[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#693890: marked as done (unblock: lighttpd/1.4.31-3)

Your message dated Wed, 21 Nov 2012 20:46:13 +0100
with message-id <20121121194613.GL17465@radis.cristau.org>
and subject line Re: Bug#693890: unblock: lighttpd/1.4.31-3
has caused the Debian Bug report #693890,
regarding unblock: lighttpd/1.4.31-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
693890: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693890
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package lighttpd. The upload fixes a critical Denial of Service
attack against the lighttpd web server by sending malicious HTTP Connection
headers.

Note, the upload also includes pure cosmetic non-invasive fixes to conffiles. I
did only include because I commited this fix to the VCS a while ago and I didn't
want to revert that again. These changes should be in order with your freeze
exception policies and I asked informally whether they are okay already. They do
not change any functionality and fix a documentation bug only.

Given the nature of this upload I'd also appreciate if you could age the upload.

A fix follows below inline

diff -Nru lighttpd-1.4.31/debian/changelog lighttpd-1.4.31/debian/changelog
--- lighttpd-1.4.31/debian/changelog    2012-06-02 00:15:25.000000000 +0200
+++ lighttpd-1.4.31/debian/changelog    2012-11-21 14:53:48.000000000 +0100
@@ -1,3 +1,13 @@
+lighttpd (1.4.31-3) unstable; urgency=high
+
+  * Fix "configuration files refer to wrong path for documentation"
+    by merging a patch supplied by  Denis Laxalde <denis@laxalde.org>
+    (Closes: #676641)
+  * CVE-2012-5533: Fix Denial Of Service attacks against Lighttpd by sending
+    faulty Connection headers
+
+ -- Arno Töll <arno@debian.org>  Wed, 21 Nov 2012 14:42:32 +0100
+
 lighttpd (1.4.31-1) unstable; urgency=low
 
   * New upstream release
diff -Nru lighttpd-1.4.31/debian/conf-available/05-auth.conf lighttpd-1.4.31/debian/conf-available/05-auth.conf
--- lighttpd-1.4.31/debian/conf-available/05-auth.conf  2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/05-auth.conf  2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/authentication.txt.gz
+# /usr/share/doc/lighttpd/authentication.txt.gz
 
 server.modules                += ( "mod_auth" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/10-cgi.conf lighttpd-1.4.31/debian/conf-available/10-cgi.conf
--- lighttpd-1.4.31/debian/conf-available/10-cgi.conf   2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-cgi.conf   2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/cgi.txt
+# /usr/share/doc/lighttpd/cgi.txt
 
 server.modules += ( "mod_cgi" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf
--- lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf       2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf       2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/fastcgi.txt.gz
+# /usr/share/doc/lighttpd/fastcgi.txt.gz
 # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi
 
 server.modules += ( "mod_fastcgi" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-proxy.conf lighttpd-1.4.31/debian/conf-available/10-proxy.conf
--- lighttpd-1.4.31/debian/conf-available/10-proxy.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-proxy.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/proxy.txt
+# /usr/share/doc/lighttpd/proxy.txt
 
 server.modules   += ( "mod_proxy" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf
--- lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf       2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf       2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/rrdtool.txt
+# /usr/share/doc/lighttpd/rrdtool.txt
 
 server.modules += ( "mod_rrdtool" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf
--- lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf  2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf  2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/simple-vhost.txt
+# /usr/share/doc/lighttpd/simple-vhost.txt
 
 server.modules += ( "mod_simple_vhost" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/10-ssi.conf lighttpd-1.4.31/debian/conf-available/10-ssi.conf
--- lighttpd-1.4.31/debian/conf-available/10-ssi.conf   2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-ssi.conf   2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/ssi.txt
+# /usr/share/doc/lighttpd/ssi.txt
 
 server.modules += ( "mod_ssi" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/10-ssl.conf lighttpd-1.4.31/debian/conf-available/10-ssl.conf
--- lighttpd-1.4.31/debian/conf-available/10-ssl.conf   2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-ssl.conf   2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/ssl.txt
+# /usr/share/doc/lighttpd/ssl.txt
 
