RoundRobin in mod_proxy (#516) * check for symlinks after successful pathinfo matching (#1574) * fixed mod-proxy.t to run with a builddir outside of the src dir * do not suppress content on "307 Temporary Redirect" (#1412) * fixed Content-Length header if response body gets removed in connections.c (#1412, part 2) * do not generate a "Content-Length: 0" header for HEAD requests, added test too * remove compress cache file if compression or write failed (#1150) * fixed body handling of status 300 requests * spawn-fcgi: only try to connect to unix socket (not tcp) before spawning (#1575) * fix sending source of cgi script instead of 500 error if fork fails (CVE-2008-1111) * fix min-procs handling in mod_scgi.c, just set to max-procs (patch from #623) * fix sending "408 - Timeout" instead of "410 - Gone" for timedout urls in mod_secdownload (#1440) * workaround #1587: require userdir.path to be set to enable mod_userdir (empty string allowed) (CVE-2008-1270) * make configure checks for --with-pcre, --with-zlib and --with-bzip2 failing if the headers aren't found * fixed handling of waitpid() == EINTR mod_ssi on solaris I packaged 1.4.19 (it's not already in debian) and added all packaging changes from the debian version to 1.4.19. Rational: First, we can drop all patches from 1.4.18 package. Second, all CVEs are fixed upstream, regarding the LTS version of hardy we don't have a lot to take care anymore. Only newer security issues needs to be fixed. third, it is fixes more bugs, instead of introducing new features (this will be the case for 1.5.) Please find attached all necessary files for the FeatureFreezeException. ** Affects: lighttpd (Ubuntu) Importance: Undecided Status: New -- [FFe] lighttpd 1.4.19 https://bugs.launchpad.net/bugs/201439 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
