Hello community,
here is the log from the commit of package lighttpd for openSUSE:11.4
checked in at Mon Jan 30 23:59:53 CET 2012.
--------
--- old-versions/11.4/all/lighttpd/lighttpd.changes 2010-04-22 13:55:48.000000000 +0200
+++ 11.4/lighttpd/lighttpd.changes 2012-01-27 12:19:47.000000000 +0100
@@ -1,0 +2,13 @@
+Fri Jan 27 11:18:04 UTC 2012 - mrueckert@suse.de
+
+- added lighttpd-1.4.26_honor_cipher_order.patch:
+ [ssl] add option to honor server cipher order, true by default
+ (fixes lighttpd#2364)
+
+-------------------------------------------------------------------
+Wed Dec 21 17:54:06 UTC 2011 - mrueckert@suse.de
+
+- added lighttpd-1.4.x_mod_auth_signedness_error.patch:
+ Fix a small signedness error in mod_auth CVE-2011-4362 (bnc#733607)
+
+-------------------------------------------------------------------
Package does not exist at destination yet. Using Fallback old-versions/11.4/all/lighttpd
Destination is old-versions/11.4/UPDATES/all/lighttpd
calling whatdependson for 11.4-i586
New:
----
lighttpd-1.4.26_honor_cipher_order.patch
lighttpd-1.4.x_mod_auth_signedness_error.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ lighttpd.spec ++++++
--- /var/tmp/diff_new_pack.gEQPoC/_old 2012-01-30 23:59:12.000000000 +0100
+++ /var/tmp/diff_new_pack.gEQPoC/_new 2012-01-30 23:59:12.000000000 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package lighttpd (Version 1.4.26)
+# spec file for package lighttpd
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
Name: lighttpd
Version: 1.4.26
-Release: 2
+Release: 6.<RELEASE7>
#
%define pkg_name lighttpd
%define pkg_user lighttpd
@@ -92,6 +92,8 @@
Source7: lighttpd.logrotate
Patch: lighttpd-1.4.13_geoip.patch
Patch1: lighttpd-ssl-retval-fix.patch
+Patch2: lighttpd-1.4.x_mod_auth_signedness_error.patch
+Patch3: lighttpd-1.4.26_honor_cipher_order.patch
#
Summary: A Secure, Fast, Compliant, and Very Flexible Web Server
@@ -284,6 +286,8 @@
%patch
%endif
%patch1 -p1
+%patch2 -p1
+%patch3 -p1
%build
%if 0%{?with_geoip}
++++++ lighttpd-1.4.26_honor_cipher_order.patch ++++++
commit 687b52298d7d87a5ce0919f34a1666724a709c88
Author: Stefan Bühler
Date: Wed Nov 30 19:59:24 2011 +0000
[ssl] add option to honor server cipher order, true by default (fixes #2364)
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2810 152afb58-edef-0310-8abb-c4023f1b3aa9
Conflicts:
NEWS
doc/config/lighttpd.conf
src/base.h
src/configfile.c
diff --git a/src/base.h b/src/base.h
index 4243bd2..9d4efa0 100644
--- a/src/base.h
+++ b/src/base.h
@@ -275,6 +275,7 @@ typedef struct {
buffer *ssl_pemfile;
buffer *ssl_ca_file;
buffer *ssl_cipher_list;
+ unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
unsigned short ssl_use_sslv2;
unsigned short ssl_verifyclient;
unsigned short ssl_verifyclient_enforce;
diff --git a/src/configfile.c b/src/configfile.c
index 3037185..1137825 100644
--- a/src/configfile.c
+++ b/src/configfile.c
@@ -100,6 +100,7 @@ static int config_insert(server *srv) {
{ "ssl.verifyclient.depth", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_SERVER }, /* 58 */
{ "ssl.verifyclient.username", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 59 */
{ "ssl.verifyclient.exportcert", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 60 */
+ { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 61 */
{ "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
{ "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
{ "server.virtual-root", "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@@ -168,6 +169,7 @@ static int config_insert(server *srv) {
s->max_write_idle = 360;
s->use_xattr = 0;
s->is_ssl = 0;
+ s->ssl_honor_cipher_order = 1;
s->ssl_use_sslv2 = 0;
s->use_ipv6 = 0;
s->defer_accept = 0;
@@ -231,6 +233,7 @@ static int config_insert(server *srv) {
cv[47].destination = s->ssl_cipher_list;
cv[48].destination = &(s->ssl_use_sslv2);
+ cv[61].destination = &(s->ssl_honor_cipher_order);
cv[49].destination = &(s->etag_use_inode);
cv[50].destination = &(s->etag_use_mtime);
cv[51].destination = &(s->etag_use_size);
@@ -319,6 +322,7 @@ int config_setup_connection(server *srv, connection *con) {
#endif
PATCH(ssl_ca_file);
PATCH(ssl_cipher_list);
+ PATCH(ssl_honor_cipher_order);
PATCH(ssl_use_sslv2);
PATCH(etag_use_inode);
PATCH(etag_use_mtime);
@@ -383,6 +387,8 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) {
#endif
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
PATCH(ssl_ca_file);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
+ PATCH(ssl_honor_cipher_order);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
PATCH(ssl_use_sslv2);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) {
diff --git a/src/network.c b/src/network.c
index b362129..be452a6 100644
--- a/src/network.c
+++ b/src/network.c
@@ -539,6 +539,10 @@ int network_init(server *srv) {
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
+
+ if (s->ssl_honor_cipher_order) {
+ SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
}
if (!buffer_is_empty(s->ssl_ca_file)) {
++++++ lighttpd-1.4.x_mod_auth_signedness_error.patch ++++++
commit 1adaac589ced706e1badd751f54390086b1d0767
Author: Marcus Rückert
Date: Tue Dec 20 13:08:51 2011 +0100
- merge 6c9dff7cda6593d9a566413347dd5adfe80c86a8
[mod_auth] Fix signedness error in http_auth (fixes #2370,
CVE-2011-4362)
diff --git a/src/http_auth.c b/src/http_auth.c
index 0c0c4a5..6609dc7 100644
--- a/src/http_auth.c
+++ b/src/http_auth.c
@@ -89,7 +89,7 @@ static unsigned char * base64_decode(buffer *out, const char *in) {
ch = in[0];
/* run through the whole string, converting as we go */
for (i = 0; i < in_len; i++) {
- ch = in[i];
+ ch = (unsigned char) in[i];
if (ch == '\0') break;
diff --git a/tests/mod-auth.t b/tests/mod-auth.t
index 475a5f6..89ead9d 100755
--- a/tests/mod-auth.t
+++ b/tests/mod-auth.t
@@ -8,7 +8,7 @@ BEGIN {
use strict;
use IO::Socket;
-use Test::More tests => 14;
+use Test::More tests => 15;
use LightyTest;
my $tf = LightyTest->new();
@@ -25,6 +25,14 @@ ok($tf->handle_http($t) == 0, 'Missing Auth-token');
$t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
+ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token');
+
+$t->{REQUEST} = ( <