lighttpd (1.4.13-9ubuntu4.6) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: #209627)
    + debian/patches/91_CVE-2008-1531.dpatch
      - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
        of service (active SSL connection loss) by triggering an SSL error,
        such as disconnecting before a download has finished, which causes
        all active SSL connections to be lost.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
    + http://trac.lighttpd.net/trac/changeset/2136
    + http://trac.lighttpd.net/trac/changeset/2139

 -- Emanuele Gentili  Sun, 06 Apr 2008 23:55:30 +0200

lighttpd (1.4.13-9ubuntu4.5) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: #200987)
    + debian/patches/91_CVE-2008-1270.dpatch
      - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not
        set, uses a default of $HOME, which might allow remote attackers to
        read arbitrary files, as demonstrated by accessing the ~nobody
        directory.
  * References
    + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
    + http://trac.lighttpd.net/trac/ticket/1587
    + http://trac.lighttpd.net/trac/changeset/2120

 -- Emanuele Gentili  Tue, 11 Mar 2008 14:51:11 +0100

lighttpd (1.4.13-9ubuntu4.4) feisty-security; urgency=low

  * SECURITY UPDATE:
    + debian/patches/91_CVE-2008-1111.dpatch:
      - Fixes CVE-2008-1111 "mod_cgi in lighttpd 1.4.18, when a fork failure
        occurs, sends the source code of CGI scripts instead of a 500 error,
        which might allow remote attackers to obtain sensitive information."
        (LP: #198731)
  * References
    + http://trac.lighttpd.net/trac/changeset/2107
    + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

 -- Emanuele Gentili  Wed, 05 Mar 2008 14:53:26 +0100

lighttpd (1.4.13-9ubuntu4.3) feisty-security; urgency=low

  * SECURITY UPDATE:
    + debian/patches/90_maxfds_crash_fix.dpatch:
      - added patch from upstream to fix the maxfds issue (LP: #195380)
  * References
    + http://trac.lighttpd.net/trac/ticket/1562

 -- Emanuele Gentili  Mon, 25 Feb 2008 16:35:30 +0100

lighttpd (1.4.13-9ubuntu4.2) feisty-security; urgency=low

  * SECURITY UPDATE: fix DoS crash from improper EOL handling in mod_cgi.c
    (backported from upstream 1.4.17)
  * SECURITY UPDATE: fix potential DoS crash in etag.c. This patch also fixes
    possible dereferencing a NULL pointer in buffer.c (both backported from
    upstream 1.4.17)
  * SECURITY UPDATE: fix arbitrary code execution in mod_fastcgi.c due to
    improper handling of content length in HTTP headers. Patch from upstream
  * References
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138309
    https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/138310
    http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
    CVE-2007-4727

 -- Jamie Strandboge  Sat, 10 Sep 2007 14:57:39 -0400

lighttpd (1.4.13-9ubuntu4.1) feisty-security; urgency=low

  * SECURITY UPDATE: remote crash on duplicate header keys with line-wrapping,
    various mod_auth bugs, mod_access bug and mod_fastcgi local DOS bug
    (LP:#127718)
  * debian/patches/06_security_lighttpd-1.4.x_duplicated_headers_with_folding_crash.dpatch:
    - Fixes header parsing bug (Lighttpd SA 2007:03, CVE 2007-3947)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_03.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
  * debian/patches/07_security_lighttpd-1.4.x_mod_auth_sec.dpatch:
    - Fixes various mod_auth bugs (Lighttpd SA 2007:04-07, CVE 2007-3946)
    - Description:
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_04.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_05.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_06.txt,
      http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_07.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_auth_sec.patch
  * debian/patches/08_security_lighttpd-1.4.x_mod_access_bypass.dpatch:
    - Fixes mod_access bug (Lighttpd SA 2007:08, CVE 2007-3949)
    - Description: http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt
    - Patch: http://www.lighttpd.net/assets/2007/7/24/lighttpd-1.4.x_mod_access_bypass.patch
  * debian/patches/09_security_lighttpd-1.4.x_connections.dpatch:
    - Fixes crashes with accessing out of bound fd array index (CVE 2007-3948)
    - Description: http://secunia.com/cve_reference/CVE-2007-3948/
    - Patch: http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
  * debian/patches/10_security_lighttpd-1.4.x_mod_scgi_segfault.dpatch
    - Fixes segmentation fault in mod_scgi, ...
      (CVE 2007-3950)
    - Description: http://secunia.com/cve_reference/CVE-2007-3950/
    - Patch: http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882
  * References:
    - Summary: http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it
    - External references: http://secunia.com/advisories/26130/

