
Bug#961843: buster-pu: package lighttpd/1.4.53-4



reattaching debdiff
diff -Nru lighttpd-1.4.53/debian/changelog lighttpd-1.4.53/debian/changelog
--- lighttpd-1.4.53/debian/changelog	2019-04-13 00:00:00.000000000 -0400
+++ lighttpd-1.4.53/debian/changelog	2020-03-21 19:30:00.000000000 -0400
@@ -1,11 +1,67 @@
+lighttpd (1.4.53-4+deb10u1) UNRELEASED; urgency=high
+
+  * QA upload.
+  * backport security, bug, portability fixes from lighttpd 1.4.54, 1.4.55
+  * mod_evhost, mod_flv_streaming:
+    [regression] %0 pattern does not match hostnames without the domain part
+    https://redmine.lighttpd.net/issues/2932
+  * mod_magnet: Lighttpd crashes on wrong return type in lua script
+    https://redmine.lighttpd.net/issues/2938
+  * failed assertion on incoming bad request with server.error-handler
+    https://redmine.lighttpd.net/issues/2941
+  * mod_wstunnel: fix wstunnel.ping-interval for big-endian architectures
+    https://redmine.lighttpd.net/issues/2944
+  * fix abort in server.http-parseopts with url-path-2f-decode enabled
+    https://redmine.lighttpd.net/issues/2945
+  * remove repeated slashes in server.http-parseopts with url-path-dotseg-remove, including leading "//"
+  * [regression][Bisected] lighttpd uses way more memory with POST since 1.4.52
+    https://redmine.lighttpd.net/issues/2948
+  * OPTIONS should return 2xx status for non-existent resources if Allow is set
+    https://redmine.lighttpd.net/issues/2939
+  * use high precision stat timestamp (on systems where available) in etag
+  * mod_authn_ldap/mod_cgi race condition, "Can't contact LDAP server"
+    https://redmine.lighttpd.net/issues/2940
+  * SUN_LEN in sock_addr.c (1.4.53, 1.4.54)
+    https://redmine.lighttpd.net/issues/2962
+  * Embedded vim command line in conf file with no comment (#) hangs server
+    https://redmine.lighttpd.net/issues/2980
+  * mod_authn_gssapi: 500 if fail to delegate creds
+    https://redmine.lighttpd.net/issues/2967
+  * mod_authn_gssapi: option to store delegated creds
+    https://redmine.lighttpd.net/issues/2967
+  * mod_auth: require digest uri= match original URI
+    HTTP digest authentication not compatible with some clients
+    https://redmine.lighttpd.net/issues/2974
+  * mod_auth: send Authentication-Info nextnonce when nonce is approaching expiration
+  * mod_auth: http_auth_const_time_memeq improvement
+  * mod_auth: http_auth_const_time_memeq_pad()
+  * mod_auth: use constant time comparison when comparing digests
+  * stricter request header parsing: reject WS following header field-name
+    https://redmine.lighttpd.net/issues/2985
+  * stricter request header parsing: reject Transfer-Encoding + Content-Length
+    https://redmine.lighttpd.net/issues/2985
+  * mod_openssl: reject invalid ALPN
+  * mod_accesslog: parse multiple cookies
+    https://redmine.lighttpd.net/issues/2986
+  * preserve %2b and %2B in query string
+    https://redmine.lighttpd.net/issues/2999
+  * mod_auth: close connection after bad password
+    mitigation slows down brute force password attacks
+    https://redmine.lighttpd.net/boards/3/topics/8885
+  * do not accept() > server.max-connections
+  * update /var/run -> /run for systemd (closes: #929203)
+
+ -- Glenn Strauss <gstrauss@gluelogic.com>  Sat, 21 Mar 2020 18:30:00 -0500
+
 lighttpd (1.4.53-4) unstable; urgency=high
 
+  * QA upload.
   * fix mixed use of srv->split_vals array (regression)
   * mod_magnet:fix invalid script return-type crash
   * fix assertion with server.error-handler
   * mod_wstunnel:fix wstunnel.ping-interval for big-endian architectures
   * fix abort in server.http-parseopts with url-path-2f-decode enabled
-    CVE-2019-11072 (closes #926885)
+    CVE-2019-11072 (closes: #926885)
 
  -- Glenn Strauss <gstrauss@gluelogic.com>  Sat, 13 Apr 2019 00:00:00 -0400
 
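Review bot: the new stanza is marked UNRELEASED (`lighttpd (1.4.53-4+deb10u1) UNRELEASED; urgency=high`); for a buster-pu upload the distribution has to be `buster`, so please change it before uploading. This hunk also edits the already-released 1.4.53-4 stanza (adding `* QA upload.` and changing `(closes #926885)` to `(closes: #926885)`); released changelog entries should stay as they are in the archive, since the release team compares the debdiff against what is in buster. As several entries are hardening against request smuggling (rejection of whitespace before the colon, rejection of Transfer-Encoding + Content-Length) and against timing attacks on digest auth, consider referencing the CVE ids in the stanza if any have been assigned, so the security tracker can be kept in sync.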
diff -Nru lighttpd-1.4.53/debian/.gitlab-ci.yml lighttpd-1.4.53/debian/.gitlab-ci.yml
--- lighttpd-1.4.53/debian/.gitlab-ci.yml	2019-04-13 00:00:00.000000000 -0400
+++ lighttpd-1.4.53/debian/.gitlab-ci.yml	2020-03-21 19:30:00.000000000 -0400
@@ -1,13 +1,7 @@
-include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
-build:
-    extends: .build-unstable
-
-lintian:
-    extends: .test-lintian
-
-autopkgtest:
-    extends: .test-autopkgtest
-
-piuparts:
-    extends: .test-piuparts
+variables:
+  # Disable reprotest until salsa-ci-team/pipeline#26 is resolved.
+  SALSA_CI_DISABLE_REPROTEST: 1
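Review bot: a stable-update debdiff is expected to be minimal, and rewriting debian/.gitlab-ci.yml (swapping the explicit job list for the `pipeline-jobs.yml` include and adding `SALSA_CI_DISABLE_REPROTEST: 1`) changes nothing in the built binaries; either drop it from the buster upload or state in the changelog why it is included. If it stays, the imported jobs build against unstable by default, so a buster branch should also set the pipeline's `RELEASE` variable to `buster` next to `SALSA_CI_DISABLE_REPROTEST` so that autopkgtest and piuparts run against the right suite.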
diff -Nru lighttpd-1.4.53/debian/patches/config-update-var-run-run-for-systemd.patch lighttpd-1.4.53/debian/patches/config-update-var-run-run-for-systemd.patch
--- lighttpd-1.4.53/debian/patches/config-update-var-run-run-for-systemd.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/config-update-var-run-run-for-systemd.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,67 @@
+From 15cdc313b500e2473de7bafdcf1c703dbfd11e56 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= <glen@pld-linux.org>
+Date: Thu, 10 Oct 2019 22:26:44 +0300
+Subject: [PATCH] [config] update /var/run -> /run for systemd
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This gets rid of the warning:
+> May 19 10:56:32 buster systemd[1]: /lib/systemd/system/lighttpd.service:6:
+> PIDFile= references path below legacy directory /var/run/,
+> updating /var/run/lighttpd.pid → /run/lighttpd.pid;
+> please update the unit file accordingly.
+
+refs:
+- https://github.com/systemd/systemd/commit/a2d1fb882c4308bc10362d971f333c5031d60069
+- https://github.com/systemd/systemd/pull/9019
+- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929203
+- Filesystem Hierarchy Standard 3.0 (FHS 3.0)
+
+github: closes #100
+---
+ doc/systemd/lighttpd.service | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/systemd/lighttpd.service b/doc/systemd/lighttpd.service
+index b59bdcd7..6fa622b7 100644
+--- a/doc/systemd/lighttpd.service
++++ b/doc/systemd/lighttpd.service
+@@ -4,7 +4,7 @@ After=network-online.target
+ 
+ [Service]
+ Type=simple
+-PIDFile=/var/run/lighttpd.pid
++PIDFile=/run/lighttpd.pid
+ ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
+ ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
+ ExecReload=/bin/kill -USR1 $MAINPID
+diff --git a/doc/config/lighttpd.conf b/doc/config/lighttpd.conf
+index 7673535..0485de9 100644
+--- a/doc/config/lighttpd.conf
++++ b/doc/config/lighttpd.conf
+@@ -15,7 +15,7 @@
+ ##
+ var.log_root    = "/var/log/lighttpd"
+ var.server_root = "/srv/www"
+-var.state_dir   = "/var/run"
++var.state_dir   = "/run"
+ var.home_dir    = "/var/lib/lighttpd"
+ var.conf_dir    = "/etc/lighttpd"
+ 
+diff --git a/doc/lighttpd.8 b/doc/lighttpd.8
+index 1ab6520..a2c98b8 100644
+--- a/doc/lighttpd.8
++++ b/doc/lighttpd.8
+@@ -59,7 +59,7 @@ Show a brief help message and exit.
+ /etc/lighttpd/lighttpd.conf
+ The standard location for the configuration file.
+ .TP 8
+-/var/run/lighttpd.pid
++/run/lighttpd.pid
+ The standard location for the PID of the running \fBlighttpd\fP process.
+ .
+ .SH SEE ALSO
+-- 
+2.25.1
+
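Review bot: the three files changed here (doc/systemd/lighttpd.service, doc/config/lighttpd.conf, doc/lighttpd.8) are upstream sample and documentation files, while the warning quoted in the commit message is about /lib/systemd/system/lighttpd.service as installed on buster. Please confirm the installed unit is taken from doc/systemd/lighttpd.service rather than from a file under debian/; if it is the latter, #929203 is not closed by this patch and that unit needs the same `PIDFile=/run/lighttpd.pid` change. Likewise, if the /etc/lighttpd/lighttpd.conf shipped by the Debian package is maintained separately from doc/config/lighttpd.conf, the `var.state_dir = "/run"` change has to be mirrored there.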
diff -Nru lighttpd-1.4.53/debian/patches/core-200-for-OPTIONS-non-existent-path-HTTP-1.1-fixe.patch lighttpd-1.4.53/debian/patches/core-200-for-OPTIONS-non-existent-path-HTTP-1.1-fixe.patch
--- lighttpd-1.4.53/debian/patches/core-200-for-OPTIONS-non-existent-path-HTTP-1.1-fixe.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/core-200-for-OPTIONS-non-existent-path-HTTP-1.1-fixe.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,36 @@
+From 95aa2c178d6d61e1e42c99018d79993c66bc46e6 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Mon, 25 Mar 2019 22:37:31 -0400
+Subject: [PATCH] [core] 200 for OPTIONS /non-existent/path HTTP/1.1 (fixes
+ #2939)
+
+200 for OPTIONS /non-existent/path HTTP/1.1 when a module,
+such as mod_webdav, has set Allow response header
+
+x-ref:
+  "OPTIONS should return 2xx status for non-existent resources if Allow is set"
+  https://redmine.lighttpd.net/issues/2939
+---
+ src/response.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/response.c b/src/response.c
+index c4a541fb..173e1859 100644
+--- a/src/response.c
++++ b/src/response.c
+@@ -138,6 +138,12 @@ static handler_t http_response_physical_path_check(server *srv, connection *con)
+ 		case ENAMETOOLONG:
+ 			/* file name to be read was too long. return 404 */
+ 		case ENOENT:
++			if (con->request.http_method == HTTP_METHOD_OPTIONS
++			    && NULL != http_header_response_get(con, HTTP_HEADER_OTHER, CONST_STR_LEN("Allow"))) {
++				con->http_status = 200;
++				return HANDLER_FINISHED;
++			}
++
+ 			con->http_status = 404;
+ 
+ 			if (con->conf.log_request_handling) {
+-- 
+2.25.1
+
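Review bot: the new block is reached through the fallthrough from `case ENAMETOOLONG:` as well as from `case ENOENT:`, so an OPTIONS request whose path is too long for the filesystem now also gets 200 instead of 404 whenever a module has set Allow. That is probably acceptable for mod_webdav, but it should be a deliberate choice; if it is not, test for ENOENT explicitly inside the block or move the check out of the shared fallthrough. A short comment above `if (con->request.http_method == HTTP_METHOD_OPTIONS` stating which modules are expected to set Allow for non-existent paths would also help the next reader.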
diff -Nru lighttpd-1.4.53/debian/patches/core-allocate-unix-socket-paths-with-SUN_LEN-1-fixes.patch lighttpd-1.4.53/debian/patches/core-allocate-unix-socket-paths-with-SUN_LEN-1-fixes.patch
--- lighttpd-1.4.53/debian/patches/core-allocate-unix-socket-paths-with-SUN_LEN-1-fixes.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/core-allocate-unix-socket-paths-with-SUN_LEN-1-fixes.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,35 @@
+From 186ce8a2b105cce1c8b5133f40b0b429e5547105 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Tue, 25 Jun 2019 00:33:59 -0400
+Subject: [PATCH] [core] allocate unix socket paths with SUN_LEN()+1 (fixes
+ #2962)
+
+(thx lighthouse2)
+
+x-ref:
+  "SUN_LEN in sock_addr.c (1.4.53, 1.4.54)"
+  https://redmine.lighttpd.net/issues/2962
+---
+ src/sock_addr.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/sock_addr.c b/src/sock_addr.c
+index cc15086c..7be57ce1 100644
+--- a/src/sock_addr.c
++++ b/src/sock_addr.c
+@@ -544,10 +544,9 @@ int sock_addr_from_str_hints(server *srv, sock_addr *saddr, socklen_t *len, cons
+             }
+             memcpy(saddr->un.sun_path, str, hostlen);
+           #if defined(SUN_LEN)
+-            *len = SUN_LEN(&saddr->un);
++            *len = SUN_LEN(&saddr->un)+1;
+           #else
+-            /* stevens says: */
+-            *len = hostlen + sizeof(saddr->un.sun_family);
++            *len = offsetof(struct sockaddr_un, sun_path) + hostlen;
+           #endif
+         }
+         return 1;
+-- 
+2.25.1
+
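Review bot: the two branches of `#if defined(SUN_LEN)` are no longer equivalent. SUN_LEN() evaluates to offsetof(struct sockaddr_un, sun_path) + strlen(sun_path), so the first branch yields offsetof + hostlen + 1 (the terminating NUL the subject line asks for), while the new `#else` branch `*len = offsetof(struct sockaddr_un, sun_path) + hostlen;` omits the +1; suggest `+ hostlen + 1` there as well. Please also confirm sock_addr.c includes `<stddef.h>` for offsetof, and note that both branches rely on the preceding length check (outside this hunk) guaranteeing hostlen < sizeof(sun_path), since `memcpy(saddr->un.sun_path, str, hostlen);` writes no NUL itself and strlen() inside SUN_LEN() would otherwise run past sun_path.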
diff -Nru lighttpd-1.4.53/debian/patches/core-do-not-accept-server.max-connections.patch lighttpd-1.4.53/debian/patches/core-do-not-accept-server.max-connections.patch
--- lighttpd-1.4.53/debian/patches/core-do-not-accept-server.max-connections.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/core-do-not-accept-server.max-connections.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,41 @@
+From fb74bb75148142d622b665275b1bb7751abf1a5a Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sun, 19 Jan 2020 00:02:22 -0500
+Subject: [PATCH] [core] do not accept() > server.max-connections
+
+---
+ src/network.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/network.c b/src/network.c
+index d563b4c8..dc55169a 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -46,7 +46,7 @@ network_accept_tcp_nagle_disable (const int fd)
+ static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) {
+ 	server_socket *srv_socket = (server_socket *)context;
+ 	connection *con;
+-	int loops = 0;
++	int loops;
+ 
+ 	UNUSED(context);
+ 
+@@ -61,9 +61,13 @@ static handler_t network_server_handle_fdevent(server *srv, void *context, int r
+ 	/* accept()s at most 100 connections directly
+ 	 *
+ 	 * we jump out after 100 to give the waiting connections a chance */
+-	for (loops = 0; loops < 100 && NULL != (con = connection_accept(srv, srv_socket)); loops++) {
++	if (srv->conns->used >= srv->max_conns) return HANDLER_GO_ON;
++	loops = (int)(srv->max_conns - srv->conns->used + 1);
++	if (loops > 100) loops = 101;
++
++	while (--loops && NULL != (con = connection_accept(srv, srv_socket)))
+ 		connection_state_machine(srv, con);
+-	}
++
+ 	return HANDLER_GO_ON;
+ }
+ 
+-- 
+2.25.1
+
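Review bot: the early `return HANDLER_GO_ON` when `srv->conns->used >= srv->max_conns` leaves the listening socket readable without accepting anything, so unless the listener is taken out of the poll set elsewhere once the limit is reached, the event loop will wake on it continuously for as long as the server is saturated; under a connection flood that turns the limit into a CPU-burning condition rather than a backstop. Please confirm that the code which stops polling the listen sockets at the connection limit (not in this hunk) still triggers on this path. The loop arithmetic itself is right: with used < max_conns, `loops` is at least 2 and `while (--loops && ...)` admits min(max_conns - used, 100) accepts, matching the comment above it.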
diff -Nru lighttpd-1.4.53/debian/patches/core-fix-1.4.52-regression-in-mem-use-with-POST-fixe.patch lighttpd-1.4.53/debian/patches/core-fix-1.4.52-regression-in-mem-use-with-POST-fixe.patch
--- lighttpd-1.4.53/debian/patches/core-fix-1.4.52-regression-in-mem-use-with-POST-fixe.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/core-fix-1.4.52-regression-in-mem-use-with-POST-fixe.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,188 @@
+From 599b4f05c8ccebd0c06074972824b930afc9c832 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Thu, 18 Apr 2019 17:02:42 -0400
+Subject: [PATCH] [core] fix 1.4.52 regression in mem use with POST (fixes
+ #2948)
+
+(thx rgenoud)
+
+x-ref:
+  "[regression][Bisected] lighttpd uses way more memory with POST since 1.4.52"
+  https://redmine.lighttpd.net/issues/2948
+---
+ src/chunk.c | 80 ++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 43 insertions(+), 37 deletions(-)
+
+diff --git a/src/chunk.c b/src/chunk.c
+index e209707c..73c9fd68 100644
+--- a/src/chunk.c
++++ b/src/chunk.c
+@@ -26,7 +26,7 @@
+ #define MAX_TEMPFILE_SIZE (128 * 1024 * 1024)
+ 
+ static size_t chunk_buf_sz = 4096;
+-static chunk *chunks;
++static chunk *chunks, *chunks_oversized;
+ static chunk *chunk_buffers;
+ static array *chunkqueue_default_tempdirs = NULL;
+ static unsigned int chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE;
+@@ -141,23 +141,42 @@ void chunk_buffer_release(buffer *b) {
+     }
+ }
+ 
+-static chunk * chunk_acquire(void) {
+-    if (chunks) {
+-        chunk *c = chunks;
+-        chunks = c->next;
+-        return c;
++static chunk * chunk_acquire(size_t sz) {
++    if (sz <= chunk_buf_sz) {
++        if (chunks) {
++            chunk *c = chunks;
++            chunks = c->next;
++            return c;
++        }
++        sz = chunk_buf_sz;
+     }
+     else {
+-        return chunk_init(chunk_buf_sz);
++        sz = (sz + 8191) & ~8191uL;
++        /* future: might have buckets of certain sizes, up to socket buf sizes*/
++        if (chunks_oversized && chunks_oversized->mem->size >= sz) {
++            chunk *c = chunks_oversized;
++            chunks_oversized = c->next;
++            return c;
++        }
+     }
++
++    return chunk_init(sz);
+ }
+ 
+ static void chunk_release(chunk *c) {
+-    if (c->mem->size >= chunk_buf_sz) {
++    const size_t sz = c->mem->size;
++    if (sz == chunk_buf_sz) {
+         chunk_reset(c);
+         c->next = chunks;
+         chunks = c;
+     }
++    else if (sz > chunk_buf_sz) {
++        chunk_reset(c);
++        chunk **co = &chunks_oversized;
++        while (*co && sz < (*co)->mem->size) co = &(*co)->next;
++        c->next = *co;
++        *co = c;
++    }
+     else {
+         chunk_free(c);
+     }
+@@ -170,6 +189,11 @@ void chunkqueue_chunk_pool_clear(void)
+         chunk_free(c);
+     }
+     chunks = NULL;
++    for (chunk *next, *c = chunks_oversized; c; c = next) {
++        next = c->next;
++        chunk_free(c);
++    }
++    chunks_oversized = NULL;
+ }
+ 
+ void chunkqueue_chunk_pool_free(void)
+@@ -235,20 +259,20 @@ static void chunkqueue_append_chunk(chunkqueue *cq, chunk *c) {
+ 	}
+ }
+ 
+-static chunk * chunkqueue_prepend_mem_chunk(chunkqueue *cq) {
+-    chunk *c = chunk_acquire();
++static chunk * chunkqueue_prepend_mem_chunk(chunkqueue *cq, size_t sz) {
++    chunk *c = chunk_acquire(sz);
+     chunkqueue_prepend_chunk(cq, c);
+     return c;
+ }
+ 
+-static chunk * chunkqueue_append_mem_chunk(chunkqueue *cq) {
+-    chunk *c = chunk_acquire();
++static chunk * chunkqueue_append_mem_chunk(chunkqueue *cq, size_t sz) {
++    chunk *c = chunk_acquire(sz);
+     chunkqueue_append_chunk(cq, c);
+     return c;
+ }
+ 
+ static chunk * chunkqueue_append_file_chunk(chunkqueue *cq, buffer *fn, off_t offset, off_t len) {
+-    chunk *c = chunk_acquire();
++    chunk *c = chunk_acquire(buffer_string_length(fn)+1);
+     chunkqueue_append_chunk(cq, c);
+     c->type = FILE_CHUNK;
+     c->file.start = offset;
+@@ -308,7 +332,7 @@ void chunkqueue_append_buffer(chunkqueue *cq, buffer *mem) {
+ 	size_t len = buffer_string_length(mem);
+ 	if (len < 256 && chunkqueue_append_mem_extend_chunk(cq, mem->ptr, len)) return;
+ 
+-	c = chunkqueue_append_mem_chunk(cq);
++	c = chunkqueue_append_mem_chunk(cq, chunk_buf_sz);
+ 	cq->bytes_in += len;
+ 	buffer_move(c->mem, mem);
+ }
+@@ -319,7 +343,7 @@ void chunkqueue_append_mem(chunkqueue *cq, const char * mem, size_t len) {
+ 	if (len < chunk_buf_sz && chunkqueue_append_mem_extend_chunk(cq, mem, len))
+ 		return;
+ 
+-	c = chunkqueue_append_mem_chunk(cq);
++	c = chunkqueue_append_mem_chunk(cq, len+1);
+ 	cq->bytes_in += len;
+ 	buffer_copy_string_len(c->mem, mem, len);
+ }
+@@ -354,28 +378,14 @@ void chunkqueue_append_chunkqueue(chunkqueue *cq, chunkqueue *src) {
+ }
+ 
+ 
+-__attribute_cold__
+-static void chunkqueue_buffer_open_resize(chunk *c, size_t sz) {
+-	chunk * const n = chunk_init((sz + 4095) & ~4095uL);
+-	buffer * const b = c->mem;
+-	c->mem = n->mem;
+-	n->mem = b;
+-	chunk_release(n);
+-}
+-
+-
+ buffer * chunkqueue_prepend_buffer_open_sz(chunkqueue *cq, size_t sz) {
+-	chunk * const c = chunkqueue_prepend_mem_chunk(cq);
+-	if (buffer_string_space(c->mem) < sz) {
+-		chunkqueue_buffer_open_resize(c, sz);
+-	}
++	chunk * const c = chunkqueue_prepend_mem_chunk(cq, sz);
+ 	return c->mem;
+ }
+ 
+ 
+ buffer * chunkqueue_prepend_buffer_open(chunkqueue *cq) {
+-	chunk *c = chunkqueue_prepend_mem_chunk(cq);
+-	return c->mem;
++	return chunkqueue_prepend_buffer_open_sz(cq, chunk_buf_sz);
+ }
+ 
+ 
+@@ -385,17 +395,13 @@ void chunkqueue_prepend_buffer_commit(chunkqueue *cq) {
+ 
+ 
+ buffer * chunkqueue_append_buffer_open_sz(chunkqueue *cq, size_t sz) {
+-	chunk * const c = chunkqueue_append_mem_chunk(cq);
+-	if (buffer_string_space(c->mem) < sz) {
+-		chunkqueue_buffer_open_resize(c, sz);
+-	}
++	chunk * const c = chunkqueue_append_mem_chunk(cq, sz);
+ 	return c->mem;
+ }
+ 
+ 
+ buffer * chunkqueue_append_buffer_open(chunkqueue *cq) {
+-	chunk *c = chunkqueue_append_mem_chunk(cq);
+-	return c->mem;
++	return chunkqueue_append_buffer_open_sz(cq, chunk_buf_sz);
+ }
+ 
+ 
+-- 
+2.25.1
+
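Review bot: the new `chunks_oversized` free list filled in chunk_release() has no cap on entries or on total bytes: every buffer larger than chunk_buf_sz is kept until chunkqueue_chunk_pool_clear(), so after a burst of large request bodies the process retains that peak memory. The old single list had the same retention, and #2948 is about oversized buffers being handed to small requests rather than about retention, but a bound (on count or bytes, dropping the largest first) would be cheap to add in the `else if (sz > chunk_buf_sz)` branch and would limit what a client can pin. Two smaller points: chunk_acquire() rounds sz up to 8 KiB and then takes the head of the list whatever its size, so a 9 KiB request may be served a multi-megabyte buffer whenever one is cached (the descending-order insertion makes the head the largest); and chunkqueue_append_buffer() now acquires a chunk_buf_sz chunk only to buffer_move() the caller's buffer into it, so it is the caller's buffer, of whatever size, that lands in a pool on release. Neither is a correctness bug, but a comment on the intended size policy would help.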
diff -Nru lighttpd-1.4.53/debian/patches/core-issue-config-error-for-invalid-fixes-2980.patch lighttpd-1.4.53/debian/patches/core-issue-config-error-for-invalid-fixes-2980.patch
--- lighttpd-1.4.53/debian/patches/core-issue-config-error-for-invalid-fixes-2980.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/core-issue-config-error-for-invalid-fixes-2980.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,33 @@
+From 06a395a93ee22df13cb6fe2a5a06cdac3ed1946c Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Thu, 5 Sep 2019 21:54:10 -0400
+Subject: [PATCH] [core] issue config error for invalid ':' (fixes #2980)
+
+x-ref:
+  "Embedded vim command line in conf file with no comment (#) hangs server"
+  https://redmine.lighttpd.net/issues/2980
+---
+ src/configfile.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/configfile.c b/src/configfile.c
+index b870b593..a7ac53bc 100644
+--- a/src/configfile.c
++++ b/src/configfile.c
+@@ -1130,6 +1130,13 @@ static int config_tokenizer(server *srv, tokenizer_t *t, int *token_id, buffer *
+ 				t->offset += 2;
+ 				tid = TK_FORCE_ASSIGN;
+ 				buffer_copy_string_len(token, CONST_STR_LEN(":="));
++			} else {
++				/* ERROR */
++				log_error_write(srv, __FILE__, __LINE__, "sbsdsds",
++						"source:", t->source,
++						"line:", t->line, "pos:", t->line_pos,
++						"unexpected character ':'");
++				return -1;
+ 			}
+ 			break;
+ 
+-- 
+2.25.1
+
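Review bot: the added `else` branch turns a ':' that is not followed by '=' into a parse error, which is the right fix for the hang in #2980, but `/* ERROR */` says nothing about that; a one-line comment stating that such a ':' previously left the tokenizer without advancing (hence the hang) and that the config file is rejected on purpose would help the next reader. The "sbsdsds" format matches its seven arguments. Since the input is the trusted configuration file, this is a robustness fix at startup or reload rather than a remotely reachable issue, and the changelog wording "hangs server" could say so.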
diff -Nru lighttpd-1.4.53/debian/patches/core-preserve-2b-and-2B-in-query-string-fixes-2999.patch lighttpd-1.4.53/debian/patches/core-preserve-2b-and-2B-in-query-string-fixes-2999.patch
--- lighttpd-1.4.53/debian/patches/core-preserve-2b-and-2B-in-query-string-fixes-2999.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/core-preserve-2b-and-2B-in-query-string-fixes-2999.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,60 @@
+From 9cdfb4846653253f2c11dd74964eb4a9bc006a2c Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Wed, 1 Jan 2020 15:28:43 -0500
+Subject: [PATCH] [core] preserve %2b and %2B in query string (fixes #2999)
+
+normalize %2b or %2B in query string to %2B (uppercase hex),
+and not to '+'
+
+(thx int-e)
+
+x-ref:
+  "url-normalize-required expands %2B in query strings"
+  https://redmine.lighttpd.net/issues/2999
+---
+ src/burl.c        | 8 ++++++--
+ src/t/test_burl.c | 2 ++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/burl.c b/src/burl.c
+index b62a5cd5..ca8c8bd6 100644
+--- a/src/burl.c
++++ b/src/burl.c
+@@ -139,7 +139,9 @@ static int burl_normalize_basic_required_fix (buffer *b, buffer *t, int i, int q
+         else if (s[i]=='%' && li_cton(s[i+1], n1) && li_cton(s[i+2], n2)) {
+             const unsigned int x = (n1 << 4) | n2;
+             if (!encoded_chars_http_uri_reqd[x]
+-                && (qs < 0 ? (x!='/'&&x!='?') : (x!='&'&&x!='='&&x!=';'))) {
++                && (qs < 0
++                    ? (x != '/' && x != '?')
++                    : (x != '&' && x != '=' && x != ';' && x != '+'))) {
+                 p[j] = x;
+             }
+             else {
+@@ -177,7 +179,9 @@ static int burl_normalize_basic_required (buffer *b, buffer *t)
+         }
+         else if (s[i]=='%' && li_cton(s[i+1], n1) && li_cton(s[i+2], n2)
+                  && (encoded_chars_http_uri_reqd[(x = (n1 << 4) | n2)]
+-                     ||(qs < 0 ? (x=='/'||x=='?') : (x=='&'||x=='='||x==';')))){
++                     || (qs < 0
++                         ? (x == '/' || x == '?')
++                         : (x == '&' || x == '=' || x == ';' || x == '+')))) {
+             if (li_utf8_invalid_byte(x)) qs = -2;
+             if (s[i+1] >= 'a') b->ptr[i+1] &= 0xdf; /* uppercase hex */
+             if (s[i+2] >= 'a') b->ptr[i+2] &= 0xdf; /* uppercase hex */
+diff --git a/src/t/test_burl.c b/src/t/test_burl.c
+index e9cc80de..c2bbe69e 100644
+--- a/src/t/test_burl.c
++++ b/src/t/test_burl.c
+@@ -78,6 +78,8 @@ static void test_burl_normalize (void) {
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2B"), CONST_STR_LEN("/+"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%3a"), CONST_STR_LEN("/:"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%3A"), CONST_STR_LEN("/:"));
++    run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2b?x=%2b"), CONST_STR_LEN("/+?x=%2B"));
++    run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2B?x=%2B"), CONST_STR_LEN("/+?x=%2B"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/~test%20ä_"), CONST_STR_LEN("/~test%20%C3%A4_"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/\375"), "", (size_t)-2);
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/\376"), "", (size_t)-2);
+-- 
+2.25.1
+
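Review bot: the query-string character sets are now duplicated between burl_normalize_basic_required_fix() and burl_normalize_basic_required() (`'&'`, `'='`, `';'`, `'+'` in both), so they can drift; a shared inline predicate for "must stay encoded in the query" would keep the rule in one place. Behaviourally the change is sound: a client sending %2B wants a literal plus, and decoding it to '+' would let a backend that treats '+' as a space see a different value than was sent. The added tests cover lower- and upper-case input; a test that a literal '+' in the query string is left unchanged would cover the other half of the distinction.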
diff -Nru lighttpd-1.4.53/debian/patches/core-reject-Transfer-Encoding-Content-Length-2985.patch lighttpd-1.4.53/debian/patches/core-reject-Transfer-Encoding-Content-Length-2985.patch
--- lighttpd-1.4.53/debian/patches/core-reject-Transfer-Encoding-Content-Length-2985.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/core-reject-Transfer-Encoding-Content-Length-2985.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,70 @@
+From 66624b375b6f1ceae446ba09d55f123683506337 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sun, 6 Oct 2019 15:14:05 -0400
+Subject: [PATCH] [core] reject Transfer-Encoding + Content-Length (#2985)
+
+reject requests with both Transfer-Encoding and Content-Length
+as recommended in RFC 7230 Section 3.3.3.
+
+strict header parsing is enabled by default in lighttpd.  However,
+if explicitly disabled in lighttpd.conf, lighttpd will continue to
+accept Transfer-Encoding and Content-Length in the same request,
+and will ignore (and remove) Content-Length before passing to backend.
+  UNSAFE: server.http-parseopts = ( "header-strict" => "disable" )
+  This is NOT RECOMMENDED since doing so disables other protections
+  provided by lighttpd strict http header parsing.
+
+RFC7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
+  3.3.3.  Message Body Length
+  [...]
+  If a message is received with both a Transfer-Encoding and a
+  Content-Length header field, the Transfer-Encoding overrides the
+  Content-Length.  Such a message might indicate an attempt to
+  perform request smuggling (Section 9.5) or response splitting
+  (Section 9.4) and ought to be handled as an error.  A sender MUST
+  remove the received Content-Length field prior to forwarding such
+  a message downstream.
+
+x-ref:
+  stricter request header parsing
+  https://redmine.lighttpd.net/issues/2985
+---
+ src/request.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/request.c b/src/request.c
+index 64b2ba45..7ce30869 100644
+--- a/src/request.c
++++ b/src/request.c
+@@ -887,9 +887,26 @@ int http_request_parse(server *srv, connection *con, buffer *hdrs) {
+ 			 * which must not be blindly forwarded to backends */
+ 			http_header_request_unset(con, HTTP_HEADER_TRANSFER_ENCODING, CONST_STR_LEN("Transfer-Encoding"));
+ 
+-			/*(note: ignore whether or not Content-Length was provided)*/
+ 		        if (con->request.htags & HTTP_HEADER_CONTENT_LENGTH) {
+-				http_header_request_unset(con, HTTP_HEADER_CONTENT_LENGTH, CONST_STR_LEN("Content-Length"));
++				/* RFC7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
++				 * 3.3.3.  Message Body Length
++				 * [...]
++				 * If a message is received with both a Transfer-Encoding and a
++				 * Content-Length header field, the Transfer-Encoding overrides the
++				 * Content-Length.  Such a message might indicate an attempt to
++				 * perform request smuggling (Section 9.5) or response splitting
++				 * (Section 9.4) and ought to be handled as an error.  A sender MUST
++				 * remove the received Content-Length field prior to forwarding such
++				 * a message downstream.
++				 */
++				if (http_header_strict) {
++					log_error_write(srv, __FILE__, __LINE__, "s", "invalid Transfer-Encoding + Content-Length -> 400");
++					goto failure;
++				}
++				else {
++					/* ignore Content-Length */
++					http_header_request_unset(con, HTTP_HEADER_CONTENT_LENGTH, CONST_STR_LEN("Content-Length"));
++				}
+ 			}
+ 
+ 			state.con_length_set = 1;
+-- 
+2.25.1
+
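Review bot: in the lenient path (`header-strict` disabled) the Content-Length header is dropped silently; since the commit message itself says such a request "might indicate an attempt to perform request smuggling", please log it there as well (at the same level as the strict-mode message) so an operator who has disabled strict parsing can still detect the attempts in the error log. Please also confirm that `goto failure` produces the 400 the log text claims and that the connection is not reused for a following request with the unread body still pending. Minor: the `if (con->request.htags & HTTP_HEADER_CONTENT_LENGTH)` line is indented with spaces while the surrounding code uses tabs.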
diff -Nru lighttpd-1.4.53/debian/patches/core-reject-WS-following-header-field-name-fixes-298.patch lighttpd-1.4.53/debian/patches/core-reject-WS-following-header-field-name-fixes-298.patch
--- lighttpd-1.4.53/debian/patches/core-reject-WS-following-header-field-name-fixes-298.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/core-reject-WS-following-header-field-name-fixes-298.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,105 @@
+From 61f85d14ee4444755e0771495b97af11162448dd Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sat, 28 Sep 2019 19:21:56 -0400
+Subject: [PATCH] [core] reject WS following header field-name (fixes #2985)
+
+reject whitespace following request header field-name and before colon
+Such whitespace is forbidden in RFC 7230 Section 3.2.4.
+
+strict header parsing is enabled by default in lighttpd.  However,
+if explicitly disabled in lighttpd.conf, lighttpd will continue to
+accept (and re-format) such field-names before passing to any backend.
+  UNSAFE: server.http-parseopts = ( "header-strict" => "disable" )
+  This is NOT RECOMMENDED since doing so disables other protections
+  provided by lighttpd strict http header parsing.
+
+(thx fedormixalich)
+
+x-ref:
+  stricter request header parsing
+  https://redmine.lighttpd.net/issues/2985
+---
+ src/request.c        | 13 +++++++++++++
+ src/t/test_request.c |  5 +----
+ tests/request.t      | 12 +-----------
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/src/request.c b/src/request.c
+index b72bb974..64b2ba45 100644
+--- a/src/request.c
++++ b/src/request.c
+@@ -723,6 +723,21 @@ int http_request_parse(server *srv, connection *con, buffer *hdrs) {
+ 			switch(*cur) {
+ 			case ' ':
+ 			case '\t':
++				/* RFC7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
++				 * 3.2.4.  Field Parsing
++				 * [...]
++				 * No whitespace is allowed between the header field-name and colon.  In
++				 * the past, differences in the handling of such whitespace have led to
++				 * security vulnerabilities in request routing and response handling.  A
++				 * server MUST reject any received request message that contains
++				 * whitespace between a header field-name and colon with a response code
++				 * of 400 (Bad Request).  A proxy MUST remove any such whitespace from a
++				 * response message before forwarding the message downstream.
++				 */
++				if (http_header_strict) {
++					log_error_write(srv, __FILE__, __LINE__, "s", "invalid whitespace between field-name and colon -> 400");
++					goto failure;
++				}
+ 				/* skip every thing up to the : */
+ 				do { ++cur; } while (*cur == ' ' || *cur == '\t');
+ 				if (*cur != ':') {
+diff --git a/src/t/test_request.c b/src/t/test_request.c
+index e001fb6a..1387565e 100644
+--- a/src/t/test_request.c
++++ b/src/t/test_request.c
+@@ -310,14 +310,11 @@ static void test_request_http_request_parse(server *srv, connection *con)
+     assert(buffer_is_equal_string(con->request.uri,
+                                   CONST_STR_LEN("/")));
+ 
+-    run_http_request_parse(srv, con, __LINE__, 0,
++    run_http_request_parse(srv, con, __LINE__, 400,
+       "whitespace after key",
+       CONST_STR_LEN("GET / HTTP/1.0\r\n"
+                     "ABC : foo\r\n"
+                     "\r\n"));
+-    ds = (data_string *)
+-      array_get_element_klen(con->request.headers, CONST_STR_LEN("ABC"));
+-    assert(ds && buffer_is_equal_string(ds->value, CONST_STR_LEN("foo")));
+ 
+     run_http_request_parse(srv, con, __LINE__, 400,
+       "whitespace within key",
+diff --git a/tests/request.t b/tests/request.t
+index 96ef077b..aa1cace0 100755
+--- a/tests/request.t
++++ b/tests/request.t
+@@ -8,7 +8,7 @@ BEGIN {
+ 
+ use strict;
+ use IO::Socket;
+-use Test::More tests => 52;
++use Test::More tests => 51;
+ use LightyTest;
+ 
+ my $tf = LightyTest->new();
+@@ -503,16 +503,6 @@ $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
+ ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo');
+ 
+ 
+-print "\nConnection header\n";
+-$t->{REQUEST}  = ( <<EOF
+-GET /12345.txt HTTP/1.1
+-Connection  : close
+-Host: 123.example.org
+-EOF
+- );
+-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.1', 'HTTP-Status' => 200, 'HTTP-Content' => '12345'."\n", 'Content-Type' => 'text/plain', 'Connection' => 'close' } ];
+-ok($tf->handle_http($t) == 0, 'Connection-header, spaces before ":"');
+-
+ $t->{REQUEST}  = ( <<EOF
+ GET /12345.txt HTTP/1.1
+ Connection: ,close
+-- 
+2.25.1
+
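Review bot: the tests/request.t hunk deletes the 'Connection-header, spaces before ":"' case outright (and drops the count to 51) instead of rewriting it to expect 400, so the integration suite no longer exercises this path at all; keep the request and change the expected status to 400, as src/t/test_request.c does. In the src/request.c hunk the `goto failure` sits before the `do { ++cur; }` loop that tolerates the whitespace, so the lenient path is unchanged; that matches the commit message. The RFC quote in the code comment would read better trimmed to the "A server MUST reject" sentence, with the issue number for the rest.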
diff -Nru lighttpd-1.4.53/debian/patches/core-remove-repeated-slashes-in-http-parseopts.patch lighttpd-1.4.53/debian/patches/core-remove-repeated-slashes-in-http-parseopts.patch
--- lighttpd-1.4.53/debian/patches/core-remove-repeated-slashes-in-http-parseopts.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/core-remove-repeated-slashes-in-http-parseopts.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,49 @@
+commit e757978497c35b2857784f3b4452d0ebef7793f9
+Author: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Mon, 15 Apr 2019 23:36:21 -0400
+
+[core] remove repeated slashes in http-parseopts
+
+remove repeated slashes in server.http-parseopts
+with url-path-dotseg-remove, including leading "//"
+
+(prior to this patch, leading "//" was skipped)
+
+diff --git a/src/burl.c b/src/burl.c
+index c4b928fd..b62a5cd5 100644
+--- a/src/burl.c
++++ b/src/burl.c
+@@ -289,7 +289,7 @@ static int burl_normalize_path (buffer *b, buffer *t, int qs, int flags)
+             path_simplify = 1;
+             break;
+         }
+-        do { ++i; } while (i < len && s[i] != '/');
++        while (i < len && s[i] != '/') ++i;
+         if (s[i] == '/' && s[i+1] == '/') { /*(s[len] != '/')*/
+             path_simplify = 1;
+             break;
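Review bot: replacing `do { ++i; } while (...)` with `while (...) ++i;` removes the guarantee that `i` advances on every pass, which is exactly what lets a leading `//` (i == 0 with s[0] == '/') reach the `s[i] == '/' && s[i+1] == '/'` test instead of being skipped. Please confirm that the enclosing loop still advances `i` when `s[i]` is already `/` on entry and the following byte is not `/`; if it relied on the inner loop for progress, this hunk would turn that case into a spin. The `/*(s[len] != '/')*/` comment is what keeps `s[i+1]` in bounds and is worth restating next to the new loop.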
+diff --git a/src/t/test_burl.c b/src/t/test_burl.c
+index f7a16815..e9cc80de 100644
+--- a/src/t/test_burl.c
++++ b/src/t/test_burl.c
+@@ -98,6 +98,8 @@ static void test_burl_normalize (void) {
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=/"), CONST_STR_LEN("/a/b?c=/"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=%2f"), CONST_STR_LEN("/a/b?c=/"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f?"), CONST_STR_LEN("/?"));
++    run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f%2f"), CONST_STR_LEN("//"));
++    run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f%2f?"), CONST_STR_LEN("//?"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2f?"), CONST_STR_LEN("//?"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb"), CONST_STR_LEN("/a/b"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2Fb"), CONST_STR_LEN("/a/b"));
+@@ -112,6 +114,8 @@ static void test_burl_normalize (void) {
+     flags &= ~HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_REJECT;
+ 
+     flags |= HTTP_PARSEOPT_URL_NORMALIZE_PATH_DOTSEG_REMOVE;
++    run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("//"), CONST_STR_LEN("/"));
++    run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a//b"), CONST_STR_LEN("/a/b"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("./a/b"), CONST_STR_LEN("/a/b"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("../a/b"), CONST_STR_LEN("/a/b"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/./b"), CONST_STR_LEN("/a/b"));
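Review bot: the DOTSEG_REMOVE cases cover a leading `//` and one interior `//`, but not a run of three or more slashes (`///a`), a trailing pair (`/a//`), or a percent-encoded pair under the same flags (`%2f%2fa`). The burl.c change touches precisely the loop that decides when `path_simplify` kicks in, and the first hunk of test_burl.c already pins `%2f%2f` to `//` without DOTSEG_REMOVE, so one case that shows decode and collapse composing in the intended order would close the gap cheaply.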
+-- 
+2.20.1
+
diff -Nru lighttpd-1.4.53/debian/patches/core-use-high-precision-stat-timestamp-in-etag.patch lighttpd-1.4.53/debian/patches/core-use-high-precision-stat-timestamp-in-etag.patch
--- lighttpd-1.4.53/debian/patches/core-use-high-precision-stat-timestamp-in-etag.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/core-use-high-precision-stat-timestamp-in-etag.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,27 @@
+From 338c73fd28bf3fbed831b624f2345af02355b329 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Wed, 24 Apr 2019 03:35:26 -0400
+Subject: [PATCH] [core] use high precision stat timestamp in etag
+
+use high precision stat timestamp (on systems where available) in etag
+---
+ src/etag.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/etag.c b/src/etag.c
+index c534e4e3..a89c4e51 100644
+--- a/src/etag.c
++++ b/src/etag.c
+@@ -160,6 +160,9 @@ int etag_create(buffer *etag, const struct stat *st, etag_flags_t flags) {
+ 	
+ 	if (flags & ETAG_USE_MTIME) {
+ 		buffer_append_int(etag, st->st_mtime);
++	      #ifdef st_mtime /* use high-precision timestamp if available */
++		buffer_append_int(etag, st->st_mtim.tv_nsec);
++	      #endif
+ 	}
+ 
+ 	return 0;
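Review bot: `#ifdef st_mtime` only detects that `st_mtime` is a macro; it does not establish that the member behind it is named `st_mtim`. glibc defines `st_mtime` as `st_mtim.tv_sec`, so this builds on Debian, but on a libc where the macro expands to a differently named member (macOS uses `st_mtimespec`) the `st_mtim.tv_nsec` reference fails to compile. Harmless for a buster update, but a comment stating the glibc assumption, or a configure check for `struct stat.st_mtim`, would make the intent explicit. Worth a line in the changelog too: appending the nanosecond field changes every static file's ETag on upgrade, so conditional requests will miss once and clients re-fetch cached content.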
+-- 
+2.25.1
+
diff -Nru lighttpd-1.4.53/debian/patches/mod_accesslog-parse-multiple-cookies-fixes-2986.patch lighttpd-1.4.53/debian/patches/mod_accesslog-parse-multiple-cookies-fixes-2986.patch
--- lighttpd-1.4.53/debian/patches/mod_accesslog-parse-multiple-cookies-fixes-2986.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/mod_accesslog-parse-multiple-cookies-fixes-2986.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,30 @@
+From 330c39c694a28e32162519c8843f3253ca9546f0 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Wed, 16 Oct 2019 23:59:54 -0400
+Subject: [PATCH] [mod_accesslog] parse multiple cookies (fixes #2986)
+
+(thx xoneca)
+
+x-ref:
+  "Cookie format specifier is broken"
+  https://redmine.lighttpd.net/issues/2986
+---
+ src/mod_accesslog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mod_accesslog.c b/src/mod_accesslog.c
+index 77300134..83a12423 100644
+--- a/src/mod_accesslog.c
++++ b/src/mod_accesslog.c
+@@ -1098,7 +1098,7 @@ REQUESTDONE_FUNC(log_access_write) {
+ 							buffer_free(bstr);
+ 							break;
+ 						} else {
+-							do { ++str; } while (*str != ' ' && *str != '\t' && *str != '\0');
++							while (*str != ';' && *str != ' ' && *str != '\t' && *str != '\0') ++str;
+ 						}
+ 						while (*str == ' ' || *str == '\t') ++str;
+ 					} while (*str++ == ';');
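Review bot: stopping the inner scan at `;` as well as whitespace is what lets the outer `} while (*str++ == ';')` move on to the next cookie, and progress is still guaranteed because that post-increment consumes the `;` the inner loop now stops on. The diffstat shows no test change, though, and tests/ already drives lighttpd end to end (see tests/request.t above); a request carrying `Cookie: a=1; b=2; c=3` with the cookie format specifier selecting the second and third names would lock the fix in.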
+-- 
+2.25.1
+
diff -Nru lighttpd-1.4.53/debian/patches/mod_auth-Authentication-Info-nextnonce.patch lighttpd-1.4.53/debian/patches/mod_auth-Authentication-Info-nextnonce.patch
--- lighttpd-1.4.53/debian/patches/mod_auth-Authentication-Info-nextnonce.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/mod_auth-Authentication-Info-nextnonce.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,67 @@
+From 6ad325c659c4f602584c9450242204f410e74952 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sun, 8 Sep 2019 18:22:10 -0400
+Subject: [PATCH] [mod_auth] Authentication-Info: nextnonce=...
+
+send Authentication-Info nextnonce when nonce is approaching expiration
+---
+ src/mod_auth.c | 34 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/src/mod_auth.c b/src/mod_auth.c
+index 49ab7a85..34e5e91a 100644
+--- a/src/mod_auth.c
++++ b/src/mod_auth.c
+@@ -532,6 +532,35 @@ static void CvtHex(const HASH Bin, char (*Hex)[33]) {
+ 	li_tohex(*Hex, sizeof(*Hex), (const char*) Bin, 16);
+ }
+ 
++static void mod_auth_digest_authentication_info(buffer *b, time_t cur_ts) {
++    li_MD5_CTX Md5Ctx;
++    HASH h;
++    char hh[33];
++
++    force_assert(33 >= LI_ITOSTRING_LENGTH); /*(buffer used for both li_itostrn() and CvtHex())*/
++
++    /* generate nonce */
++
++    /* generate shared-secret */
++    li_MD5_Init(&Md5Ctx);
++
++    li_itostrn(hh, sizeof(hh), cur_ts);
++    li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++    li_itostrn(hh, sizeof(hh), li_rand_pseudo());
++    li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
++
++    li_MD5_Final(h, &Md5Ctx);
++
++    CvtHex(h, &hh);
++
++    buffer_clear(b);
++    buffer_append_string_len(b, CONST_STR_LEN("nextnonce=\""));
++    buffer_append_uint_hex(b, (uintmax_t)cur_ts);
++    buffer_append_string_len(b, CONST_STR_LEN(":"));
++    buffer_append_string_len(b, hh, HASHHEXLEN);
++    buffer_append_string_len(b, CONST_STR_LEN("\""));
++}
++
+ typedef struct {
+ 	const char *key;
+ 	int key_len;
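Review bot: the comments `/* generate nonce */` and `/* generate shared-secret */` are stale: the code builds a nonce of the form hex(cur_ts) ':' MD5(cur_ts, li_rand_pseudo()), and no shared secret is involved. Drop the second comment and have the first describe the layout, because `mod_auth_check_digest` parses the leading hex timestamp back out of it (the `srv->cur_ts - ts` check in the next hunk of this file). If this mirrors the nonce built for the 401 challenge (not in this hunk), share one helper so the format the validator expects cannot drift. Minor: the `33` in `force_assert(33 >= LI_ITOSTRING_LENGTH)` is `sizeof(hh)` and should be written as such.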
+@@ -820,7 +847,12 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d,
+ 			/* nonce is stale; have client regenerate digest */
+ 			buffer_free(b);
+ 			return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 1);
+-		} /*(future: might send nextnonce when expiration is imminent)*/
++		}
++		else if (srv->cur_ts - ts > 540) { /*(9 mins)*/
++			/*(send nextnonce when expiration is approaching)*/
++			mod_auth_digest_authentication_info(srv->tmp_buf, srv->cur_ts);
++			http_header_response_set(con, HTTP_HEADER_OTHER, CONST_STR_LEN("Authentication-Info"), CONST_BUF_LEN(srv->tmp_buf));
++		}
+ 	}
+ 
+ 	http_auth_setenv(con, username, strlen(username), CONST_STR_LEN("Digest"));
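Review bot: 540 is a magic number that only makes sense relative to the stale threshold used by the `nonce is stale` branch just above (not visible here); expressing it as that threshold minus a margin, or defining both as named constants side by side, keeps a later change to one from silently disabling nextnonce. Behaviourally this emits Authentication-Info on every request from the 540-second mark until the nonce goes stale, which is the RFC 7616 §3.5 pattern; a comment saying so would save the next reader from wondering whether it should fire only once.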
+-- 
+2.25.1
+
diff -Nru lighttpd-1.4.53/debian/patches/mod_auth-close-connection-after-bad-password.patch lighttpd-1.4.53/debian/patches/mod_auth-close-connection-after-bad-password.patch
--- lighttpd-1.4.53/debian/patches/mod_auth-close-connection-after-bad-password.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/mod_auth-close-connection-after-bad-password.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,45 @@
+From 8bddac9263aec30a214bc81b3f8f771944ede428 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Tue, 7 Jan 2020 01:14:12 -0500
+Subject: [PATCH] [mod_auth] close connection after bad password
+
+mitigation slows down brute force password attacks
+
+x-ref:
+  "Possible feature: authentication brute force hardening"
+  https://redmine.lighttpd.net/boards/3/topics/8885
+---
+ src/mod_auth.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/mod_auth.c b/src/mod_auth.c
+index 5dee41a..599f7b4 100644
+--- a/src/mod_auth.c
++++ b/src/mod_auth.c
+@@ -515,6 +515,7 @@ static handler_t mod_auth_check_basic(server *srv, connection *con, void *p_d, c
+ 	case HANDLER_ERROR:
+ 	default:
+ 		log_error_write(srv, __FILE__, __LINE__, "sbsBsB", "password doesn't match for", con->uri.path, "username:", username, ", IP:", con->dst_addr_buf);
++		con->keep_alive = 0; /*(disable keep-alive if bad password)*/
+ 		rc = HANDLER_UNSET;
+ 		break;
+ 	}
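Review bot: dropping keep-alive after a failed password makes each guess pay a new TCP (and, with TLS, handshake) round trip, which is a throttle rather than a limit; the existing log line already carries the IP and username, so log-driven rate limiting remains the effective control and the commit message could state that this only slows, not stops, brute force. The `default:` label is shared with `HANDLER_ERROR`, which the existing log message already treats as a password mismatch, so the comment is consistent with that.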
+@@ -733,6 +734,7 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d,
+ 		return HANDLER_FINISHED;
+ 	case HANDLER_ERROR:
+ 	default:
++		con->keep_alive = 0; /*(disable keep-alive if unknown user)*/
+ 		buffer_free(b);
+ 		return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 0);
+ 	}
+@@ -789,6 +791,7 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d,
+ 		/* digest not ok */
+ 		log_error_write(srv, __FILE__, __LINE__, "sssB",
+ 				"digest: auth failed for ", username, ": wrong password, IP:", con->dst_addr_buf);
++		con->keep_alive = 0; /*(disable keep-alive if bad password)*/
+ 
+ 		buffer_free(b);
+ 		return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 0);
+-- 
+2.25.1
+
diff -Nru lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-2975-2976.patch lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-2975-2976.patch
--- lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-2975-2976.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-2975-2976.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,112 @@
+From 0e749c1c84326a51f0f8a80c6db49c31c8e920ab Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sun, 8 Sep 2019 18:26:58 -0400
+Subject: [PATCH] [mod_auth] http_auth_const_time_memeq() (#2975, #2976)
+
+use constant time comparison when comparing digests
+
+(mitigation for brute-force timing attacks against digests
+ generated using the same nonce)
+
+x-ref:
+  "Digest auth nonces are not validated"
+  https://redmine.lighttpd.net/issues/2976
+  "safe_memcmp new function proposal"
+  https://redmine.lighttpd.net/issues/2975
+---
+ src/http_auth.c       | 23 +++++++++++++++++++++++
+ src/http_auth.h       |  3 +++
+ src/mod_auth.c        |  2 +-
+ src/mod_authn_file.c  |  2 +-
+ src/mod_authn_mysql.c |  2 +-
+ 5 files changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/src/http_auth.c b/src/http_auth.c
+index fd6cbd8..360f469 100644
+--- a/src/http_auth.c
++++ b/src/http_auth.c
+@@ -51,6 +51,29 @@ void http_auth_backend_set (const http_auth_backend_t *backend)
+ }
+ 
+ 
++int http_auth_const_time_memeq (const void *a, const void *b, const size_t len)
++{
++    /* constant time memory compare, unless compiler figures it out
++     * (similar to mod_secdownload.c:const_time_memeq()) */
++    /* caller should prefer http_auth_const_time_memeq_pad()
++     * if not operating on digests, which have defined lengths */
++    /* Note: some libs provide similar funcs, e.g.
++     * OpenSSL:
++     *   int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len)
++     * Note: some OS provide similar funcs, e.g.
++     * OpenBSD: int timingsafe_bcmp(const void *b1, const void *b2, size_t len)
++     * NetBSD: int consttime_memequal(void *b1, void *b2, size_t len)
++     */
++    const volatile unsigned char * const av = (const unsigned char *)a;
++    const volatile unsigned char * const bv = (const unsigned char *)b;
++    int diff = 0;
++    for (size_t i = 0; i < len; ++i) {
++        diff |= (av[i] ^ bv[i]);
++    }
++    return (0 == diff);
++}
++
++
+ int http_auth_const_time_memeq_pad (const void *a, const size_t alen, const void *b, const size_t blen)
+ {
+     /* constant time memory compare, unless compiler figures it out
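Review bot: no unit test accompanies the new function (the diffstat lists only production sources) although src/t/ already hosts unit tests such as test_burl.c; a test covering equal, unequal and zero-length inputs documents the contract. The header comment should also state the precondition that both `a` and `b` are readable for `len` bytes, since nothing here stops at a NUL, and the `mod_auth.c` call site in this patch passes a client-supplied string with a fixed `HASHHEXLEN`.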
+diff --git a/src/http_auth.h b/src/http_auth.h
+index df8690a..efa6b1d 100644
+--- a/src/http_auth.h
++++ b/src/http_auth.h
+@@ -44,6 +44,8 @@ void http_auth_scheme_set (const http_auth_scheme_t *scheme);
+ const http_auth_backend_t * http_auth_backend_get (const buffer *name);
+ void http_auth_backend_set (const http_auth_backend_t *backend);
+ 
++int http_auth_const_time_memeq (const void *a, const void *b, size_t len);
++
+ int http_auth_const_time_memeq_pad (const void *a, size_t alen, const void *b, size_t blen);
+ 
+ void http_auth_setenv(connection *con, const char *username, size_t ulen, const char *auth_type, size_t alen);
+diff --git a/src/mod_auth.c b/src/mod_auth.c
+index 977b5c2..5dee41a 100644
+--- a/src/mod_auth.c
++++ b/src/mod_auth.c
+@@ -785,7 +785,7 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d,
+ 	li_MD5_Final(RespHash, &Md5Ctx);
+ 	CvtHex(RespHash, &a2);
+ 
+-	if (0 != strcmp(a2, respons)) {
++	if (!http_auth_const_time_memeq(a2, respons, HASHHEXLEN)) {
+ 		/* digest not ok */
+ 		log_error_write(srv, __FILE__, __LINE__, "sssB",
+ 				"digest: auth failed for ", username, ": wrong password, IP:", con->dst_addr_buf);
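Review bot: `strcmp(a2, respons)` stopped at the first NUL, so a `response=` value shorter than 32 hex digits simply mismatched; `http_auth_const_time_memeq(a2, respons, HASHHEXLEN)` reads 32 bytes of `respons` unconditionally. Please confirm that `respons`, parsed from the client's Authorization header, has already been checked to be exactly HASHHEXLEN characters before this point, or add a `strlen(respons) != HASHHEXLEN` rejection alongside the other auth-param validation; otherwise a short response value becomes a read past the end of the string.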
+diff --git a/src/mod_authn_file.c b/src/mod_authn_file.c
+index cd28bc0..352ba1a 100644
+--- a/src/mod_authn_file.c
++++ b/src/mod_authn_file.c
+@@ -296,7 +296,7 @@ static handler_t mod_authn_file_htdigest_basic(server *srv, connection *con, voi
+     li_MD5_Final(HA1, &Md5Ctx);
+ 
+     UNUSED(con);
+-    return (0 == memcmp(HA1, htdigest, sizeof(HA1))
++    return (http_auth_const_time_memeq(htdigest, HA1, sizeof(HA1))
+             && http_auth_match_rules(require, username->ptr, NULL, NULL))
+       ? HANDLER_GO_ON
+       : HANDLER_ERROR;
+diff --git a/src/mod_authn_mysql.c b/src/mod_authn_mysql.c
+index 3a41cd4..1ce10b8 100644
+--- a/src/mod_authn_mysql.c
++++ b/src/mod_authn_mysql.c
+@@ -380,7 +380,7 @@ static int mod_authn_mysql_password_cmp(const char *userpw, unsigned long userpw
+         /*(compare 16-byte MD5 binary instead of converting to hex strings
+          * in order to then have to do case-insensitive hex str comparison)*/
+         return (0 == http_auth_md5_hex2bin(userpw, 32 /*(userpwlen)*/, md5pw))
+-          ? memcmp(HA1, md5pw, sizeof(md5pw))
++          ? http_auth_const_time_memeq(HA1, md5pw, sizeof(md5pw)) ? 0 : 1
+           : -1;
+     }
+ 
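Review bot: the nested conditional `cond ? http_auth_const_time_memeq(...) ? 0 : 1 : -1` parses as intended (`cond ? (memeq ? 0 : 1) : -1`) but is hard to read; parenthesising the inner conditional, or splitting it into an `if (0 == http_auth_md5_hex2bin(...)) return http_auth_const_time_memeq(HA1, md5pw, sizeof(md5pw)) ? 0 : 1;` followed by `return -1;`, makes the three return values obvious to the next reader.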
+-- 
+2.25.1
+
diff -Nru lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-improvement.patch lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-improvement.patch
--- lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-improvement.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq-improvement.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,46 @@
+From ea6006944bc6de9eba8b9fa44cc326005bde5091 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sat, 7 Sep 2019 13:37:36 -0400
+Subject: [PATCH] [mod_auth] http_auth_const_time_memeq improvement
+
+employ volatile, which might matter with some compilers (or might not)
+explicitly check that string lengths match
+  (or else might match string where last char of short string matches
+   repeated chars in longer string)
+---
+ src/http_auth.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/src/http_auth.c b/src/http_auth.c
+index e9a64f60..d3d3f6dd 100644
+--- a/src/http_auth.c
++++ b/src/http_auth.c
+@@ -56,11 +56,22 @@ int http_auth_const_time_memeq (const char *a, const size_t alen, const char *b,
+     /* constant time memory compare, unless compiler figures it out
+      * (similar to mod_secdownload.c:const_time_memeq()) */
+     /* round to next multiple of 64 to avoid potentially leaking exact
+-     * password length when subject to high precision timing attacks) */
++     * password length when subject to high precision timing attacks)
++     * (not necessary when comparing digests, which have defined lengths)
++     */
++    /* Note: some libs provide similar funcs but might not obscure length, e.g.
++     * OpenSSL:
++     *   int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len)
++     * Note: some OS provide similar funcs but might not obscure length, e.g.
++     * OpenBSD: int timingsafe_bcmp(const void *b1, const void *b2, size_t len)
++     * NetBSD: int consttime_memequal(void *b1, void *b2, size_t len)
++     */
++    const volatile unsigned char * const av = (const unsigned char *)a;
++    const volatile unsigned char * const bv = (const unsigned char *)b;
+     size_t lim = ((alen >= blen ? alen : blen) + 0x3F) & ~0x3F;
+-    int diff = 0;
++    int diff = (alen != blen); /*(never match if string length mismatch)*/
+     for (size_t i = 0, j = 0; lim; --lim) {
+-        diff |= (a[i] ^ b[j]);
++        diff |= (av[i] ^ bv[j]);
+         i += (i < alen);
+         j += (j < blen);
+     }
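Review bot: once `lim` exceeds the shorter length the loop keeps reading `av[alen]` and `bv[blen]`, one byte past the stated lengths, because `i += (i < alen)` stops incrementing at `alen` rather than `alen - 1`. That is safe for the NUL-terminated strings the current callers pass (`CONST_BUF_LEN(password_buf)` and `strlen(pw)`), but it is an undocumented precondition, and the follow-on `_pad` rename widens the parameters to `const void *`, which invites binary callers. Either clamp the index to `alen - 1` (guarding `alen == 0`) or state in the comment that both inputs must be NUL-terminated. The early `diff = (alen != blen)` is the right place for the length check, since the loop still runs `lim` iterations either way.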
+-- 
+2.25.1
+
diff -Nru lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq_pad.patch lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq_pad.patch
--- lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq_pad.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/mod_auth-http_auth_const_time_memeq_pad.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,57 @@
+From 89dfbf14a5f9bb19bc89e9c29bffe2f5e8dcdcaa Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sun, 8 Sep 2019 18:25:39 -0400
+Subject: [PATCH] [mod_auth] http_auth_const_time_memeq_pad()
+
+rename http_auth_const_time_memeq() to http_auth_const_time_memeq_pad()
+for constant time padded comparison of strings of potentially different
+length
+---
+ src/http_auth.c      | 2 +-
+ src/http_auth.h      | 4 +++-
+ src/mod_authn_file.c | 2 +-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/http_auth.c b/src/http_auth.c
+index d3d3f6dd..24c2319a 100644
+--- a/src/http_auth.c
++++ b/src/http_auth.c
+@@ -51,7 +51,7 @@ void http_auth_backend_set (const http_auth_backend_t *backend)
+ }
+ 
+ 
+-int http_auth_const_time_memeq (const char *a, const size_t alen, const char *b, const size_t blen)
++int http_auth_const_time_memeq_pad (const void *a, const size_t alen, const void *b, const size_t blen)
+ {
+     /* constant time memory compare, unless compiler figures it out
+      * (similar to mod_secdownload.c:const_time_memeq()) */
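Review bot: the blob ids chain these patches in an order that differs from their alphabetical file names: `http_auth.c` goes e9a64f60 to d3d3f6dd in `-improvement`, d3d3f6dd to 24c2319a here, and fd6cbd8 to 360f469 in `-2975-2976` (whose hunk inserts the new function above an already renamed `http_auth_const_time_memeq_pad`), and `mod_auth.c` goes 977b5c2 to 5dee41a there and 5dee41a to 599f7b4 in `close-connection-after-bad-password`. debian/patches/series is not visible in this part of the debdiff; please confirm it lists `-improvement`, then `_pad`, then `-2975-2976`, then `close-connection`, or quilt will hit fuzz or rejects on the `http_auth_const_time_memeq` hunks.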
+diff --git a/src/http_auth.h b/src/http_auth.h
+index e652d71..df8690a 100644
+--- a/src/http_auth.h
++++ b/src/http_auth.h
+@@ -43,7 +43,8 @@ const http_auth_scheme_t * http_auth_scheme_get (const buffer *name);
+ void http_auth_scheme_set (const http_auth_scheme_t *scheme);
+ const http_auth_backend_t * http_auth_backend_get (const buffer *name);
+ void http_auth_backend_set (const http_auth_backend_t *backend);
+-int http_auth_const_time_memeq (const char *a, size_t alen, const char *b, size_t blen);
++
++int http_auth_const_time_memeq_pad (const void *a, size_t alen, const void *b, size_t blen);
+ 
+ void http_auth_setenv(connection *con, const char *username, size_t ulen, const char *auth_type, size_t alen);
+ 
+diff --git a/src/mod_authn_file.c b/src/mod_authn_file.c
+index db1a241..cd28bc0 100644
+--- a/src/mod_authn_file.c
++++ b/src/mod_authn_file.c
+@@ -394,7 +394,7 @@ static handler_t mod_authn_file_plain_basic(server *srv, connection *con, void *
+     mod_authn_file_patch_connection(srv, con, p);
+     rc = mod_authn_file_htpasswd_get(srv, p->conf.auth_plain_userfile, username, password_buf);
+     if (0 == rc) {
+-        rc = http_auth_const_time_memeq(CONST_BUF_LEN(password_buf), pw, strlen(pw)) ? 0 : -1;
++        rc = http_auth_const_time_memeq_pad(CONST_BUF_LEN(password_buf), pw, strlen(pw)) ? 0 : -1;
+     }
+     buffer_free(password_buf);
+     UNUSED(con);
+-- 
+2.25.1
+
diff -Nru lighttpd-1.4.53/debian/patches/mod_authn_gssapi-500-if-fail-to-delegate-creds-2967.patch lighttpd-1.4.53/debian/patches/mod_authn_gssapi-500-if-fail-to-delegate-creds-2967.patch
--- lighttpd-1.4.53/debian/patches/mod_authn_gssapi-500-if-fail-to-delegate-creds-2967.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/mod_authn_gssapi-500-if-fail-to-delegate-creds-2967.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,84 @@
+From e9440ecfdf2b9497f3ae720d6e5219fd0ad6b9f9 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sat, 7 Sep 2019 16:37:00 -0400
+Subject: [PATCH] [mod_authn_gssapi] 500 if fail to delegate creds (#2967)
+
+x-ref:
+  "mod_authn_gssapi requires delegation?"
+  https://redmine.lighttpd.net/issues/2967
+---
+ src/mod_authn_gssapi.c | 32 ++++++++++++++++++++++----------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/src/mod_authn_gssapi.c b/src/mod_authn_gssapi.c
+index 4439c3ba..7200408c 100644
+--- a/src/mod_authn_gssapi.c
++++ b/src/mod_authn_gssapi.c
+@@ -269,6 +269,13 @@ static int mod_authn_gssapi_create_krb5_ccache(server *srv, connection *con, plu
+  * HTTP auth Negotiate
+  */
+ 
++static handler_t mod_authn_gssapi_send_500_server_error (connection *con)
++{
++    con->http_status = 500;
++    con->mode = DIRECT;
++    return HANDLER_FINISHED;
++}
++
+ static handler_t mod_authn_gssapi_send_401_unauthorized_negotiate (connection *con)
+ {
+     con->http_status = 401;
+@@ -334,7 +341,7 @@ static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plu
+     gss_name_t client_name    = GSS_C_NO_NAME;
+ 
+     buffer *sprinc;
+-    int ret = 0;
++    handler_t rc = HANDLER_UNSET;
+ 
+     buffer *t_in = buffer_init();
+     if (!buffer_append_base64_decode(t_in, realm_str, strlen(realm_str), BASE64_STANDARD)) {
+@@ -421,19 +428,24 @@ static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plu
+         goto end;
+     }
+ 
+-    if (!(acc_flags & GSS_C_DELEG_FLAG)) {
+-        log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value);
+-        goto end;
+-    }
+-
+     /* check the allow-rules */
+     if (!http_auth_match_rules(require, token_out.value, NULL, NULL)) {
+         goto end;
+     }
+ 
+-    ret = mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred);
+-    if (ret)
+-        http_auth_setenv(con, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI"));
++    {
++        if (!(acc_flags & GSS_C_DELEG_FLAG)) {
++            log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value);
++            goto end;
++        }
++        else if (!mod_authn_gssapi_store_gss_creds(srv, con, p, token_out.value, client_cred)) {
++            rc = mod_authn_gssapi_send_500_server_error(con);
++            goto end;
++        }
++    }
++
++    http_auth_setenv(con, token_out.value, token_out.length, CONST_STR_LEN("GSSAPI"));
++    rc = HANDLER_GO_ON; /* success */
+ 
+     end:
+         buffer_free(t_in);
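Review bot: a failure to store delegated credentials now yields 500, while a missing GSS_C_DELEG_FLAG still falls through to `end:` with `rc == HANDLER_UNSET`, i.e. a 401 with a fresh Negotiate challenge. A client that authenticated correctly but did not delegate is thereby invited to retry with the same result; the log line explains why on the server side, but a 403 (or the same 500 path) would be a clearer signal to the client than a re-challenge. Also, the bare `{ ... }` block around the delegation check only reads sensibly together with the follow-up `option to store delegated creds` patch that turns it into `if (p->conf.auth_gssapi_store_creds)`; a one-line comment here would spare the next reader a search.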
+@@ -459,7 +471,7 @@ static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plu
+         if (token_out.length)
+             gss_release_buffer(&st_minor, &token_out);
+ 
+-        return ret ? HANDLER_GO_ON : mod_authn_gssapi_send_401_unauthorized_negotiate(con);
++        return rc != HANDLER_UNSET ? rc : mod_authn_gssapi_send_401_unauthorized_negotiate(con);
+ }
+ 
+ static handler_t mod_authn_gssapi_check (server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend)
+-- 
+2.25.1
+
diff -Nru lighttpd-1.4.53/debian/patches/mod_authn_gssapi-option-to-store-delegated-creds-fix.patch lighttpd-1.4.53/debian/patches/mod_authn_gssapi-option-to-store-delegated-creds-fix.patch
--- lighttpd-1.4.53/debian/patches/mod_authn_gssapi-option-to-store-delegated-creds-fix.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/mod_authn_gssapi-option-to-store-delegated-creds-fix.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,85 @@
+From 339064228589f8f76c905abd2de3e5f744539c86 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sat, 7 Sep 2019 17:59:21 -0400
+Subject: [PATCH] [mod_authn_gssapi] option to store delegated creds (fixes
+ #2967)
+
+default enabled for backwards compatibility; disable in future
+
+(thx lameventanas)
+
+x-ref:
+  "mod_authn_gssapi requires delegation?"
+  https://redmine.lighttpd.net/issues/2967
+---
+ src/mod_authn_gssapi.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/mod_authn_gssapi.c b/src/mod_authn_gssapi.c
+index 7200408c..b19c6287 100644
+--- a/src/mod_authn_gssapi.c
++++ b/src/mod_authn_gssapi.c
+@@ -41,6 +41,7 @@
+ typedef struct {
+     buffer *auth_gssapi_keytab;
+     buffer *auth_gssapi_principal;
++    unsigned short int auth_gssapi_store_creds;
+ } plugin_config;
+ 
+ typedef struct {
+@@ -101,6 +102,7 @@ SETDEFAULTS_FUNC(mod_authn_gssapi_set_defaults) {
+     config_values_t cv[] = {
+         { "auth.backend.gssapi.keytab",     NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
+         { "auth.backend.gssapi.principal",  NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },
++        { "auth.backend.gssapi.store-creds",NULL, T_CONFIG_BOOLEAN,T_CONFIG_SCOPE_CONNECTION },
+         { NULL,                             NULL, T_CONFIG_UNSET,  T_CONFIG_SCOPE_UNSET }
+     };
+ 
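Review bot: `auth.backend.gssapi.store-creds` is a new administrator-visible directive, but the diffstat touches only src/mod_authn_gssapi.c: there is no documentation or NEWS entry saying that it defaults to enabled for backwards compatibility and is expected to flip in a future release (as the commit message states). For a stable update in particular, the Debian changelog entry should name the new directive so that administrators who rely on delegated credentials know the knob exists before the default changes.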
+@@ -117,6 +119,9 @@ SETDEFAULTS_FUNC(mod_authn_gssapi_set_defaults) {
+ 
+         cv[0].destination = s->auth_gssapi_keytab;
+         cv[1].destination = s->auth_gssapi_principal;
++        cv[2].destination = &s->auth_gssapi_store_creds;
++        /* default enabled for backwards compatibility; disable in future */
++        s->auth_gssapi_store_creds = 1;
+ 
+         p->config_storage[i] = s;
+ 
+@@ -137,6 +142,7 @@ static int mod_authn_gssapi_patch_connection(server *srv, connection *con, plugi
+ 
+     PATCH(auth_gssapi_keytab);
+     PATCH(auth_gssapi_principal);
++    PATCH(auth_gssapi_store_creds);
+ 
+     /* skip the first, the global context */
+     for (i = 1; i < srv->config_context->used; i++) {
+@@ -154,6 +160,8 @@ static int mod_authn_gssapi_patch_connection(server *srv, connection *con, plugi
+                 PATCH(auth_gssapi_keytab);
+             } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.principal"))) {
+                 PATCH(auth_gssapi_principal);
++            } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.gssapi.store-creds"))) {
++                PATCH(auth_gssapi_store_creds);
+             }
+         }
+     }
+@@ -433,7 +441,7 @@ static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plu
+         goto end;
+     }
+ 
+-    {
++    if (p->conf.auth_gssapi_store_creds) {
+         if (!(acc_flags & GSS_C_DELEG_FLAG)) {
+             log_error_write(srv, __FILE__, __LINE__, "ss", "Unable to delegate credentials for user:", token_out.value);
+             goto end;
+@@ -731,6 +739,8 @@ static handler_t mod_authn_gssapi_basic(server *srv, connection *con, void *p_d,
+         goto end;
+     }
+ 
++    if (!p->conf.auth_gssapi_store_creds) goto end;
++
+     ret = krb5_cc_resolve(kcontext, "MEMORY:", &ret_ccache);
+     if (ret) {
+         mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_resolve", NULL, kcontext, ret);
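Review bot: the early `if (!p->conf.auth_gssapi_store_creds) goto end;` sits before `krb5_cc_resolve`, so with the option disabled the basic-auth path never creates the `MEMORY:` ccache. Please confirm that `ret` is 0 at this point (the preceding call just passed its own `goto end` error check) so that the code after `end:` treats the request as authenticated rather than failed, and that nothing after `end:` assumes `ret_ccache` was initialised.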
+-- 
+2.25.1
+
diff -Nru lighttpd-1.4.53/debian/patches/mod_authn_ldap-ldap_set_option-LDAP_OPT_RESTART-fixe.patch lighttpd-1.4.53/debian/patches/mod_authn_ldap-ldap_set_option-LDAP_OPT_RESTART-fixe.patch
--- lighttpd-1.4.53/debian/patches/mod_authn_ldap-ldap_set_option-LDAP_OPT_RESTART-fixe.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/mod_authn_ldap-ldap_set_option-LDAP_OPT_RESTART-fixe.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,49 @@
+From ae9cafecea3ca0786dfad260ca064fc824e5ccc9 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Mon, 27 May 2019 02:05:51 -0400
+Subject: [PATCH] [mod_authn_ldap] ldap_set_option LDAP_OPT_RESTART (fixes
+ #2940)
+
+ldap_set_option LDAP_OPT_RESTART to handle EINTR on SIGCHLD from CGI
+
+(ldap uses poll(), which is not restartable with sigaction SA_RESTART)
+
+x-ref:
+  "mod_authn_ldap/mod_cgi race condition, "Can't contact LDAP server""
+  https://redmine.lighttpd.net/issues/2940
+---
+ src/mod_authn_ldap.c   | 3 +++
+ src/mod_vhostdb_ldap.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/mod_authn_ldap.c b/src/mod_authn_ldap.c
+index 26191f5c..f95234bd 100644
+--- a/src/mod_authn_ldap.c
++++ b/src/mod_authn_ldap.c
+@@ -404,6 +404,9 @@ static LDAP * mod_authn_ldap_host_init(server *srv, plugin_config *s) {
+         return NULL;
+     }
+ 
++    /* restart ldap functions if interrupted by a signal, e.g. SIGCHLD */
++    ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON);
++
+     if (s->auth_ldap_starttls) {
+         /* if no CA file is given, it is ok, as we will use encryption
+          * if the server requires a CAfile it will tell us */
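Review bot: the return value of `ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON)` is ignored; OpenLDAP accepts it, but on a library that rejects the option the EINTR race this patch targets would silently remain, so logging a result other than `LDAP_OPT_SUCCESS` at debug level is worth the line. The identical three lines are added to mod_vhostdb_ldap.c in the next hunk of this patch, and both functions are even named `mod_authn_ldap_host_init`; a shared helper would keep the next such fix from landing in only one of them.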
+diff --git a/src/mod_vhostdb_ldap.c b/src/mod_vhostdb_ldap.c
+index e5362c40..234c2ba7 100644
+--- a/src/mod_vhostdb_ldap.c
++++ b/src/mod_vhostdb_ldap.c
+@@ -256,6 +256,9 @@ static LDAP * mod_authn_ldap_host_init(server *srv, vhostdb_config *s) {
+         return NULL;
+     }
+ 
++    /* restart ldap functions if interrupted by a signal, e.g. SIGCHLD */
++    ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON);
++
+     if (s->starttls) {
+         /* if no CA file is given, it is ok, as we will use encryption
+          * if the server requires a CAfile it will tell us */
+-- 
+2.25.1
+
diff -Nru lighttpd-1.4.53/debian/patches/mod_auth-require-digest-uri-match-original-URI.patch lighttpd-1.4.53/debian/patches/mod_auth-require-digest-uri-match-original-URI.patch
--- lighttpd-1.4.53/debian/patches/mod_auth-require-digest-uri-match-original-URI.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/mod_auth-require-digest-uri-match-original-URI.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,60 @@
+From c81bd354b258121f6491f44f924bc7c715bd9389 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sun, 8 Sep 2019 15:07:25 -0400
+Subject: [PATCH] [mod_auth] require digest uri= match original URI
+
+lighttpd requires a strict match between the request URI and the uri=
+auth-param provided in the Authenticate header.  lighttpd does not
+attempt to determine if different URIs are semantically equivalent.
+
+This commit removes a condition which permitted an Authenticate header
+with a uri= containing a query-string to be used with the request-uri
+which did not contain any query-string.  The condition was likely added
+in the original implementation which operated on lighttpd request.uri
+instead of the correct request.orig_uri (original URI sent to lighttpd).
+
+.
+
+HTTP Digest Access Authentication
+https://www.rfc-editor.org/rfc/rfc7616.txt
+
+3.4.6.  Various Considerations
+
+   The authenticating server MUST assure that the resource designated by
+   the "uri" parameter is the same as the resource specified in the
+   Request-Line; if they are not, the server SHOULD return a 400 Bad
+   Request error.  (Since this may be a symptom of an attack, server
+   implementers may want to consider logging such errors.)  The purpose
+   of duplicating information from the request URL in this field is to
+   deal with the possibility that an intermediate proxy may alter the
+   client's Request-Line.  This altered (but presumably semantically
+   equivalent) request would not result in the same digest as that
+   calculated by the client.
+
+x-ref:
+  "HTTP Digest Access Authentication"
+  https://www.rfc-editor.org/rfc/rfc7616.txt
+  "HTTP digest authentication not compatible with some clients"
+  https://redmine.lighttpd.net/issues/2974
+---
+ src/mod_auth.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/mod_auth.c b/src/mod_auth.c
+index 61d4c10c..49ab7a85 100644
+--- a/src/mod_auth.c
++++ b/src/mod_auth.c
+@@ -1076,9 +1076,7 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d,
+ 	 * uri sent in client request. */
+ 	{
+ 		const size_t ulen = strlen(uri);
+-		const size_t rlen = buffer_string_length(con->request.orig_uri);
+-		if (!buffer_is_equal_string(con->request.orig_uri, uri, ulen)
+-		    && !(rlen < ulen && 0 == memcmp(con->request.orig_uri->ptr, uri, rlen) && uri[rlen] == '?')) {
++		if (!buffer_is_equal_string(con->request.orig_uri, uri, ulen)) {
+ 			log_error_write(srv, __FILE__, __LINE__, "sbsssB",
+ 					"digest: auth failed: uri mismatch (", con->request.orig_uri, "!=", uri, "), IP:", con->dst_addr_buf);
+ 			buffer_free(b);
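Review bot: with the `rlen` fallback removed, the only check left is the exact byte comparison `buffer_is_equal_string(con->request.orig_uri, uri, ulen)`, which matches the strict behaviour the commit message describes and also drops the now-unused `rlen`. What the hunk does not show is the status returned after `buffer_free(b);`: RFC 7616 3.4.6, quoted in the message, says the server SHOULD answer a mismatch with 400 Bad Request, so please confirm whether this path yields 400 or a fresh 401 challenge and state it in the commit message, since clients that send a uri= with a query-string for a request-URI without one will now hit it. The log line already includes `con->dst_addr_buf`, which covers the RFC's suggestion to log such mismatches.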
+-- 
+2.25.1
+
diff -Nru lighttpd-1.4.53/debian/patches/mod_openssl-reject-invalid-ALPN.patch lighttpd-1.4.53/debian/patches/mod_openssl-reject-invalid-ALPN.patch
--- lighttpd-1.4.53/debian/patches/mod_openssl-reject-invalid-ALPN.patch	1969-12-31 19:00:00.000000000 -0500
+++ lighttpd-1.4.53/debian/patches/mod_openssl-reject-invalid-ALPN.patch	2020-03-21 19:30:00.000000000 -0400
@@ -0,0 +1,25 @@
+From fa8856757c59e1ecea4dc1bd208a78c7e0a7eeea Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Wed, 16 Oct 2019 23:54:46 -0400
+Subject: [PATCH] [mod_openssl] reject invalid ALPN
+
+---
+ src/mod_openssl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mod_openssl.c b/src/mod_openssl.c
+index f9a4fe82..27015f9a 100644
+--- a/src/mod_openssl.c
++++ b/src/mod_openssl.c
+@@ -662,7 +662,7 @@ mod_openssl_alpn_select_cb (SSL *ssl, const unsigned char **out, unsigned char *
+ 
+     for (unsigned int i = 0, n; i < inlen; i += n) {
+         n = in[i++];
+-        if (i+n > inlen) break;
++        if (i+n > inlen || 0 == n) break;
+         switch (n) {
+          #if 0
+           case 2:  /* "h2" */
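Review bot: `if (i+n > inlen || 0 == n) break;` now stops the scan at the first zero-length ProtocolName; note that with `n == 0` the old loop still advanced (the `i++` in `n = in[i++]` moves one byte even when `i += n` adds nothing), so this hunk tightens validation of a malformed list rather than fixing a hang. Add a one-line comment that ProtocolName is 1..255 bytes per RFC 7301 so the `0 == n` test is not later removed as redundant, and state that `break` intentionally discards any well-formed entries after the empty one. The value the callback returns after the loop is outside this hunk, so it is worth confirming in the commit message that a malformed list ends in no protocol being selected rather than a default.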
+-- 
+2.25.1
+
diff -Nru lighttpd-1.4.53/debian/patches/series lighttpd-1.4.53/debian/patches/series
--- lighttpd-1.4.53/debian/patches/series	2019-04-13 00:00:00.000000000 -0400
+++ lighttpd-1.4.53/debian/patches/series	2020-03-21 19:30:00.000000000 -0400
@@ -3,3 +3,25 @@
 core-fix-assertion-with-server.error-handler-fixes-2.patch
 mod_wstunnel-fix-ping-interval-for-big-endian-fixes-.patch
 core-fix-abort-in-http-parseopts-fixes-2945.patch
+core-remove-repeated-slashes-in-http-parseopts.patch
+core-fix-1.4.52-regression-in-mem-use-with-POST-fixe.patch
+core-200-for-OPTIONS-non-existent-path-HTTP-1.1-fixe.patch
+core-use-high-precision-stat-timestamp-in-etag.patch
+mod_authn_ldap-ldap_set_option-LDAP_OPT_RESTART-fixe.patch
+core-allocate-unix-socket-paths-with-SUN_LEN-1-fixes.patch
+core-issue-config-error-for-invalid-fixes-2980.patch
+mod_authn_gssapi-500-if-fail-to-delegate-creds-2967.patch
+mod_authn_gssapi-option-to-store-delegated-creds-fix.patch
+mod_auth-require-digest-uri-match-original-URI.patch
+mod_auth-Authentication-Info-nextnonce.patch
+mod_auth-http_auth_const_time_memeq-improvement.patch
+mod_auth-http_auth_const_time_memeq_pad.patch
+mod_auth-http_auth_const_time_memeq-2975-2976.patch
+core-reject-WS-following-header-field-name-fixes-298.patch
+core-reject-Transfer-Encoding-Content-Length-2985.patch
+mod_openssl-reject-invalid-ALPN.patch
+mod_accesslog-parse-multiple-cookies-fixes-2986.patch
+core-preserve-2b-and-2B-in-query-string-fixes-2999.patch
+mod_auth-close-connection-after-bad-password.patch
+core-do-not-accept-server.max-connections.patch
+config-update-var-run-run-for-systemd.patch
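Review bot: several names added to series are truncated by git format-patch's filename limit (`core-fix-1.4.52-regression-in-mem-use-with-POST-fixe.patch`, `mod_authn_ldap-ldap_set_option-LDAP_OPT_RESTART-fixe.patch`, `core-reject-WS-following-header-field-name-fixes-298.patch`), which in the last case cuts off the issue number that ties the patch to the changelog; consider renaming them to carry the full reference before upload. Order also matters here: by their names the three `mod_auth-http_auth_const_time_memeq*` patches and the two `mod_authn_gssapi-*` patches build on one another, so the sequence in series must follow the upstream commit order or the later ones will not apply cleanly.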