Hi there,

the recent OpenSSL security update [1] broke Lighttpd due to a bug in Lighty's OpenSSL handling [2], which caused a regression in stable's package [3]. This bug is fixed upstream, as well as in testing/unstable, due to the more recent versions shipped there. The OpenSSL update has now introduced that problem (for reasons I don't know) into stable as well, which should be fixed there, as this (mostly) breaks SSL for Lighttpd.

While this is likely no security issue, I am writing to the security team as well, as you probably want to take care of it, because DSA-2141 caused that problem. The patch is rather simple and straightforward. Some more details are mentioned in the bug report.

Please note that I am the author of the patch that is also mentioned in the bug report; however, I am NOT the maintainer of lighttpd, neither sponsored nor full. However, I was instructed by Olaf to take care of that issue, although neither of us (I for sure, and I assume Olaf neither) has upload permissions to ANY Debian repository.
[1] DSA-2141-1, http://www.debian.org/security/2011/dsa-2141
[2] http://redmine.lighttpd.net/issues/2157
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609124

-- 
with kind regards,
Arno Töll
GnuPG Key-ID: 0x8408D4C4
diff -ruN lighttpd-1.4.19/debian/changelog lighttpd-1.4.19-patched/debian/changelog --- lighttpd-1.4.19/debian/changelog 2011-01-07 18:32:18.000000000 +0100 +++ lighttpd-1.4.19-patched/debian/changelog 2011-01-07 18:28:02.000000000 +0100 @@ -1,3 +1,11 @@ +lighttpd (1.4.19-5+lenny2) stable; urgency=low + + [ Arno Toell ] + * Fix bug: Recent openssl upgrade breaks lighttpd + (won't start) (Closes: #609124) + + -- XXXXXX <XXXX@XXXX.YYY> Fri, 07 Jan 2011 17:57:59 +0100 + lighttpd (1.4.19-5+lenny1) stable-security; urgency=high * Non-maintainer upload by the Security Team. diff -ruN lighttpd-1.4.19/debian/patches/series lighttpd-1.4.19-patched/debian/patches/series --- lighttpd-1.4.19/debian/patches/series 2011-01-07 18:32:18.000000000 +0100 +++ lighttpd-1.4.19-patched/debian/patches/series 2011-01-07 18:28:02.000000000 +0100 @@ -6,3 +6,4 @@ lighttpd-1.4.x_request_header_memleak.patch -p0 lighttpd-1.4.x_userdir_lowercase.patch -p0 lighttpd-1.4.x_rewrite_redirect_decode_url.patch -p0 +ssl-retval-fix.patch diff -ruN lighttpd-1.4.19/debian/patches/ssl-retval-fix.patch lighttpd-1.4.19-patched/debian/patches/ssl-retval-fix.patch --- lighttpd-1.4.19/debian/patches/ssl-retval-fix.patch 1970-01-01 01:00:00.000000000 +0100 +++ lighttpd-1.4.19-patched/debian/patches/ssl-retval-fix.patch 2011-01-07 18:28:02.000000000 +0100 
@@ -0,0 +1,21 @@ +From: Arno Toell <debian@toell.net> +Subject: Allow multiple bits in option mask + +* src/network.c Fix bits + +Origin: upstream, http://redmine.lighttpd.net/attachments/1095/08-ssl-retval-fix.patch +Bug: http://redmine.lighttpd.net/issues/2157 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609124 + + +--- a/src/network.c ++++ b/src/network.c +@@ -332,7 +332,7 @@ + + if (!s->ssl_use_sslv2) { + /* disable SSLv2 */ +- if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) { ++ if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) { + log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", + ERR_error_string(ERR_get_error(), NULL)); + return -1;
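Review bot: the trailer of the new `debian/changelog` entry still carries the placeholder `-- XXXXXX <XXXX@XXXX.YYY>`, and the entry targets `stable` while the previous entry for this package (`1.4.19-5+lenny1`) went to `stable-security`; whoever sponsors the upload has to replace the placeholder with their own name and address and set the distribution field to match the queue the package is actually uploaded through, since a changelog that names the wrong distribution describes a different upload than the one being made. The `[ Arno Toell ]` block correctly credits the non-maintainer author, and `(Closes: #609124)` matches the bug referenced in the mail.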
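Review bot: `+ssl-retval-fix.patch` is added to `debian/patches/series` without the `-p0` option that every other entry in the file carries. That is consistent with the new patch itself, whose `--- a/src/network.c` / `+++ b/src/network.c` paths need the default strip level of 1, but it deserves a short comment in the series file or in the patch's DEP-3 header so that the next person does not "fix" the inconsistency by appending `-p0`, which would stop quilt from applying it.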
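Review bot: the one-line change in `src/network.c` is the right fix for the visible comparison: `SSL_CTX_set_options()` returns the context's complete options bitmask after OR-ing in the requested bits, so `SSL_OP_NO_SSLv2 != SSL_CTX_set_options(...)` is only true while no other option bit is set and starts failing as soon as the library or earlier configuration has preset any other bit, which is exactly the "won't start" regression the mail attributes to the OpenSSL update; testing the bit with `&` is the correct check. Two follow-ups worth addressing in the same patch: the surviving `log_error_write(... ERR_error_string(ERR_get_error(), NULL))` branch reports a failed bit test, not an OpenSSL error, so `ERR_get_error()` will normally return 0 and the log line will carry the generic `error:00000000` string rather than anything useful, where a plain "failed to disable SSLv2" message would be clearer; and the patch header's "Fix bits" suggests this was the only site, so it would be good to confirm that no other `SSL_CTX_set_options()` call in `network.c` uses the same equality comparison before this is uploaded.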
Attachment:
lighttpd-609124.patch.sig
Description: Binary data
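The root cause behind the mail and the attached patch, shown as an added C model that is not lighttpd's or OpenSSL's own code: the `struct ctx`, `ctx_set_options()` and the `OPT_*` values are constructed stand-ins for the real `SSL_CTX`, `SSL_CTX_set_options()` and `SSL_OP_NO_SSLv2`, modelling only the documented behaviour that the call ORs the requested bits into the context and returns the resulting full mask. The two check functions reproduce the comparison before and after `ssl-retval-fix.patch`, and `OPT_OTHER_DEFAULT` is a hypothetical bit standing in for whatever the updated library presets.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed model of an OpenSSL-style option mask (not OpenSSL's values). */
typedef unsigned long opts_t;

#define OPT_NO_SSLV2      0x01000000UL  /* stand-in for SSL_OP_NO_SSLv2 */
#define OPT_OTHER_DEFAULT 0x00010000UL  /* hypothetical bit preset by the library */

struct ctx {
    opts_t options;
};

/* Models SSL_CTX_set_options(): OR the new bits in, return the whole mask. */
static opts_t ctx_set_options(struct ctx *c, opts_t bits)
{
    c->options |= bits;
    return c->options;
}

/* The check lighttpd 1.4.19 used before the patch: it only succeeds when the
 * returned mask is exactly the bit just requested, i.e. when nothing else was
 * set beforehand. Returns true when this check reports success. */
bool disable_sslv2_equality_check(opts_t preset)
{
    struct ctx c = { preset };
    return OPT_NO_SSLV2 == ctx_set_options(&c, OPT_NO_SSLV2);
}

/* The check after ssl-retval-fix.patch: test only the relevant bit, so other
 * bits already present in the mask no longer matter. */
bool disable_sslv2_bitmask_check(opts_t preset)
{
    struct ctx c = { preset };
    return (OPT_NO_SSLV2 & ctx_set_options(&c, OPT_NO_SSLV2)) != 0;
}

int main(void)
{
    /* Constructed scenarios: a context with no preset options (old OpenSSL
     * behaviour as lighttpd assumed it) and one where the library has already
     * set another bit (the situation after the update). */
    opts_t presets[] = { 0, OPT_OTHER_DEFAULT };

    for (size_t i = 0; i < sizeof presets / sizeof presets[0]; i++) {
        printf("preset=0x%08lx  equality check: %s  bitmask check: %s\n",
               presets[i],
               disable_sslv2_equality_check(presets[i]) ? "ok" : "FAIL (server refuses to start)",
               disable_sslv2_bitmask_check(presets[i])  ? "ok" : "FAIL");
    }
    return 0;
}
```

With an empty mask both checks pass; once any other bit is preset, the equality check reports a failure although SSLv2 was disabled successfully, which is the path that made lighttpd log an OpenSSL error and return -1 at startup, while the bitmask check keeps working.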