 -- Aron Sisak  Wed, 08 Aug 2007 11:37:59 +0200

lighttpd (1.4.13-9ubuntu4) feisty; urgency=low

  * Added LDAP connection leak fix from Debian (Bug: #413917)
    - debian/patches/03_ldap_leak_bugfix.dpatch
  * Added security fixes from 1.4.14 (Closes LP: #106416)
    - Remote DOS in CRLF parsing (CVE-2007-1869)
      debian/patches/04_security_crlf_parsing_dos.dpatch
    - DOS with files with mtime 0 (CVE-2007-1870)
      debian/patches/05_security_zero_mtime_crash.dpatch

 -- Lukas Fittl  Sat, 14 Apr 2007 05:26:10 +0200

lighttpd (1.4.13-9ubuntu3) feisty; urgency=low

  * Make sure that upgrades succeed, even if we can't restart lighttpd
    (LP: #86882)

 -- Soren Hansen  Thu, 29 Mar 2007 01:10:06 +0200

lighttpd (1.4.13-9ubuntu2) feisty; urgency=low

  * Add fam/gamin stat cache engine support (Closes: LP#80818)

 -- Soren Hansen  Mon, 19 Feb 2007 13:09:19 +0100

lighttpd (1.4.13-9ubuntu1) feisty; urgency=low

  * Merge from Debian unstable. Remaining Ubuntu changes:
    - Clean environment in init.d script
    - Replace Depends: on perl with Depends: on libterm-readline-perl-perl

 -- Adrien Cunin  Sat, 13 Jan 2007 21:38:05 +0100

lighttpd (1.4.13-9) unstable; urgency=low

  * debian/lighttpd.default - removed, it is not ready yet.
    We'll be back after etch release (closes: #406021)
  * debian/index.html.md5 - fixed path to file (full path to index.html)

 -- Krzysztof Krzyzaniak (eloy)  Tue, 2 Jan 2007 14:24:42 +0100

lighttpd (1.4.13-8) unstable; urgency=medium

  * Typo fixed in debian/lighttpd.postinst (closes: #405123)

 -- Krzysztof Krzyzaniak (eloy)  Tue, 2 Jan 2007 13:23:25 +0100

lighttpd (1.4.13-7ubuntu1) feisty; urgency=low

  * Merge from debian unstable, remaining changes:
    - Clean environment in init.d script
    - Replace Depends: on perl with Depends: on libterm-readline-perl-perl

 -- Soren Hansen  Sat, 30 Dec 2006 16:22:11 +0100

lighttpd (1.4.13-7) unstable; urgency=low

  [ Franz Pletz ]
  * debian/conf-available/10-cgi.conf:
    + match /cgi-bin/ only at the beginning of a path
    + convert match for host == localhost to remoteip == 127.0.0.1 like in
      lighttpd.conf; due to bugs in mod_alias, the cgi-bin, doc and images
      aliases didn't work anymore
  * debian/lighttpd.logrotate
    + use reload instead of force-reload for graceful restart
      (closes: #398169, #380080)
  * added debian/patches/01_mod_fastcgi_missing_cleanup.dpatch
    + source: http://trac.lighttpd.net/trac/ticket/910
    + fixes memleak in mod_fastcgi (closes: #400167)
  * added debian/patches/02_fastcgi_detach.dpatch
    + disconnect stderr/stdout from the terminal (closes: #368670)
    + point them either to errorlog or /dev/null
  * debian/control: added myself to Uploaders
  * Don't touch /var/www/index.html, create /var/www/index.lighttpd.html
    instead (closes: #397492)
    + debian/lighttpd.postinst: copy to /var/www/index.lighttpd.html
    + debian/lighttpd.conf: add index.lighttpd.html as first index-filename

