commit lighttpd for openSUSE:11.4

30 Jan 2012

Hello community,

here is the log from the commit of package lighttpd for openSUSE:11.4
checked in at Mon Jan 30 23:59:53 CET 2012.



--------
--- old-versions/11.4/all/lighttpd/lighttpd.changes	2010-04-22 13:55:48.000000000 +0200
+++ 11.4/lighttpd/lighttpd.changes	2012-01-27 12:19:47.000000000 +0100
@@ -1,0 +2,13 @@
+Fri Jan 27 11:18:04 UTC 2012 - mrueckert@suse.de
+
+- added lighttpd-1.4.26_honor_cipher_order.patch:
+  [ssl] add option to honor server cipher order, true by default
+  (fixes lighttpd#2364)
+
+-------------------------------------------------------------------
+Wed Dec 21 17:54:06 UTC 2011 - mrueckert@suse.de
+
+- added lighttpd-1.4.x_mod_auth_signedness_error.patch:
+  Fix a small signedness error in mod_auth CVE-2011-4362 (bnc#733607)
+
+-------------------------------------------------------------------

Package does not exist at destination yet. Using Fallback old-versions/11.4/all/lighttpd
Destination is old-versions/11.4/UPDATES/all/lighttpd
calling whatdependson for 11.4-i586


New:
----
  lighttpd-1.4.26_honor_cipher_order.patch
  lighttpd-1.4.x_mod_auth_signedness_error.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lighttpd.spec ++++++
--- /var/tmp/diff_new_pack.gEQPoC/_old	2012-01-30 23:59:12.000000000 +0100
+++ /var/tmp/diff_new_pack.gEQPoC/_new	2012-01-30 23:59:12.000000000 +0100
@@ -1,7 +1,7 @@
 #
-# spec file for package lighttpd (Version 1.4.26)
+# spec file for package lighttpd
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 
 Name:           lighttpd
 Version:        1.4.26
-Release:        2
+Release:        6.<RELEASE7>
 #
 %define pkg_name lighttpd
 %define pkg_user lighttpd
@@ -92,6 +92,8 @@
 Source7:        lighttpd.logrotate
 Patch:          lighttpd-1.4.13_geoip.patch
 Patch1:         lighttpd-ssl-retval-fix.patch
+Patch2:         lighttpd-1.4.x_mod_auth_signedness_error.patch
+Patch3:         lighttpd-1.4.26_honor_cipher_order.patch
 #
 Summary:        A Secure, Fast, Compliant, and Very Flexible Web Server
 
@@ -284,6 +286,8 @@
 %patch
 %endif
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 %if 0%{?with_geoip}

++++++ lighttpd-1.4.26_honor_cipher_order.patch ++++++
commit 687b52298d7d87a5ce0919f34a1666724a709c88
Author: Stefan Bühler 
Date:   Wed Nov 30 19:59:24 2011 +0000

    [ssl] add option to honor server cipher order, true by default (fixes #2364)
    
    git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2810 152afb58-edef-0310-8abb-c4023f1b3aa9
    
    Conflicts:
    
