-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

the recent OpenSSL security update [1] broke Lighttpd due to a bug in Lighty's OpenSSL handling [2], which caused a regression in stable's package [3]. This bug is fixed upstream and in testing/unstable as well, due to the more recent versions shipped there. The OpenSSL update has now introduced that problem (for reasons I don't know) into stable as well, which should be fixed there, as this (mostly) breaks SSL for Lighttpd.

While this is likely no security issue, I am writing to the security team as well, as you probably want to take care of it, because DSA-2141 caused that problem. The patch is rather simple and straightforward. Some more details are mentioned in the bug report.

Please note that I am the author of the patch that is also mentioned in the bug report; however, I am NOT the maintainer of lighttpd, neither sponsored nor full. However, I was instructed by Olaf to take care of that issue, although neither of us (I for sure, and I assume Olaf neither) has upload permissions to ANY Debian repository.
[1] DSA-2141-1, http://www.debian.org/security/2011/dsa-2141
[2] http://redmine.lighttpd.net/issues/2157
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609124

- --
with kind regards,
Arno Töll

GnuPG Key-ID: 0x8408D4C4
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNK38sAAoJELBdpXvEXpo9uGEP/1IbSboI+GP0BZ5h/bhKVfaD
W2GcfMAglmp+CzW8DMiUv2J5zGcj6mYIg708NPnzKxIKVzrp/tsTR6ckky0BRZqG
Cex+sCMtcnC3y7Ite5pDLwm8GMar3pk5wQ8CHZG7XXlsIy7GueOikaau2xd9Q9xo
7XMJzjLb5TGDcw5ifZwJLoFcUARahagovPZOQ7/Fyw9lXwD5LwofXCu/oxizAifJ
87L62nMBZP4mLYc3cxOdt9RZDLlWRimaWPXUMXzI/0PQGAz9RWHjGkhf+1q51pTj
DPvuk340hl3Eza4xMz9SkepmEIXGvCJbvetbGBpa72nzUzn2Ze0UIqOxiTDk2fPc
RAoRT0YFVtf+sv8HQsLmzzJ6VaNcw7jTxtXHk82Hj1uoYlqB0d7sFH8RFAp7SR4j
cWCvgcXa0tU5YPFJ/P55cFBrsPE52UU3FXiOOCkNoSsuogRjKzadFACt2Wa0PBzA
jaNSVhA86HwFlYgYtKNCeEXeH2n0PpFKYYdZMJgxTMGNw+ty2kPCgLNvU/xaXjTI
8+UXSQC+QZ+My2TRy4THF7iYgpoiqaATOhfgfcZM4UTMMV20mutI2ICenk3GGPQW
HETwKQVJGRcxYpKm/YBtUVBBuowKcx8eCp4bylojM5fYfGP2sSs2GSj5jx4MKOcD
GQjNeOPzjyvVPCrUuD4S
=JOUj
-----END PGP SIGNATURE-----
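Added example (not from the mail, the bug report, or lighttpd's or OpenSSL's own sources): a stand-alone C model of the failure the message describes. It mirrors the documented contract of SSL_CTX_set_options(), which ORs the requested bits into the context and returns the whole resulting option mask, and runs both the 1.4.19 equality check and the patched bit test against a context that already carries another option bit. All DEMO_* names, values and functions are assumptions made for this demo; the constant values are not the real SSL_OP_* values and no OpenSSL headers are needed.

```c
/* Added example, not lighttpd or OpenSSL code. Models why
 * "SSL_OP_NO_SSLv2 != SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2)" breaks
 * once a context carries other option bits, and why "&" is the right test. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t demo_opt_t;

/* Stand-in option bits. Values are arbitrary for this demo and are NOT the
 * real SSL_OP_* constants. */
#define DEMO_OP_NO_SSLv2     0x01000000u
#define DEMO_OP_ALREADY_SET  0x00000004u  /* a bit the context has before we touch it */

typedef struct {
    demo_opt_t options;
} demo_ctx;

/* Mirrors the documented behaviour of SSL_CTX_set_options(): OR the requested
 * bits into the context (existing bits are never cleared) and return the
 * complete resulting mask, not only the bits that were passed in. */
static demo_opt_t demo_ctx_set_options(demo_ctx *ctx, demo_opt_t op)
{
    ctx->options |= op;
    return ctx->options;
}

/* The check as in lighttpd 1.4.19's network.c: equality against the single
 * flag. Returns -1 (lighttpd logs an SSL error and refuses to start) as soon
 * as any other option bit is present in the returned mask. */
static int demo_disable_sslv2_old(demo_ctx *ctx)
{
    if (DEMO_OP_NO_SSLv2 != demo_ctx_set_options(ctx, DEMO_OP_NO_SSLv2)) {
        return -1;
    }
    return 0;
}

/* The patched check: look only at the bit that was requested. */
static int demo_disable_sslv2_new(demo_ctx *ctx)
{
    if (!(DEMO_OP_NO_SSLv2 & demo_ctx_set_options(ctx, DEMO_OP_NO_SSLv2))) {
        return -1;
    }
    return 0;
}

/* Run one of the two checks on a context whose mask starts as `preset`.
 * Returns the check's result: 0 = ok, -1 = error (server would not start). */
int demo_run(demo_opt_t preset, int use_fixed_check)
{
    demo_ctx ctx = { preset };
    return use_fixed_check ? demo_disable_sslv2_new(&ctx)
                           : demo_disable_sslv2_old(&ctx);
}

/* Option mask left on the context after the check ran; shows that the
 * pre-existing bit is kept alongside the newly requested one. */
demo_opt_t demo_final_mask(demo_opt_t preset, int use_fixed_check)
{
    demo_ctx ctx = { preset };
    if (use_fixed_check) {
        demo_disable_sslv2_new(&ctx);
    } else {
        demo_disable_sslv2_old(&ctx);
    }
    return ctx.options;
}

int main(void)
{
    printf("fresh ctx,  old check: %d\n", demo_run(0, 0));
    printf("fresh ctx,  new check: %d\n", demo_run(0, 1));
    printf("preset ctx, old check: %d\n", demo_run(DEMO_OP_ALREADY_SET, 0));
    printf("preset ctx, new check: %d\n", demo_run(DEMO_OP_ALREADY_SET, 1));
    return 0;
}
```

Compile with `cc -Wall demo.c && ./a.out`. On a fresh context both checks pass, which is why the bug stayed hidden until the OpenSSL update; on a context that already has a bit set, the old check returns -1 while the patched check returns 0 and the context ends up with both bits set.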
diff -ruN lighttpd-1.4.19/debian/changelog lighttpd-1.4.19-patched/debian/changelog
--- lighttpd-1.4.19/debian/changelog 2011-01-07 18:32:18.000000000 +0100
+++ lighttpd-1.4.19-patched/debian/changelog 2011-01-07 18:28:02.000000000 +0100
@@ -1,3 +1,11 @@
+lighttpd (1.4.19-5+lenny2) stable; urgency=low
+
+ [ Arno Toell ]
+ * Fix bug: Recent openssl upgrade breaks lighttpd
+ (won't start) (Closes: #609124)
+
+ -- XXXXXX <XXXX@XXXX.YYY> Fri, 07 Jan 2011 17:57:59 +0100
+
lighttpd (1.4.19-5+lenny1) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
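Review bot: the maintainer line of the new changelog entry (`-- XXXXXX <XXXX@XXXX.YYY> Fri, 07 Jan 2011 17:57:59 +0100`) still carries a placeholder name and address; dpkg-parsechangelog will accept it, but whoever sponsors the upload has to replace it with their real name and e-mail before building. The distribution is `stable` while the preceding entry targets `stable-security`; if the security team takes this through a DSA the entry must say `stable-security`, otherwise it goes via the stable release team as a proposed update, so settle the target with whoever uploads. It would also help to record the cause in the entry, e.g. `* Fix SSL_CTX_set_options() return value check, broken by the OpenSSL update in DSA-2141 (Closes: #609124)`, so the changelog says why stable needed this.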
diff -ruN lighttpd-1.4.19/debian/patches/series lighttpd-1.4.19-patched/debian/patches/series
--- lighttpd-1.4.19/debian/patches/series 2011-01-07 18:32:18.000000000 +0100
+++ lighttpd-1.4.19-patched/debian/patches/series 2011-01-07 18:28:02.000000000 +0100
@@ -6,3 +6,4 @@
lighttpd-1.4.x_request_header_memleak.patch -p0
lighttpd-1.4.x_userdir_lowercase.patch -p0
lighttpd-1.4.x_rewrite_redirect_decode_url.patch -p0
+ssl-retval-fix.patch
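Review bot: `ssl-retval-fix.patch` is added without the `-p0` argument the neighbouring entries carry. That is correct, because the new patch uses `a/src/network.c` and `b/src/network.c` paths and so needs quilt's default `-p1`, but it is worth running `quilt push -a` on the unpacked source before upload: a silent strip-level mismatch here would leave the fix unapplied and the package just as broken as before.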
diff -ruN lighttpd-1.4.19/debian/patches/ssl-retval-fix.patch lighttpd-1.4.19-patched/debian/patches/ssl-retval-fix.patch
--- lighttpd-1.4.19/debian/patches/ssl-retval-fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ lighttpd-1.4.19-patched/debian/patches/ssl-retval-fix.patch 2011-01-07 18:28:02.000000000 +0100
@@ -0,0 +1,21 @@
+From: Arno Toell <debian@toell.net>
+Subject: Allow multiple bits in option mask
+
+* src/network.c Fix bits
+
+Origin: upstream, http://redmine.lighttpd.net/attachments/1095/08-ssl-retval-fix.patch
+Bug: http://redmine.lighttpd.net/issues/2157
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609124
+
+
+--- a/src/network.c
++++ b/src/network.c
+@@ -332,7 +332,7 @@
+
+ if (!s->ssl_use_sslv2) {
+ /* disable SSLv2 */
+- if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
++ if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+ ERR_error_string(ERR_get_error(), NULL));
+ return -1;
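Review bot: the bit test is the right fix, since SSL_CTX_set_options() ORs the new bits into the context and returns the whole resulting mask, so `SSL_OP_NO_SSLv2 != SSL_CTX_set_options(...)` fails as soon as any other option bit is present on the context, which is what happened after the OpenSSL update. Two follow-ups for the same hunk: first, SSL_CTX_set_options() cannot fail, so the remaining error branch with `ERR_error_string(ERR_get_error(), NULL)` is now effectively dead and would print an unrelated or empty error if it were ever reached; it could be dropped or reduced to a plain internal-error message. Second, grep network.c for any other `!= SSL_CTX_set_options(` comparison, since an option set through the same idiom breaks the same way and should be converted to a `&` test too. A DEP-3 nit: `Origin: upstream,` points at a Redmine attachment rather than an upstream commit; if the fix has been committed upstream, the revision would be the more durable reference.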
Attachment:
lighttpd-609124.patch.sig
Description: Binary data