  [ Krzysztof Krzyzaniak (eloy) ]
  * Typo fixed in index.html (closes: #403620)

 -- Franz Pletz  Fri, 8 Dec 2006 16:15:27 +0100

lighttpd (1.4.13-6ubuntu3) feisty; urgency=low

  * Fix typo in init-script

 -- Soren Hansen  Wed, 13 Dec 2006 11:52:54 +0100

lighttpd (1.4.13-6ubuntu2) feisty; urgency=low

  * Clean the environment before starting.
    Fixes: LP#53840

 -- Soren Hansen  Sun, 10 Dec 2006 16:18:55 +0100

lighttpd (1.4.13-6ubuntu1) feisty; urgency=low

  * Merge from debian unstable, remaining changes:
    - Replace Depends: on perl with Depends: on libterm-readline-perl-perl

 -- Soren Hansen  Fri, 8 Dec 2006 14:40:42 +0100

lighttpd (1.4.13-6) unstable; urgency=low

  * debian/lighttpd.postinst: change only permission for /var/log/lighttpd/

 -- Krzysztof Krzyzaniak (eloy)  Mon, 4 Dec 2006 16:34:11 +0100

lighttpd (1.4.13-5) unstable; urgency=low

  * debian/control:
    + perl added to dependencies (closes: #396629)
  * debian/conf-available/10-fastcgi.conf:
    + /usr/bin/php4-cgi changed to /usr/bin/php-cgi (closes: #397142)
  * debian/lighttpd.postinst: fix permission of /var/log/lighttpd
    (closes: #398834)
  * debian/lighty-enable-mod - fixed bug with undefined values
    (closes: #397493)

 -- Krzysztof Krzyzaniak (eloy)  Thu, 9 Nov 2006 12:18:25 +0100

lighttpd (1.4.13-4) unstable; urgency=low

  * fixed config file for logrotate (reload action changed to force-reload)

 -- Krzysztof Krzyzaniak (eloy)  Thu, 26 Oct 2006 11:36:13 +0200

lighttpd (1.4.13-3) unstable; urgency=low

  * debian/control: libxml2-dev added to Build-Depends (closes: #394882)

 -- Krzysztof Krzyzaniak (eloy)  Tue, 24 Oct 2006 13:31:27 +0200

lighttpd (1.4.13-2) unstable; urgency=medium

  * Patch from Pierre Habouzit to init.d applied (closes: #380080)
  * Patch from Adrian Friendli to lighttpd.conf applied (closes: #392890)

 -- Krzysztof Krzyzaniak (eloy)  Mon, 16 Oct 2006 11:14:28 +0200

lighttpd (1.4.13-1) unstable; urgency=low

  * New upstream release
  * mod_webdav as separate lighttpd-mod-webdav package
  * Compiled with --with-webdav-locks, added uuid-dev to Build-Depends

 -- Krzysztof Krzyzaniak (eloy)  Tue, 10 Oct 2006 10:26:54 +0200

lighttpd (1.4.13~r1385-1) unstable; urgency=low

  * New upstream release

 -- Krzysztof Krzyzaniak (eloy)  Mon, 9 Oct 2006 10:28:32 +0200

lighttpd (1.4.13~r1370-1ubuntu1) edgy; urgency=low

  * Merge from Debian unstable (Closes: Malone #64900).
    Remaining changes:
    - Add an additional dependency on libterm-readline-perl-perl
      (Malone #43895)

 -- Lukas Fittl  Tue, 10 Oct 2006 13:57:38 +0200

lighttpd (1.4.13~r1370-1) unstable; urgency=low

  * New upstream release (closes: #390877) (closes: #389911)
  * Compiled with --with-attr param (closes: #389712)
  * dropped 01-lua5.1.dpatch, issue fixed by upstream

 -- Krzysztof Krzyzaniak (eloy)  Thu, 5 Oct 2006 10:08:19 +0200

lighttpd (1.4.12-1) unstable; urgency=low

  * New upstream release
  * fixes in debian/lighttpd.install (closes: #377802)
  * mod_cml is deprecated from now on and it will be removed in 1.5.0
    mod_magnet provides the same functionality and more with a cleaner syntax
    and in a more generic form
  * added separate module for mod_magnet (closes: #389578)
  * changed dependency from lua-5.0 to lua-5.1
  * added patch patches/01-lua5.1.dpatch
  * added pkg-config to Build-Depends

 -- Krzysztof Krzyzaniak (eloy)  Tue, 12 Sep 2006 19:17:41 +0200

lighttpd (1.4.12~20060907-1ubuntu1) edgy; urgency=low

  * Merge from debian unstable:
    -> Keep the additional dependency on libterm-readline-perl-perl.

 -- Jeremie Corbier  Fri, 22 Sep 2006 19:16:08 -0700

lighttpd (1.4.12~20060907-1) unstable; urgency=low

  * New upstream release
  * Removed debian/patches/01_use_bin_sh.dpatch - fixed in upstream

 -- Krzysztof Krzyzaniak (eloy)  Thu, 7 Sep 2006 14:50:47 +0200

lighttpd (1.4.12~20060901-1) unstable; urgency=low

  * New upstream release
  * Removed debian/patches/02_ssl_fix.dpatch - it's now fixed in upstream

 -- Krzysztof Krzyzaniak (eloy)  Mon, 4 Sep 2006 11:07:42 +0200

lighttpd (1.4.11-8) UNRELEASED; urgency=low

  * debian/lighttpd.dirs:
    + usr/lib/cgi-bin added
  * debian/conf-available/10-cgi.conf
    + proper configuration for localhost as well (again Bug#345554)
  * debian/lighttpd.conf:
    + server.bind commented out as in default configuration (closes: #380267)
  * debian/patches/02_ssl_fix.dpatch - added fix for ssl connection with POST
    request (http://trac.lighttpd.net/trac/ticket/607), thanks to
    RISKO Gergely (closes: #381455)
  * debian/lighttpd.logrotate - some values changes (now rotate weekly and
    keep 12 logfiles)

 -- Krzysztof Krzyzaniak (eloy)  Mon, 28 Aug 2006 13:06:25 +0200

lighttpd (1.4.11-7ubuntu1) edgy; urgency=low

  * Merge from debian unstable:
    -> Restore B-D on libmemcache-dev.
    -> Keep the additional dependency on libterm-readline-perl-perl.
  * debian/patches:
    -> Add 02_mod_ssl_post_fix.dpatch: fix a stall with POST requests between
       8317 and 16381 bytes long when mod_ssl is enabled.

 -- Jeremie Corbier  Thu, 17 Aug 2006 13:07:50 +0200

lighttpd (1.4.11-7) unstable; urgency=low

  * debian/create-mime.assign.pl - catchup error when /etc/mime.types is not
    readable (closes: #375347)

 -- Krzysztof Krzyzaniak (eloy)  Tue, 27 Jun 2006 20:19:57 +0200

lighttpd (1.4.11-6) unstable; urgency=low

  * debian/control:
    - Recommends: Changed to alternative: php4-cgi | php5-cgi
      (closes: #368215)
  * include-conf-enabled.pl script changed according to patch from
    Tobias Gruetzmacher (closes: #368352)
  * debian/lighttpd.conf: removed global for local aliases (/images/, /doc/)
    (closes: #366801)

 -- Krzysztof Krzyzaniak (eloy)  Tue, 23 May 2006 16:48:36 +0200

lighttpd (1.4.11-5) unstable; urgency=low

  * debian/init.d:
    - --oknodo added to section "stop" to close finally #35979
    - --retry 30 added to section "reload", to prevent problems with
      logrotating (closes: #366366)
  * debian/control: Standards-Version: increased to 3.7.2 without additional
    changes

 -- Krzysztof Krzyzaniak (eloy)  Wed, 10 May 2006 14:26:04 +0200

lighttpd (1.4.11-4) unstable; urgency=low

  [ Krzysztof Krzyzaniak (eloy) ]
  * debian/init.d:
    - "exit 1" after failed actions removed (closes: #359792)
  * debian/conf-available/10-fastcgi.conf updated (closes: #362827)
    thanks to Joerg Rieger

  [ Torsten Marek ]
  * Change my email address to shlomme@debian.org
  * Remove --background from the start action, since it breaks the error
    checking of start-stop-daemon. The behaviour described in #355865 is
    not reproducible any more.
  * make reload action in initscript more well-behaved

 -- Torsten Marek  Sun, 9 Apr 2006 15:51:51 +0200

lighttpd (1.4.11-3ubuntu3) dapper; urgency=low

  * debian/control
    + Added depends on libterm-readline-perl-perl. (Closes: Malone #43895)

 -- Chuck Short  Wed, 10 May 2006 18:11:24 -0400

lighttpd (1.4.11-3ubuntu2) dapper; urgency=low

  * Rebuild against the new libmysqlclient15off with correct symbols.

 -- Adam Conrad  Thu, 6 Apr 2006 15:10:02 +1000

lighttpd (1.4.11-3ubuntu1) dapper; urgency=low

  * Sync with Debian:
    + Removed B-D on libmemcache-dev as we don't have it in dapper, needs to
      be re-enabled for dapper+1

 -- Sebastian Dröge  Mon, 27 Mar 2006 13:52:44 +0200

lighttpd (1.4.11-3) unstable; urgency=low

  * debian/lighttpd.conf - added dir-listing.encoding = "utf-8", suggested by
    Silvestre Zabala (closes: #359100)
  * debian/lighttpd.install - fix bug with installing *.conf files

 -- Krzysztof Krzyzaniak (eloy)  Mon, 27 Mar 2006 09:50:55 +0200

lighttpd (1.4.11-2) unstable; urgency=low

  * Provide debian/conf-available/10-ssl.conf, (closes: #355868)

 -- Krzysztof Krzyzaniak (eloy)  Fri, 24 Mar 2006 13:53:54 +0100

lighttpd (1.4.11-1) unstable; urgency=low

  * New upstream release (closes: #356496)
  * init.d script - added --background to "start" (thanks goes to
    Marcello Nuccio) (closes: #355865)

 -- Krzysztof Krzyzaniak (eloy)  Fri, 10 Mar 2006 09:51:10 +0100

lighttpd (1.4.10-6) unstable; urgency=low

  * Patch from on lighty-enable-mod (closes: #355773)

 -- Krzysztof Krzyzaniak (eloy)  Wed, 8 Mar 2006 11:17:07 +0100

lighttpd (1.4.10-5) unstable; urgency=low

  [ Krzysztof Krzyzaniak (eloy) ]
  * debian/control - libmysqlclient14-dev has to be removed because it is not
    available in debian/sid

  [ Torsten Marek ]
  * debian/rules - build with support for LUA, libmemcache and GDBM
  * debian/lighttpd.install - install mod_evasive into lighttpd package
  * debian/control - own packages for mod_trigger_b4_dl and mod_cml
  * debian/control - small fixes
  * debian/conf-available/10-ssi.conf - comment out link to web documentation

 -- Torsten Marek  Mon, 6 Mar 2006 12:07:29 +0100

lighttpd (1.4.10-4) unstable; urgency=low

  * bugfix release
  * Fixed bug with 10-fastcgi.conf, (closes: #353964)

 -- Krzysztof Krzyzaniak (eloy)  Thu, 23 Feb 2006 16:14:42 +0100

lighttpd (1.4.10-3) unstable; urgency=low

  * lighttpd.conf - changed configuration for /images/ & /doc/ handling

 -- Krzysztof Krzyzaniak (eloy)  Tue, 14 Feb 2006 09:57:15 +0100

lighttpd (1.4.10-2) unstable; urgency=low

  * debian/control - libmysqlclient14-dev added as alternative (will be easier
    for backports.org)
  * lighty-enable-mod script fixed - files with dash were skipped, thanks to
    Silvester Zabala for patch (closes: #352577)
  * install doc/lighttpd.conf as example (closes: #344961)

