
Re: Wheezy and jessie updates of lighttpd



On 02/08/16 at 10:11, Sébastien Delafond wrote:
> On Aug/01, Santiago R.R. wrote:
> > Please, find attached debdiffs to mitigate this in wheezy (that I plan
> > to upload) and jessie. I have tested it with a python cgi taken from
> > httpoxy's PoCs, and it seems to work well. However, I am not familiar
> > with lighttpd, so any review is welcome.
> 
> Hi Santiago,
> 
> thanks for working on this. Could you please change your jessie debdiff
> so it uses version 1.4.35-4+deb8u1 instead of 1.4.35-5 ? The rest looks
> OK.
> 

Oops! Fixed.

> You'll also need to make sure you build with -sa, as lighttpd will be
> new on security-master.

.changes attached. security-master doesn't handle source-only uploads,
does it?

For wheezy users, lighttpd test packages are available at:

  deb https://people.debian.org/~santiago/debian santiago-wheezy/
  deb-src https://people.debian.org/~santiago/debian santiago-wheezy/

Thanks,

Santiago
Format: 1.8
Date: Sun, 31 Jul 2016 20:57:24 +0200
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source amd64 all
Version: 1.4.35-4+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Changed-By: Santiago R.R. <santiagorr@riseup.net>
Description:
 lighttpd   - fast webserver with minimal memory footprint
 lighttpd-doc - documentation for lighttpd
 lighttpd-mod-cml - cache meta language module for lighttpd
 lighttpd-mod-magnet - control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Changes:
 lighttpd (1.4.35-4+deb8u1) jessie-security; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2016-1000212: Mitigate HTTPoxy vulnerability.
   * Add mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch

Attachment: signature.asc
Description: PGP signature