    	NEWS
    	doc/config/lighttpd.conf
    	src/base.h
    	src/configfile.c

diff --git a/src/base.h b/src/base.h
index 4243bd2..9d4efa0 100644
--- a/src/base.h
+++ b/src/base.h
@@ -275,6 +275,7 @@ typedef struct {
 	buffer *ssl_pemfile;
 	buffer *ssl_ca_file;
 	buffer *ssl_cipher_list;
+	unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
 	unsigned short ssl_use_sslv2;
 	unsigned short ssl_verifyclient;
 	unsigned short ssl_verifyclient_enforce;
diff --git a/src/configfile.c b/src/configfile.c
index 3037185..1137825 100644
--- a/src/configfile.c
+++ b/src/configfile.c
@@ -100,6 +100,7 @@ static int config_insert(server *srv) {
 		{ "ssl.verifyclient.depth",      NULL, T_CONFIG_SHORT,   T_CONFIG_SCOPE_SERVER },     /* 58 */
 		{ "ssl.verifyclient.username",   NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_SERVER },     /* 59 */
 		{ "ssl.verifyclient.exportcert", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },     /* 60 */
+		{ "ssl.honor-cipher-order",      NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },     /* 61 */
 		{ "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.virtual-root",         "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@@ -168,6 +169,7 @@ static int config_insert(server *srv) {
 		s->max_write_idle = 360;
 		s->use_xattr     = 0;
 		s->is_ssl        = 0;
+		s->ssl_honor_cipher_order = 1;
 		s->ssl_use_sslv2 = 0;
 		s->use_ipv6      = 0;
 		s->defer_accept  = 0;
@@ -231,6 +233,7 @@ static int config_insert(server *srv) {
 
 		cv[47].destination = s->ssl_cipher_list;
 		cv[48].destination = &(s->ssl_use_sslv2);
+		cv[61].destination = &(s->ssl_honor_cipher_order);
 		cv[49].destination = &(s->etag_use_inode);
 		cv[50].destination = &(s->etag_use_mtime);
 		cv[51].destination = &(s->etag_use_size);
@@ -319,6 +322,7 @@ int config_setup_connection(server *srv, connection *con) {
 #endif
 	PATCH(ssl_ca_file);
 	PATCH(ssl_cipher_list);
+	PATCH(ssl_honor_cipher_order);
 	PATCH(ssl_use_sslv2);
 	PATCH(etag_use_inode);
 	PATCH(etag_use_mtime);
@@ -383,6 +387,8 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) {
 #endif
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
 				PATCH(ssl_ca_file);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
+				PATCH(ssl_honor_cipher_order);
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
 				PATCH(ssl_use_sslv2);
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) {
diff --git a/src/network.c b/src/network.c
index b362129..be452a6 100644
--- a/src/network.c
+++ b/src/network.c
@@ -539,6 +539,10 @@ int network_init(server *srv) {
 						ERR_error_string(ERR_get_error(), NULL));
 				return -1;
 			}
+
+			if (s->ssl_honor_cipher_order) {
+				SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+			}
 		}
 
 		if (!buffer_is_empty(s->ssl_ca_file)) {
++++++ lighttpd-1.4.x_mod_auth_signedness_error.patch ++++++
commit 1adaac589ced706e1badd751f54390086b1d0767
Author: Marcus Rückert 
Date:   Tue Dec 20 13:08:51 2011 +0100

    - merge 6c9dff7cda6593d9a566413347dd5adfe80c86a8
      [mod_auth] Fix signedness error in http_auth (fixes #2370,
      CVE-2011-4362)

diff --git a/src/http_auth.c b/src/http_auth.c
index 0c0c4a5..6609dc7 100644
--- a/src/http_auth.c
+++ b/src/http_auth.c
@@ -89,7 +89,7 @@ static unsigned char * base64_decode(buffer *out, const char *in) {
 	ch = in[0];
 	/* run through the whole string, converting as we go */
 	for (i = 0; i < in_len; i++) {
-		ch = in[i];
+		ch = (unsigned char) in[i];
 
 		if (ch == '\0') break;
 
diff --git a/tests/mod-auth.t b/tests/mod-auth.t
index 475a5f6..89ead9d 100755
--- a/tests/mod-auth.t
+++ b/tests/mod-auth.t
@@ -8,7 +8,7 @@ BEGIN {
 
 use strict;
 use IO::Socket;
-use Test::More tests => 14;
+use Test::More tests => 15;
 use LightyTest;
 
 my $tf = LightyTest->new();
@@ -25,6 +25,14 @@ ok($tf->handle_http($t) == 0, 'Missing Auth-token');
 
 $t->{REQUEST}  = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
+ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token');
+
+$t->{REQUEST}  = ( <

    

commit lighttpd for openSUSE:11.4

root＠hilbert.suse.de