Bug#894276: lighttpd: mod_openssl.so missing in debian package

To: 894276@bugs.debian.org
Cc: Flynn Marquardt <debian@flynnux.de>
Subject: Bug#894276: lighttpd: mod_openssl.so missing in debian package
From: Ximin Luo <infinity0@debian.org>
Date: Sat, 31 Mar 2018 11:28:00 +0000
Message-id: <[🔎] 790a707f-ebd1-0207-ea22-27870755cb60@debian.org>
Reply-to: Ximin Luo <infinity0@debian.org>, 894276@bugs.debian.org
In-reply-to: <[🔎] 152221958761.20021.5024304536389220299.reportbug@vcr.flynnux.de>
References: <[🔎] 152221958761.20021.5024304536389220299.reportbug@vcr.flynnux.de> <[🔎] 152221958761.20021.5024304536389220299.reportbug@vcr.flynnux.de> <[🔎] 152221958761.20021.5024304536389220299.reportbug@vcr.flynnux.de>

Control: severity -1 critical

Bumping up to critical because this causes lighttpd to not load at all, causing unrelated software to break that relies on a local webserver, or else forces the service to disable SSL thereby introducing a security hole.

To the bug submitter: in the future please feel free to use one of the severities {critical, grave, serious} to prevent bugs like this from reaching Debian testing. We really don't want to "accidentally" release Debian with a lighttpd without SSL support.

X

Flynn Marquardt wrote:
> Package: lighttpd
> Version: 1.4.49-1
> Severity: important
> 
> Dear Maintainer,
> 
> the ssl support in lighttpd is now a separate module.
> The module mod_openssl.so is build, but not packaged.
> 
> This renders lighttpd unusable in real world use.
> 
> Please add /usr/lib/lighttpd/mod_openssl.so to the package.
> 
> -- System Information:
> Debian Release: buster/sid
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.15.13 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages lighttpd depends on:
> ii  libattr1      1:2.4.47-2+b2
> ii  libbz2-1.0    1.0.6-8.1
> ii  libc6         2.27-2
> ii  libfam0       2.7.0-17.2+b1
> ii  libpcre3      2:8.39-9
> ii  libssl1.1     1.1.0g-2
> ii  lsb-base      9.20170808
> ii  mime-support  3.60
> ii  zlib1g        1:1.2.8.dfsg-5
> 
> Versions of packages lighttpd recommends:
> pn  spawn-fcgi  <none>
> 
> Versions of packages lighttpd suggests:
> pn  apache2-utils         <none>
> pn  lighttpd-doc          <none>
> ii  openssl               1.1.0g-2
> ii  php-cgi               1:7.2+60
> ii  php7.0-cgi [php-cgi]  7.0.28-1
> ii  php7.2-cgi [php-cgi]  7.2.3-1
> ii  rrdtool               1.7.0-1
> 
> -- Configuration Files:
> /etc/lighttpd/lighttpd.conf changed [not included]
> /etc/logrotate.d/lighttpd changed [not included]
> 
> -- no debconf information
> 
> 

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git

Reply to:

References:
- Bug#894276: lighttpd: mod_openssl.so missing in debian package
  - From: Flynn Marquardt <debian@flynnux.de>

Prev by Date: Processed: Re: lighttpd: mod_openssl.so missing in debian package
Next by Date: Bug#894276: marked as done (lighttpd: mod_openssl.so missing in debian package)
Previous by thread: Processed: Re: lighttpd: mod_openssl.so missing in debian package
Next by thread: Bug#894276: marked as done (lighttpd: mod_openssl.so missing in debian package)
Index(es):
- Date
- Thread