
Bug#961843: marked as done (buster-pu: package lighttpd/1.4.53-4)



Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id <d50ba4de424290cd2840a09ef19950156fcf51ab.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #961843,
regarding buster-pu: package lighttpd/1.4.53-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
961843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961843
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Maintainer,

Greetings!  I am an upstream maintainer of lighttpd.

Please accept this backport of important patches from
  lighttpd 1.4.54 (released 2019.05.27)
  lighttpd 1.4.55 (released 2020.01.31)

The patches to backport have been hand-selected from the release
available in buster-backports lighttpd 1.4.55-1~bpo10+1 since 2020.03.06

These patches fix important bugs from upstream lighttpd issue tracker
  https://redmine.lighttpd.net/issues  (direct links below)
including a couple in the Debian Bug Tracker
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954759
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929203

From the debian/changelog:
  * backport security, bug, portability fixes from lighttpd 1.4.54, 1.4.55
    + mod_evhost, mod_flv_streaming:
      [regression] %0 pattern does not match hostnames without the domain part
      https://redmine.lighttpd.net/issues/2932
    + mod_magnet: Lighttpd crashes on wrong return type in lua script
      https://redmine.lighttpd.net/issues/2938
    + failed assertion on incoming bad request with server.error-handler
      https://redmine.lighttpd.net/issues/2941
    + mod_wstunnel: fix wstunnel.ping-interval for big-endian architectures
      https://redmine.lighttpd.net/issues/2944
    + fix abort in server.http-parseopts with url-path-2f-decode enabled
      https://redmine.lighttpd.net/issues/2945
    + remove repeated slashes in server.http-parseopts with url-path-dotseg-remove, including leading "//"
    + [regression][Bisected] lighttpd uses way more memory with POST since 1.4.52
      https://redmine.lighttpd.net/issues/2948 (closes: #954759)
    + OPTIONS should return 2xx status for non-existent resources if Allow is set
      https://redmine.lighttpd.net/issues/2939
    + use high precision stat timestamp (on systems where available) in etag
    + mod_authn_ldap/mod_cgi race condition, "Can't contact LDAP server"
      https://redmine.lighttpd.net/issues/2940
    + SUN_LEN in sock_addr.c (1.4.53, 1.4.54)
      https://redmine.lighttpd.net/issues/2962
    + Embedded vim command line in conf file with no comment (#) hangs server
      https://redmine.lighttpd.net/issues/2980
    + mod_authn_gssapi: 500 if fail to delegate creds
      https://redmine.lighttpd.net/issues/2967
    + mod_authn_gssapi: option to store delegated creds
      https://redmine.lighttpd.net/issues/2967
    + mod_auth: require digest uri= match original URI
      HTTP digest authentication not compatible with some clients
      https://redmine.lighttpd.net/issues/2974
    + mod_auth: send Authentication-Info nextnonce when nonce is approaching expiration
    + mod_auth: http_auth_const_time_memeq improvement
    + mod_auth: http_auth_const_time_memeq_pad()
    + mod_auth: use constant time comparison when comparing digests
    + stricter request header parsing: reject WS following header field-name
      https://redmine.lighttpd.net/issues/2985
    + stricter request header parsing: reject Transfer-Encoding + Content-Length
      https://redmine.lighttpd.net/issues/2985
    + mod_openssl: reject invalid ALPN
    + mod_accesslog: parse multiple cookies
      https://redmine.lighttpd.net/issues/2986
    + preserve %2b and %2B in query string
      https://redmine.lighttpd.net/issues/2999
    + mod_auth: close connection after bad password
      mitigation slows down brute force password attacks
      https://redmine.lighttpd.net/boards/3/topics/8885
    + do not accept() > server.max-connections
    + update /var/run -> /run for systemd (closes: #929203)

debdiff attached.  I think it may be easier to review the contents of
the files in debian/patches to see that the patches are generally small.

Please advise how best to proceed.
Thank you!  Glenn

-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Attachment: lighttpd-1.4.53-4+deb10u1.diff.xz
Description: application/xz


--- End Message ---
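Two of the backported items above, "reject WS following header field-name" and "reject Transfer-Encoding + Content-Length", are request-smuggling mitigations. The following is an added illustration of what such a strict header check looks like; it is not lighttpd's code, and the function name `check_request_headers`, the result codes and the sample header blocks are all constructed here for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Result of checking one request header block (hypothetical helper). */
enum hdr_check {
    HDR_OK = 0,
    HDR_BAD_LINE,        /* line has no ':' or an empty field-name */
    HDR_WS_AFTER_NAME,   /* whitespace between field-name and ':' */
    HDR_TE_AND_CL        /* Transfer-Encoding and Content-Length both present */
};

/* Walk the header lines that follow the request line. Lines end in "\r\n"
 * and the block ends at an empty line. Returns HDR_OK or the first
 * violation found. Constructed example, not the lighttpd parser. */
enum hdr_check check_request_headers(const char *headers)
{
    int seen_te = 0, seen_cl = 0;
    const char *line = headers;

    while (*line != '\0') {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0)
            break;                       /* empty line: end of header block */

        const char *colon = memchr(line, ':', len);
        if (colon == NULL || colon == line)
            return HDR_BAD_LINE;

        /* RFC 7230 3.2.4: no whitespace is allowed between the field-name
         * and the colon; servers that tolerate it can be made to disagree
         * with an upstream proxy about where a header ends. */
        if (isspace((unsigned char)colon[-1]))
            return HDR_WS_AFTER_NAME;

        size_t nlen = (size_t)(colon - line);   /* field-name length */
        if (nlen == 17 && strncasecmp(line, "Transfer-Encoding", 17) == 0)
            seen_te = 1;
        else if (nlen == 14 && strncasecmp(line, "Content-Length", 14) == 0)
            seen_cl = 1;

        line = eol ? eol + 2 : line + len;
    }

    /* RFC 7230 3.3.3: a request carrying both framing headers is ambiguous
     * between hops, so a strict parser rejects it outright. */
    if (seen_te && seen_cl)
        return HDR_TE_AND_CL;
    return HDR_OK;
}

int main(void)
{
    /* Constructed sample header blocks. */
    const char *clean = "Host: example.test\r\nContent-Length: 5\r\n\r\n";
    const char *space = "Host : example.test\r\n\r\n";
    const char *both  = "Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n";

    printf("clean=%d space=%d both=%d\n",
           check_request_headers(clean),
           check_request_headers(space),
           check_request_headers(both));
    return 0;
}
```

The check is deliberately a reject-on-first-violation pass: the point of the upstream change is that an ambiguous request never reaches backend handling, not that the server guesses which framing the client meant.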
--- Begin Message ---
Package: release.debian.org
Version: 10.6

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