 -- Krzysztof Krzyzaniak (eloy)  Mon, 13 Feb 2006 12:58:54 +0100

lighttpd (1.4.10-1) unstable; urgency=low

  * New upstream release

 -- Krzysztof Krzyzaniak (eloy)  Wed, 8 Feb 2006 16:02:16 +0100

lighttpd (1.4.9-5) unstable; urgency=low

  * Properly fixed bug with overwriting index.html (closes: #349676)

 -- Krzysztof Krzyzaniak (eloy)  Mon, 30 Jan 2006 10:17:57 +0100

lighttpd (1.4.9-4) unstable; urgency=low

  [ Krzysztof Krzyzaniak (eloy) ]
  * Fixed bug with 10-userdir.conf, (closes: #349821)
  * index.html is not replaced when md5 string doesn't match
    (closes: #349676)

 -- Krzysztof Krzyzaniak (eloy)  Wed, 25 Jan 2006 16:33:34 +0100

lighttpd (1.4.9-3) unstable; urgency=low

  [ Torsten Marek ]
  * Added some configuration examples from upstream sample configuration
  * Implement "reload" init.d action with graceful restart, taken from
    http://trac.lighttpd.net/trac/ticket/267 (Closes: #346038)
  * ssi, auth, fastcgi, proxy and simple-vhost are now in separate config
    files
  * Put path to plugin documentation into every config snippet
  * Build against libmysqlclient15

 -- Torsten Marek  Sat, 21 Jan 2006 15:16:01 +0100

lighttpd (1.4.9-2) unstable; urgency=low

  [ Krzysztof Krzyzaniak (eloy) ]
  * mod_alias enabled by default - removed conf-avaiable/00-alias.conf
  * Added handling of http://localhost/doc/ & http://localhost/images/
    (closes: #348823)

 -- Krzysztof Krzyzaniak (eloy)  Thu, 19 Jan 2006 12:39:04 +0100

lighttpd (1.4.9-1) unstable; urgency=low

  * New upstream release
  * Closing bug from not uploaded release 1.4.8-5, (closes: #347737)

 -- Krzysztof Krzyzaniak (eloy)  Mon, 16 Jan 2006 20:06:39 +0100

lighttpd (1.4.8-5) unstable; urgency=low

  * create /var/www directory (closes:
    #347737), default /var/www/index.html added (based on apache2 index.html
    file).

 -- Krzysztof Krzyzaniak (eloy)  Thu, 12 Jan 2006 16:54:32 +0100

lighttpd (1.4.8-4) unstable; urgency=low

  * fixed permissions and directories (closes: #347565)

 -- Krzysztof Krzyzaniak (eloy)  Wed, 11 Jan 2006 17:15:12 +0100

lighttpd (1.4.8-3) unstable; urgency=low

  * New configuration layout (closes: #345554) (closes: #344959),
    read /etc/lighttpd/conf-available/README
    - conf-available directory for all templates
    - conf-enabled directory for enabled modules

 -- Krzysztof Krzyzaniak (eloy)  Mon, 9 Jan 2006 13:49:34 +0100

lighttpd (1.4.8-2) unstable; urgency=low

  [ Krzysztof Krzyzaniak (eloy) ]
  * debian/control: lsb-base dependency narrowed to (>= 3.0-3)
  * create-mime.assign.pl set as executable (closes: #344938)

 -- Krzysztof Krzyzaniak (eloy)  Wed, 28 Dec 2005 12:40:55 +0100

lighttpd (1.4.8-1) unstable; urgency=low

  * New upstream version (closes: #304271)
  * Does not rely on $SHELL to execute external commands

 -- Torsten Marek  Sat, 26 Nov 2005 11:48:51 +0100

lighttpd (1.4.7-1) unstable; urgency=low

  * New upstream version, Initial debian version
  * Better debian/rules file
  * Split mysql vhost module into separate package
  * Create separate package for documentation
  * Create a better init script

 -- Torsten Marek  Sat, 5 Nov 2005 18:56:53 +0100