 $SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
diff -Nru lighttpd-1.4.31/debian/conf-available/10-status.conf lighttpd-1.4.31/debian/conf-available/10-status.conf
--- lighttpd-1.4.31/debian/conf-available/10-status.conf        2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-status.conf        2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/status.txt
+# /usr/share/doc/lighttpd/status.txt
 # http://trac.lighttpd.net/trac/wiki/Docs%3AModStatus
 
 server.modules += ( "mod_status" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-userdir.conf lighttpd-1.4.31/debian/conf-available/10-userdir.conf
--- lighttpd-1.4.31/debian/conf-available/10-userdir.conf       2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-userdir.conf       2012-11-21 02:12:50.000000000 +0100
@@ -1,7 +1,7 @@
 ## The userdir module provides a simple way to link user-based directories into
 ## the global namespace of the webserver.
 ##
-# /usr/share/doc/lighttpd-doc/userdir.txt
+# /usr/share/doc/lighttpd/userdir.txt
 
 server.modules      += ( "mod_userdir" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf
--- lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf   2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf   2012-11-21 02:12:50.000000000 +0100
@@ -1,5 +1,5 @@
 # -*- depends: fastcgi -*-
-# /usr/share/doc/lighttpd-doc/fastcgi.txt.gz
+# /usr/share/doc/lighttpd/fastcgi.txt.gz
 # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi
 
 ## Start an FastCGI server for php (needs the php5-cgi package)
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-cml.conf lighttpd-1.4.31/debian/conf-available2/10-cml.conf
--- lighttpd-1.4.31/debian/conf-available2/10-cml.conf  2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-cml.conf  2012-11-21 02:12:50.000000000 +0100
@@ -2,7 +2,7 @@
 ## at one side and building a page from its fragments on the 
 ## other side using LUA.
 ##
-## /usr/share/doc/lighttpd-doc/cml.txt
+## /usr/share/doc/lighttpd/cml.txt
 
 server.modules += ( "mod_cml" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-magnet.conf lighttpd-1.4.31/debian/conf-available2/10-magnet.conf
--- lighttpd-1.4.31/debian/conf-available2/10-magnet.conf       2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-magnet.conf       2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/magnet.txt.gz
+# /usr/share/doc/lighttpd/magnet.txt.gz
 # http://trac.lighttpd.net/trac/wiki/Docs%3AModMagnet
 
 server.modules += ( "mod_magnet" )
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf
--- lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf        2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf        2012-11-21 02:12:50.000000000 +0100
@@ -1,6 +1,6 @@
 ## A module to prevent deep-linking from other sites.
 ## 
-# /usr/share/doc/lighttpd-doc/trigger-b4-dl.html
+# /usr/share/doc/lighttpd/trigger-b4-dl.html
 
 server.modules += ( "mod_trigger_b4_dl" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-webdav.conf lighttpd-1.4.31/debian/conf-available2/10-webdav.conf
--- lighttpd-1.4.31/debian/conf-available2/10-webdav.conf       2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-webdav.conf       2012-11-21 02:12:50.000000000 +0100
@@ -3,7 +3,7 @@
 ## the group defined which allows users to collaboratively edit and manage
 ## files on remote web servers.
 ##
-# /usr/share/doc/lighttpd-doc/webdav.txt
+# /usr/share/doc/lighttpd/webdav.txt
 # http://trac.lighttpd.net/trac/wiki/Docs%3AModWebDAV
 
 server.modules += ( "mod_webdav" )
diff -Nru lighttpd-1.4.31/debian/patches/connection-dos.patch lighttpd-1.4.31/debian/patches/connection-dos.patch
--- lighttpd-1.4.31/debian/patches/connection-dos.patch 1970-01-01 01:00:00.000000000 +0100
+++ lighttpd-1.4.31/debian/patches/connection-dos.patch 2012-11-21 14:44:32.000000000 +0100
@@ -0,0 +1,112 @@
+From: Stefan Bühler <stbuehler@web.de>
+Subject: Fix DoS in header value split (CVE-2012-5533)
+
+Fix DoS in header value split (reported by Jesse Sipprell; CVE-2012-5533)
+
+Any client which is able to connect to lighttpd can cause a DoS by sending
+"strange" Connection headers, for example: "Connection: TE,,Keep-Alive". This
+patch fixes the issue.
+--- a/src/request.c
++++ b/src/request.c
+@@ -209,9 +209,11 @@
+ #endif
+ 
+ static int http_request_split_value(array *vals, buffer *b) {
+-      char *s;
+       size_t i;
+       int state = 0;
++
++      const char *current;
++      const char *token_start = NULL, *token_end = NULL;
+       /*
+        * parse
+        *
+@@ -222,53 +224,52 @@
+ 
+       if (b->used == 0) return 0;
+ 
+-      s = b->ptr;
+-
+-      for (i =0; i < b->used - 1; ) {
+-              char *start = NULL, *end = NULL;
++      current = b->ptr;
++      for (i =  0; i < b->used; ++i, ++current) {
+               data_string *ds;
+ 
+               switch (state) {
+-              case 0: /* ws */
+-
+-                      /* skip ws */
+-                      for (; (*s == ' ' || *s == '\t') && i < b->used - 1; i++, s++);
+-
+-
+-                      state = 1;
+-                      break;
+-              case 1: /* value */
+-                      start = s;
+-
+-                      for (; *s != ',' && i < b->used - 1; i++, s++);
+-                      if (start == s) break; /* empty fields are skipped */
+-                      end = s - 1;
+-
+-                      for (; end > start && (*end == ' ' || *end == '\t'); end--);
+-                      if (start == end) break; /* empty fields are skipped */
+-
+-                      if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
+-                              ds = data_string_init();
++              case 0: /* find start of a token */
++                      switch (*current) {
++                      case ' ':
++                      case '\t': /* skip white space */
++                      case ',': /* skip empty token */
++                              break;
++                      case '\0': /* end of string */
++                              return 0;
++                      default:
++                              /* found real data, switch to state 1 to find the end of the token */
++                              token_start = token_end = current;
++                              state = 1;
++                              break;
+                       }
++                      break;
++              case 1: /* find end of token and last non white space character */
++                      switch (*current) {
++                      case ' ':
++                      case '\t':
++                              /* space - don't update token_end */
++                              break;
++                      case ',':
++                      case '\0': /* end of string also marks the end of a token */
++                              if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
++                                      ds = data_string_init();
++                              }
+ 
+-                      buffer_copy_string_len(ds->value, start, end-start+1);
+-                      array_insert_unique(vals, (data_unset *)ds);
++                              buffer_copy_string_len(ds->value, token_start, token_end-token_start+1);
++                              array_insert_unique(vals, (data_unset *)ds);
+ 
+-                      if (*s == ',') {
+                               state = 0;
+-                              i++;
+-                              s++;
+-                      } else {
+-                              /* end of string */
+-
+-                              state = 2;
++                              break;
++                      default:
++                              /* no white space, update token_end to include current character */
++                              token_end = current;
++                              break;
+                       }
+                       break;
+-              default:
+-                      i++;
+-                      break;
+               }
+       }
++
+       return 0;
+ }
+ 
diff -Nru lighttpd-1.4.31/debian/patches/series lighttpd-1.4.31/debian/patches/series
--- lighttpd-1.4.31/debian/patches/series       1970-01-01 01:00:00.000000000 +0100
+++ lighttpd-1.4.31/debian/patches/series       2012-11-21 02:12:50.000000000 +0100
@@ -0,0 +1 @@
+connection-dos.patch


unblock lighttpd/1.4.31-3

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.5-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
--- Begin Message --- 
On Wed, Nov 21, 2012 at 15:06:20 +0100, Arno Töll wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package lighttpd. The upload fixes a critical Denial of Service
> attack against the lighttpd web server by sending malicious HTTP Connection
> headers.
> 
Unblocked.

Cheers,
Julien

Attachment: signature.asc
Description: Digital signature


--- End Message ---
Reply to: