Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Maintainer,
Greetings! I am an upstream maintainer of lighttpd.
Please accept this backport of important patches from
lighttpd 1.4.54 (released 2019.05.27)
lighttpd 1.4.55 (released 2020.01.31)
The patches to backport have been hand-selected from the release
available in buster-backports lighttpd 1.4.55-1~bpo10+1 since 2020.03.06
These patches fix important bugs from the upstream lighttpd issue tracker
https://redmine.lighttpd.net/issues (direct links below)
including a couple in the Debian Bug Tracker
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954759
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929203
From the debian/changelog:
* backport security, bug, portability fixes from lighttpd 1.4.54, 1.4.55
+ mod_evhost, mod_flv_streaming:
[regression] %0 pattern does not match hostnames without the domain part
https://redmine.lighttpd.net/issues/2932
+ mod_magnet: Lighttpd crashes on wrong return type in lua script
https://redmine.lighttpd.net/issues/2938
+ failed assertion on incoming bad request with server.error-handler
https://redmine.lighttpd.net/issues/2941
+ mod_wstunnel: fix wstunnel.ping-interval for big-endian architectures
https://redmine.lighttpd.net/issues/2944
+ fix abort in server.http-parseopts with url-path-2f-decode enabled
https://redmine.lighttpd.net/issues/2945
+ remove repeated slashes in server.http-parseopts with url-path-dotseg-remove, including leading "//"
+ [regression][Bisected] lighttpd uses way more memory with POST since 1.4.52
https://redmine.lighttpd.net/issues/2948 (closes: #954759)
+ OPTIONS should return 2xx status for non-existent resources if Allow is set
https://redmine.lighttpd.net/issues/2939
+ use high precision stat timestamp (on systems where available) in etag
+ mod_authn_ldap/mod_cgi race condition, "Can't contact LDAP server"
https://redmine.lighttpd.net/issues/2940
+ SUN_LEN in sock_addr.c (1.4.53, 1.4.54)
https://redmine.lighttpd.net/issues/2962
+ Embedded vim command line in conf file with no comment (#) hangs server
https://redmine.lighttpd.net/issues/2980
+ mod_authn_gssapi: 500 if fail to delegate creds
https://redmine.lighttpd.net/issues/2967
+ mod_authn_gssapi: option to store delegated creds
https://redmine.lighttpd.net/issues/2967
+ mod_auth: require digest uri= match original URI
HTTP digest authentication not compatible with some clients
https://redmine.lighttpd.net/issues/2974
+ mod_auth: send Authentication-Info nextnonce when nonce is approaching expiration
+ mod_auth: http_auth_const_time_memeq improvement
+ mod_auth: http_auth_const_time_memeq_pad()
+ mod_auth: use constant time comparison when comparing digests
+ stricter request header parsing: reject WS following header field-name
https://redmine.lighttpd.net/issues/2985
+ stricter request header parsing: reject Transfer-Encoding + Content-Length
https://redmine.lighttpd.net/issues/2985
+ mod_openssl: reject invalid ALPN
+ mod_accesslog: parse multiple cookies
https://redmine.lighttpd.net/issues/2986
+ preserve %2b and %2B in query string
https://redmine.lighttpd.net/issues/2999
+ mod_auth: close connection after bad password
mitigation slows down brute force password attacks
https://redmine.lighttpd.net/boards/3/topics/8885
+ do not accept() > server.max-connections
+ update /var/run -> /run for systemd (closes: #929203)
debdiff attached. I think it may be easier to review the contents of
the files in debian/patches to see that the patches are generally small.
Please advise how best to proceed.
Thank you! Glenn
-- System Information:
Debian Release: 10.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Attachment:
lighttpd-1.4.53-4+deb10u1.diff.xz
Description: application/xz