
Bug#961843: buster-pu: package lighttpd/1.4.53-4



Hi SRMs and Glenn,

On Sat, May 30, 2020 at 04:44:34AM -0400, Glenn Strauss wrote:
> Greetings!  I am an upstream maintainer of lighttpd.
> 
> Please accept this backport of important patches from
>   lighttpd 1.4.54 (released 2019.05.27)
>   lighttpd 1.4.55 (released 2020.01.31)
> 
> The patches to backport have been hand-selected from the release
> available in buster-backports lighttpd 1.4.55-1~bpo10+1 since 2020.03.06
> 
> These patches fix important bugs from upstream lighttpd issue tracker
>   https://redmine.lighttpd.net/issues  (direct links below)
> including a couple in the Debian Bug Tracker
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954759
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929203

I'm an uploader of the lighttpd Debian package and I second Glenn's
request. I intend to perform this upload once there is an SRM ack.

> From the debian/changelog:
>   * backport security, bug, portability fixes from lighttpd 1.4.54, 1.4.55
>     + mod_evhost, mod_flv_streaming:
>       [regression] %0 pattern does not match hostnames without the domain part
>       https://redmine.lighttpd.net/issues/2932
>     + mod_magnet: Lighttpd crashes on wrong return type in lua script
>       https://redmine.lighttpd.net/issues/2938
>     + failed assertion on incoming bad request with server.error-handler
>       https://redmine.lighttpd.net/issues/2941
>     + mod_wstunnel: fix wstunnel.ping-interval for big-endian architectures
>       https://redmine.lighttpd.net/issues/2944
>     + fix abort in server.http-parseopts with url-path-2f-decode enabled
>       https://redmine.lighttpd.net/issues/2945
>     + remove repeated slashes in server.http-parseopts with url-path-dotseg-remove, including leading "//"
>     + [regression][Bisected] lighttpd uses way more memory with POST since 1.4.52
>       https://redmine.lighttpd.net/issues/2948 (closes: #954759)
>     + OPTIONS should return 2xx status for non-existent resources if Allow is set
>       https://redmine.lighttpd.net/issues/2939
>     + use high precision stat timestamp (on systems where available) in etag
>     + mod_authn_ldap/mod_cgi race condition, "Can't contact LDAP server"
>       https://redmine.lighttpd.net/issues/2940
>     + SUN_LEN in sock_addr.c (1.4.53, 1.4.54)
>       https://redmine.lighttpd.net/issues/2962
>     + Embedded vim command line in conf file with no comment (#) hangs server
>       https://redmine.lighttpd.net/issues/2980
>     + mod_authn_gssapi: 500 if fail to delegate creds
>       https://redmine.lighttpd.net/issues/2967
>     + mod_authn_gssapi: option to store delegated creds
>       https://redmine.lighttpd.net/issues/2967
>     + mod_auth: require digest uri= match original URI
>       HTTP digest authentication not compatible with some clients
>       https://redmine.lighttpd.net/issues/2974
>     + mod_auth: send Authentication-Info nextnonce when nonce is approaching expiration
>     + mod_auth: http_auth_const_time_memeq improvement
>     + mod_auth: http_auth_const_time_memeq_pad()
>     + mod_auth: use constant time comparison when comparing digests
>     + stricter request header parsing: reject WS following header field-name
>       https://redmine.lighttpd.net/issues/2985
>     + stricter request header parsing: reject Transfer-Encoding + Content-Length
>       https://redmine.lighttpd.net/issues/2985
>     + mod_openssl: reject invalid ALPN
>     + mod_accesslog: parse multiple cookies
>       https://redmine.lighttpd.net/issues/2986
>     + preserve %2b and %2B in query string
>       https://redmine.lighttpd.net/issues/2999
>     + mod_auth: close connection after bad password
>       mitigation slows down brute force password attacks
>       https://redmine.lighttpd.net/boards/3/topics/8885
>     + do not accept() > server.max-connections
>     + update /var/run -> /run for systemd (closes: #929203)

Contrary to the expected process, we do not fix a Debian bug of severity
important or higher here, because we believe that replicating the
relevant upstream issues in the Debian BTS is not useful. This is
already established practice for larger components such as chromium,
firefox, mariadb or postgresql as far as I can see. In any case, all of
the changes performed here have been part of bullseye for at least two
months. Let us know whether this works for you.

> debdiff attached.  I think it may be easier to review the contents of
> the files in debian/patches to see that the patches are generally small.

Glenn, this is not a debdiff. What you attached is the diff containing the
debian directory. What was asked for is the output of the debdiff
command for two source packages:

debdiff lighttpd_1.4.53-4.dsc lighttpd_1.4.53-4+deb10u1.dsc > lighttpd_1.4.53-4+deb10u1.debdiff

This is very briefly mentioned in the developers reference section
5.5.1. If you think that the text is ambiguous there, I suggest opening
a bug against developers-reference to improve the wording there. A
possible course could be including wording such as "from the devscripts
package".

I'm attaching the correct debdiff now.

Helmut
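The two "stricter request header parsing" entries in the quoted changelog (reject whitespace between a header field-name and the colon; reject a request that carries both Transfer-Encoding and Content-Length) are the request-smuggling hardening from RFC 7230 sections 3.2.4 and 3.3.3. As an added illustration, written for this page and not taken from lighttpd or from the attached patches, here is a small C check that applies both rules to a constructed header block. The function name `check_request_headers`, the result enum and the sample header blocks are all assumptions made for the example.

```c
#include <assert.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Result of checking a request header block (hypothetical names for this example). */
enum hdr_result {
    HDR_OK = 0,
    HDR_BAD_FIELD_NAME,   /* whitespace (or other non-token byte) between field-name and ':' */
    HDR_TE_AND_CL,        /* Transfer-Encoding and Content-Length both present */
    HDR_MALFORMED         /* line without ':' or without CRLF, or empty field-name */
};

/* RFC 7230 "tchar": the only bytes allowed in a header field-name. */
static bool is_tchar(unsigned char c)
{
    if (c == 0) return false;
    if (isalnum(c)) return true;
    return strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/*
 * hdrs: the header block that follows the request line, each line CRLF
 * terminated, optionally ending with the empty line that closes the block.
 * Returns HDR_OK only if every field-name is a token immediately followed
 * by ':' and the block does not combine Transfer-Encoding with Content-Length.
 * Field-name matching is case-insensitive, as HTTP requires.
 */
enum hdr_result check_request_headers(const char *hdrs)
{
    bool seen_te = false, seen_cl = false;
    const char *p = hdrs;

    while (*p != '\0') {
        const char *eol = strstr(p, "\r\n");
        if (eol == NULL) return HDR_MALFORMED;   /* lines must be CRLF terminated */
        if (eol == p) break;                     /* empty line: end of header block */

        const char *colon = memchr(p, ':', (size_t)(eol - p));
        if (colon == NULL || colon == p) return HDR_MALFORMED;

        /* Reject "Host : x" and friends: nothing but tchar may precede the colon. */
        for (const char *q = p; q < colon; q++) {
            if (!is_tchar((unsigned char)*q))
                return (*q == ' ' || *q == '\t') ? HDR_BAD_FIELD_NAME : HDR_MALFORMED;
        }

        size_t nlen = (size_t)(colon - p);
        if (nlen == 17 && strncasecmp(p, "Transfer-Encoding", 17) == 0) seen_te = true;
        else if (nlen == 14 && strncasecmp(p, "Content-Length", 14) == 0) seen_cl = true;

        p = eol + 2;
    }

    /* Two competing body-length signals: refuse rather than pick one. */
    if (seen_te && seen_cl) return HDR_TE_AND_CL;
    return HDR_OK;
}

int main(void)
{
    /* Constructed sample header blocks, not captured traffic. */
    const char *good   = "Host: example.com\r\nContent-Length: 3\r\n\r\n";
    const char *ws     = "Host : example.com\r\n\r\n";
    const char *smuggl = "Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n";

    printf("good   -> %d\n", check_request_headers(good));    /* 0 */
    printf("ws     -> %d\n", check_request_headers(ws));      /* 1 */
    printf("smuggl -> %d\n", check_request_headers(smuggl));  /* 2 */
    return 0;
}
```

Refusing a request that carries both Transfer-Encoding and Content-Length, instead of preferring one of them, is what removes the disagreement a front-end proxy and lighttpd could otherwise have about where one request ends and the next begins.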

