Your message dated Wed, 21 Nov 2012 20:46:13 +0100 with message-id <20121121194613.GL17465@radis.cristau.org> and subject line Re: Bug#693890: unblock: lighttpd/1.4.31-3 has caused the Debian Bug report #693890, regarding unblock: lighttpd/1.4.31-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 693890: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693890 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: lighttpd/1.4.31-3
- From: Arno Töll <arno@debian.org>
- Date: Wed, 21 Nov 2012 15:06:20 +0100
- Message-id: <[🔎] 20121121140620.8287.17350.reportbug@localhost>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package lighttpd. The upload fixes a critical Denial of Service attack against the lighttpd web server by sending malicious HTTP Connection headers. Note, the upload also includes pure cosmetic non-invasive fixes to conffiles. I did only include because I commited this fix to the VCS a while ago and I didn't want to revert that again. These changes should be in order with your freeze exception policies and I asked informally whether they are okay already. They do not change any functionality and fix a documentation bug only. Given the nature of this upload I'd also appreciate if you could age the upload. A fix follows below inline diff -Nru lighttpd-1.4.31/debian/changelog lighttpd-1.4.31/debian/changelog --- lighttpd-1.4.31/debian/changelog 2012-06-02 00:15:25.000000000 +0200 +++ lighttpd-1.4.31/debian/changelog 2012-11-21 14:53:48.000000000 +0100 @@ -1,3 +1,13 @@ +lighttpd (1.4.31-3) unstable; urgency=high + + * Fix "configuration files refer to wrong path for documentation" + by merging a patch supplied by Denis Laxalde <denis@laxalde.org> + (Closes: #676641) + * CVE-2012-5533: Fix Denial Of Service attacks against Lighttpd by sending + faulty Connection headers + + -- Arno Töll <arno@debian.org> Wed, 21 Nov 2012 14:42:32 +0100 + lighttpd (1.4.31-1) unstable; urgency=low * New upstream release diff -Nru lighttpd-1.4.31/debian/conf-available/05-auth.conf lighttpd-1.4.31/debian/conf-available/05-auth.conf --- lighttpd-1.4.31/debian/conf-available/05-auth.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/05-auth.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/authentication.txt.gz +# /usr/share/doc/lighttpd/authentication.txt.gz server.modules += ( "mod_auth" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-cgi.conf lighttpd-1.4.31/debian/conf-available/10-cgi.conf --- lighttpd-1.4.31/debian/conf-available/10-cgi.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-cgi.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/cgi.txt +# /usr/share/doc/lighttpd/cgi.txt server.modules += ( "mod_cgi" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf --- lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/fastcgi.txt.gz +# /usr/share/doc/lighttpd/fastcgi.txt.gz # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi server.modules += ( "mod_fastcgi" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-proxy.conf lighttpd-1.4.31/debian/conf-available/10-proxy.conf --- lighttpd-1.4.31/debian/conf-available/10-proxy.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-proxy.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/proxy.txt +# /usr/share/doc/lighttpd/proxy.txt server.modules += ( "mod_proxy" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf --- lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/rrdtool.txt +# /usr/share/doc/lighttpd/rrdtool.txt server.modules += ( "mod_rrdtool" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf --- lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/simple-vhost.txt +# /usr/share/doc/lighttpd/simple-vhost.txt server.modules += ( "mod_simple_vhost" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-ssi.conf lighttpd-1.4.31/debian/conf-available/10-ssi.conf --- lighttpd-1.4.31/debian/conf-available/10-ssi.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-ssi.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/ssi.txt +# /usr/share/doc/lighttpd/ssi.txt server.modules += ( "mod_ssi" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-ssl.conf lighttpd-1.4.31/debian/conf-available/10-ssl.conf --- lighttpd-1.4.31/debian/conf-available/10-ssl.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-ssl.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/ssl.txt +# /usr/share/doc/lighttpd/ssl.txt $SERVER["socket"] == "0.0.0.0:443" { ssl.engine = "enable" diff -Nru lighttpd-1.4.31/debian/conf-available/10-status.conf lighttpd-1.4.31/debian/conf-available/10-status.conf --- lighttpd-1.4.31/debian/conf-available/10-status.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-status.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/status.txt +# /usr/share/doc/lighttpd/status.txt # http://trac.lighttpd.net/trac/wiki/Docs%3AModStatus server.modules += ( "mod_status" ) diff -Nru lighttpd-1.4.31/debian/conf-available/10-userdir.conf lighttpd-1.4.31/debian/conf-available/10-userdir.conf --- lighttpd-1.4.31/debian/conf-available/10-userdir.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/10-userdir.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,7 +1,7 @@ ## The userdir module provides a simple way to link user-based directories into ## the global namespace of the webserver. ## -# /usr/share/doc/lighttpd-doc/userdir.txt +# /usr/share/doc/lighttpd/userdir.txt server.modules += ( "mod_userdir" ) diff -Nru lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf --- lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,5 +1,5 @@ # -*- depends: fastcgi -*- -# /usr/share/doc/lighttpd-doc/fastcgi.txt.gz +# /usr/share/doc/lighttpd/fastcgi.txt.gz # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi ## Start an FastCGI server for php (needs the php5-cgi package) diff -Nru lighttpd-1.4.31/debian/conf-available2/10-cml.conf lighttpd-1.4.31/debian/conf-available2/10-cml.conf --- lighttpd-1.4.31/debian/conf-available2/10-cml.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available2/10-cml.conf 2012-11-21 02:12:50.000000000 +0100 @@ -2,7 +2,7 @@ ## at one side and building a page from its fragments on the ## other side using LUA. ## -## /usr/share/doc/lighttpd-doc/cml.txt +## /usr/share/doc/lighttpd/cml.txt server.modules += ( "mod_cml" ) diff -Nru lighttpd-1.4.31/debian/conf-available2/10-magnet.conf lighttpd-1.4.31/debian/conf-available2/10-magnet.conf --- lighttpd-1.4.31/debian/conf-available2/10-magnet.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available2/10-magnet.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,4 +1,4 @@ -# /usr/share/doc/lighttpd-doc/magnet.txt.gz +# /usr/share/doc/lighttpd/magnet.txt.gz # http://trac.lighttpd.net/trac/wiki/Docs%3AModMagnet server.modules += ( "mod_magnet" ) diff -Nru lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf --- lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf 2012-11-21 02:12:50.000000000 +0100 @@ -1,6 +1,6 @@ ## A module to prevent deep-linking from other sites. ## -# /usr/share/doc/lighttpd-doc/trigger-b4-dl.html +# /usr/share/doc/lighttpd/trigger-b4-dl.html server.modules += ( "mod_trigger_b4_dl" ) diff -Nru lighttpd-1.4.31/debian/conf-available2/10-webdav.conf lighttpd-1.4.31/debian/conf-available2/10-webdav.conf --- lighttpd-1.4.31/debian/conf-available2/10-webdav.conf 2012-02-27 19:53:39.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available2/10-webdav.conf 2012-11-21 02:12:50.000000000 +0100 @@ -3,7 +3,7 @@ ## the group defined which allows users to collaboratively edit and manage ## files on remote web servers. ## -# /usr/share/doc/lighttpd-doc/webdav.txt +# /usr/share/doc/lighttpd/webdav.txt # http://trac.lighttpd.net/trac/wiki/Docs%3AModWebDAV server.modules += ( "mod_webdav" ) diff -Nru lighttpd-1.4.31/debian/patches/connection-dos.patch lighttpd-1.4.31/debian/patches/connection-dos.patch --- lighttpd-1.4.31/debian/patches/connection-dos.patch 1970-01-01 01:00:00.000000000 +0100 +++ lighttpd-1.4.31/debian/patches/connection-dos.patch 2012-11-21 14:44:32.000000000 +0100 @@ -0,0 +1,112 @@ +From: Stefan Bühler <stbuehler@web.de> +Subject: Fix DoS in header value split (CVE-2012-5533) + +Fix DoS in header value split (reported by Jesse Sipprell; CVE-2012-5533) + +Any client which is able to connect to lighttpd can cause a DoS by sending +"strange" Connection headers, for example: "Connection: TE,,Keep-Alive". This +patch fixes the issue. +--- a/src/request.c ++++ b/src/request.c +@@ -209,9 +209,11 @@ + #endif + + static int http_request_split_value(array *vals, buffer *b) { +- char *s; + size_t i; + int state = 0; ++ ++ const char *current; ++ const char *token_start = NULL, *token_end = NULL; + /* + * parse + * +@@ -222,53 +224,52 @@ + + if (b->used == 0) return 0; + +- s = b->ptr; +- +- for (i =0; i < b->used - 1; ) { +- char *start = NULL, *end = NULL; ++ current = b->ptr; ++ for (i = 0; i < b->used; ++i, ++current) { + data_string *ds; + + switch (state) { +- case 0: /* ws */ +- +- /* skip ws */ +- for (; (*s == ' ' || *s == '\t') && i < b->used - 1; i++, s++); +- +- +- state = 1; +- break; +- case 1: /* value */ +- start = s; +- +- for (; *s != ',' && i < b->used - 1; i++, s++); +- if (start == s) break; /* empty fields are skipped */ +- end = s - 1; +- +- for (; end > start && (*end == ' ' || *end == '\t'); end--); +- if (start == end) break; /* empty fields are skipped */ +- +- if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) { +- ds = data_string_init(); ++ case 0: /* find start of a token */ ++ switch (*current) { ++ case ' ': ++ case '\t': /* skip white space */ ++ case ',': /* skip empty token */ ++ break; ++ case '\0': /* end of string */ ++ return 0; ++ default: ++ /* found real data, switch to state 1 to find the end of the token */ ++ token_start = token_end = current; ++ state = 1; ++ break; + } ++ break; ++ case 1: /* find end of token and last non white space character */ ++ switch (*current) { ++ case ' ': ++ case '\t': ++ /* space - don't update token_end */ ++ break; ++ case ',': ++ case '\0': /* end of string also marks the end of a token */ ++ if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) { ++ ds = data_string_init(); ++ } + +- buffer_copy_string_len(ds->value, start, end-start+1); +- array_insert_unique(vals, (data_unset *)ds); ++ buffer_copy_string_len(ds->value, token_start, token_end-token_start+1); ++ array_insert_unique(vals, (data_unset *)ds); + +- if (*s == ',') { + state = 0; +- i++; +- s++; +- } else { +- /* end of string */ +- +- state = 2; ++ break; ++ default: ++ /* no white space, update token_end to include current character */ ++ token_end = current; ++ break; + } + break; +- default: +- i++; +- break; + } + } ++ + return 0; + } + diff -Nru lighttpd-1.4.31/debian/patches/series lighttpd-1.4.31/debian/patches/series --- lighttpd-1.4.31/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ lighttpd-1.4.31/debian/patches/series 2012-11-21 02:12:50.000000000 +0100 @@ -0,0 +1 @@ +connection-dos.patch unblock lighttpd/1.4.31-3 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.5-trunk-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
- To: Arno Töll <arno@debian.org>, 693890-done@bugs.debian.org
- Subject: Re: Bug#693890: unblock: lighttpd/1.4.31-3
- From: Julien Cristau <jcristau@debian.org>
- Date: Wed, 21 Nov 2012 20:46:13 +0100
- Message-id: <20121121194613.GL17465@radis.cristau.org>
- In-reply-to: <[🔎] 20121121140620.8287.17350.reportbug@localhost>
- References: <[🔎] 20121121140620.8287.17350.reportbug@localhost>
On Wed, Nov 21, 2012 at 15:06:20 +0100, Arno Töll wrote: > Package: release.debian.org > Severity: normal > User: release.debian.org@packages.debian.org > Usertags: unblock > > Please unblock package lighttpd. The upload fixes a critical Denial of Service > attack against the lighttpd web server by sending malicious HTTP Connection > headers. > Unblocked. Cheers, JulienAttachment: signature.asc
Description: Digital signature
--- End Message ---