Your message dated Sat, 16 Mar 2013 11:37:38 +0100
with message-id <20130316103737.GL5840@radis.cristau.org>
and subject line Re: Bug#703129: unblock: lighttpd/1.4.31-4
has caused the Debian Bug report #703129,
regarding unblock: lighttpd/1.4.31-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
703129: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703129
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: lighttpd/1.4.31-4
- From: Arno Töll <arno@debian.org>
- Date: Sat, 16 Mar 2013 00:48:34 +0100
- Message-id: <[🔎] 20130315234834.22319.47707.reportbug@snowball>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock the lighttpd package. I uploaded it as discussed previously, find a debdiff below. unblock lighttpd/1.4.31-4 diff -Nru lighttpd-1.4.31/debian/changelog lighttpd-1.4.31/debian/changelog --- lighttpd-1.4.31/debian/changelog 2012-11-21 14:53:48.000000000 +0100 +++ lighttpd-1.4.31/debian/changelog 2013-03-15 20:28:44.000000000 +0100 @@ -1,3 +1,13 @@ +lighttpd (1.4.31-4) unstable; urgency=high + + * CVE-2013-1427: Switch the socket path for PHP when using FastCGI. /tmp is + world-writable which may cause security implications if an attacker + manages to control /tmp/php.socket before the web server (re-)starts. + * Switch VCS to git + * Push standards version (no changes) + + -- Arno Töll <arno@debian.org> Thu, 14 Mar 2013 02:20:07 +0100 + lighttpd (1.4.31-3) unstable; urgency=high * Fix "configuration files refer to wrong path for documentation" diff -Nru lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf --- lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2012-11-21 02:12:50.000000000 +0100 +++ lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2013-03-15 20:28:14.000000000 +0100 @@ -6,7 +6,7 @@ fastcgi.server += ( ".php" => (( "bin-path" => "/usr/bin/php-cgi", - "socket" => "/tmp/php.socket", + "socket" => "/var/run/lighttpd/php.socket", "max-procs" => 1, "bin-environment" => ( "PHP_FCGI_CHILDREN" => "4", diff -Nru lighttpd-1.4.31/debian/control lighttpd-1.4.31/debian/control --- lighttpd-1.4.31/debian/control 2012-11-21 14:53:19.000000000 +0100 +++ lighttpd-1.4.31/debian/control 2013-03-15 20:28:14.000000000 +0100 
@@ -11,9 +11,9 @@ libfam-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev, liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev, libxml2-dev, libkrb5-dev, perl, dpkg-dev (>= 1.16.1~) -Vcs-Svn: svn://svn.debian.org/pkg-lighttpd/lighttpd/trunk -Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-lighttpd/lighttpd/trunk/ -Standards-Version: 3.9.3.1 +Vcs-Git: git://git.debian.org/git/pkg-lighttpd/lighttpd.git +Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-lighttpd/lighttpd.git +Standards-Version: 3.9.4 Package: lighttpd Architecture: any diff -Nru lighttpd-1.4.31/debian/gbp.conf lighttpd-1.4.31/debian/gbp.conf --- lighttpd-1.4.31/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 +++ lighttpd-1.4.31/debian/gbp.conf 2013-03-15 20:28:14.000000000 +0100 @@ -0,0 +1,2 @@ +[DEFAULT] +pristine-tar = True diff -Nru lighttpd-1.4.31/debian/NEWS lighttpd-1.4.31/debian/NEWS --- lighttpd-1.4.31/debian/NEWS 2012-11-21 02:12:50.000000000 +0100 +++ lighttpd-1.4.31/debian/NEWS 2013-03-15 20:28:14.000000000 +0100 
@@ -1,3 +1,21 @@ +lighttpd (1.4.31-4) unstable; urgency=high + + The default Debian configuration file for PHP invoked from FastCGI was + vulnerable to local symlink attacks and race conditions when an attacker + manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3) + before the web server started. Possibly the web server could have been + tricked to use a forged PHP. + + The problem lies in the configuration, thus this update will fix the problem + only if you did not modify the file /etc/lighttpd/conf-available/15-fastcgi-php.conf + If you did, dpkg will not overwrite your changes. Please make sure to set + + "socket" => "/var/run/lighttpd/php.socket" + + yourself in that case. + + -- Arno Töll <arno@debian.org> Thu, 14 Mar 2013 01:57:42 +0100 + lighttpd (1.4.30-1) unstable; urgency=medium This releases includes an option to force Lighttpd to honor the cipher order -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.6-trunk-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
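Review bot: the new value in the 15-fastcgi-php.conf hunk, `"socket" => "/var/run/lighttpd/php.socket"`, requires that /var/run/lighttpd exists and is writable by the user lighttpd spawns php-cgi as, and nothing in this debdiff creates it (there is no init script, postinst or tmpfiles change). Since /var/run is normally cleared at boot, please confirm that the packaged init script already creates the directory owned by the lighttpd user with a non-world-writable mode; otherwise the FastCGI backend fails to bind at startup, or, if the directory ends up world-writable, the pre-creation problem the changelog describes simply reappears under the new path. A short comment in the conf file saying the directory must exist would also help users who carry a locally modified copy.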
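Review bot: the Vcs-Svn to Vcs-Git switch and the Standards-Version bump from 3.9.3.1 to 3.9.4 in the debian/control hunk are unrelated to CVE-2013-1427 and touch only source-package metadata; for a freeze unblock it helps to say explicitly in the request that these lines change no built binary, so the release team can pass them together with the security fix. The changelog entry's "(no changes)" for the standards bump already covers part of this.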
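Review bot: the debian/NEWS hunk is missing a sentence break after `/etc/lighttpd/conf-available/15-fastcgi-php.conf` ("15-fastcgi-php.conf If you did, dpkg will not overwrite your changes"); add the period, and "tricked to use a forged PHP" reads better as "tricked into using a forged PHP". Since the entry tells users with a modified file to set the new "socket" value themselves, it should also tell them that /var/run/lighttpd must exist and be writable by the lighttpd user, otherwise following the instruction trades the old /tmp path for a FastCGI backend that cannot start.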
--- End Message ---
--- Begin Message ---
- To: Arno Töll <arno@debian.org>, 703129-done@bugs.debian.org
- Subject: Re: Bug#703129: unblock: lighttpd/1.4.31-4
- From: Julien Cristau <jcristau@debian.org>
- Date: Sat, 16 Mar 2013 11:37:38 +0100
- Message-id: <20130316103737.GL5840@radis.cristau.org>
- In-reply-to: <[🔎] 20130315234834.22319.47707.reportbug@snowball>
- References: <[🔎] 20130315234834.22319.47707.reportbug@snowball>
On Sat, Mar 16, 2013 at 00:48:34 +0100, Arno Töll wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please unblock the lighttpd package. I uploaded it as discussed previously, find a
> debdiff below.
>
Already unblocked by Adam last night.

Cheers,
Julien
--- End Message ---