Bug#703129: unblock: lighttpd/1.4.31-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock the lighttpd package. I uploaded it as discussed previously, find a
debdiff below.
unblock lighttpd/1.4.31-4
diff -Nru lighttpd-1.4.31/debian/changelog lighttpd-1.4.31/debian/changelog
--- lighttpd-1.4.31/debian/changelog 2012-11-21 14:53:48.000000000 +0100
+++ lighttpd-1.4.31/debian/changelog 2013-03-15 20:28:44.000000000 +0100
@@ -1,3 +1,13 @@
+lighttpd (1.4.31-4) unstable; urgency=high
+
+ * CVE-2013-1427: Switch the socket path for PHP when using FastCGI. /tmp is
+ world-writable which may cause security implications if an attacker
+ manages to control /tmp/php.socket before the web server (re-)starts.
+ * Switch VCS to git
+ * Push standards version (no changes)
+
+ -- Arno Töll <arno@debian.org> Thu, 14 Mar 2013 02:20:07 +0100
+
lighttpd (1.4.31-3) unstable; urgency=high
* Fix "configuration files refer to wrong path for documentation"
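Review bot: The changelog entry names the problem (CVE-2013-1427, world-writable /tmp) but never states the new socket location, so a reader of the changelog alone cannot tell what the fix is or what an edited local config has to be changed to. Suggest stating the new path explicitly, e.g. "Move the PHP FastCGI socket from /tmp/php.socket to /var/run/lighttpd/php.socket", matching what the NEWS entry in this same upload already says.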
diff -Nru lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf
--- lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2012-11-21 02:12:50.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2013-03-15 20:28:14.000000000 +0100
@@ -6,7 +6,7 @@
fastcgi.server += ( ".php" =>
((
"bin-path" => "/usr/bin/php-cgi",
- "socket" => "/tmp/php.socket",
+ "socket" => "/var/run/lighttpd/php.socket",
"max-procs" => 1,
"bin-environment" => (
"PHP_FCGI_CHILDREN" => "4",
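Review bot: The new path /var/run/lighttpd/php.socket only removes the pre-creation race if /var/run/lighttpd exists before the FastCGI spawner runs and is owned by the lighttpd user with a mode that stops other local users from creating files in it; /var/run is normally tmpfs and emptied at boot, and nothing in this debdiff (no init script or postinst change) shows that directory being created. Worth confirming in the unblock request that the existing init script already creates it with those permissions, otherwise the spawner will fail at boot or the directory will be created by whatever runs first.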
diff -Nru lighttpd-1.4.31/debian/control lighttpd-1.4.31/debian/control
--- lighttpd-1.4.31/debian/control 2012-11-21 14:53:19.000000000 +0100
+++ lighttpd-1.4.31/debian/control 2013-03-15 20:28:14.000000000 +0100
@@ -11,9 +11,9 @@
libfam-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev,
liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev,
libxml2-dev, libkrb5-dev, perl, dpkg-dev (>= 1.16.1~)
-Vcs-Svn: svn://svn.debian.org/pkg-lighttpd/lighttpd/trunk
-Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-lighttpd/lighttpd/trunk/
-Standards-Version: 3.9.3.1
+Vcs-Git: git://git.debian.org/git/pkg-lighttpd/lighttpd.git
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-lighttpd/lighttpd.git
+Standards-Version: 3.9.4
Package: lighttpd
Architecture: any
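Review bot: Minor: the new Vcs-Git line uses the unauthenticated git:// transport; the Vcs-Browser line already points at anonscm.debian.org over http, so an http(s) clone URL for Vcs-Git would let tools that follow this field fetch over a transport that is at least as protected as the browser link. The Standards-Version bump to 3.9.4 is declared as "no changes" in the changelog, which is consistent with no other packaging changes appearing in this diff.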
diff -Nru lighttpd-1.4.31/debian/gbp.conf lighttpd-1.4.31/debian/gbp.conf
--- lighttpd-1.4.31/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ lighttpd-1.4.31/debian/gbp.conf 2013-03-15 20:28:14.000000000 +0100
@@ -0,0 +1,2 @@
+[DEFAULT]
+pristine-tar = True
diff -Nru lighttpd-1.4.31/debian/NEWS lighttpd-1.4.31/debian/NEWS
--- lighttpd-1.4.31/debian/NEWS 2012-11-21 02:12:50.000000000 +0100
+++ lighttpd-1.4.31/debian/NEWS 2013-03-15 20:28:14.000000000 +0100
@@ -1,3 +1,21 @@
+lighttpd (1.4.31-4) unstable; urgency=high
+
+ The default Debian configuration file for PHP invoked from FastCGI was
+ vulnerable to local symlink attacks and race conditions when an attacker
+ manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3)
+ before the web server started. Possibly the web server could have been
+ tricked to use a forged PHP.
+
+ The problem lies in the configuration, thus this update will fix the problem
+ only if you did not modify the file /etc/lighttpd/conf-available/15-fastcgi-php.conf
+ If you did, dpkg will not overwrite your changes. Please make sure to set
+
+ "socket" => "/var/run/lighttpd/php.socket"
+
+ yourself in that case.
+
+ -- Arno Töll <arno@debian.org> Thu, 14 Mar 2013 01:57:42 +0100
+
lighttpd (1.4.30-1) unstable; urgency=medium
This releases includes an option to force Lighttpd to honor the cipher order
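Review bot: Two things in the NEWS text: the sentence at "15-fastcgi-php.conf" is missing its full stop before "If you did", and the advice is incomplete for admins who did modify the file, since it only tells them to set the new "socket" value. Suggest also telling them to check that /var/run/lighttpd exists and is writable by the lighttpd user, and to remove any leftover /tmp/php.socket after restarting, so that a stale or attacker-created file there is not left behind. "Possibly the web server could have been tricked to use a forged PHP" could be phrased more precisely as the concrete consequence: a local user who created the socket first would receive the PHP requests meant for php-cgi.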
-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.6-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash