Hello community, here is the log from the commit of package lighttpd for openSUSE:Factory checked in at Tue Apr 20 02:27:58 CEST 2010. -------- --- lighttpd/lighttpd.changes 2008-11-24 17:40:13.000000000 +0100 +++ /mounts/work_src_done/STABLE/lighttpd/lighttpd.changes 2010-04-15 18:11:03.000000000 +0200 @@ -1,0 +2,330 @@ +Thu Apr 15 15:52:49 UTC 2010 - mt@suse.de + +- Applied patch fixing start failure with enabled SSL because + of not properly checked SSL_CTX_set_options() return value + (http://redmine.lighttpd.net/issues/2157). + +------------------------------------------------------------------- +Thu Feb 11 15:49:56 UTC 2010 - mrueckert@suse.de + +- update 1.4.26 + - Fix request parser to handle packets with splitted \r\n\r\n + (fixes #2105) + - Remove dependency on automake >= 1.11 with m4_ifdef check + - mod_accesslog: support %e (fixes #2113, thx presbrey) + - Fix mod_cgi cgi.execute-x-only option in global block + - mod_fastcgi: x-sendfile2 parse error debugging + - Fix mod_proxy dead host detection if connect() fails + - Fix fd leaks in mod_cgi (fds not closed on pipe/fork failures, + found by Rodrigo, fixes #2158, #2159) + - Fix segfault with broken rewrite/redirect patterns (fixes + #2140, found by crypt) + - Append to previous buffer in con read, fix DoS/OOM + vulnerability (fixes #2147, found by liming, CVE-2010-0295) + - Fix HUP detection in close-state if event-backend doesn't + support FDEVENT_HUP (like select or poll on FreeBSD) +- dropping fix-slow-request-dos-in-1.4.x.patch: + included in release + +------------------------------------------------------------------- +Mon Feb 1 17:54:57 CET 2010 - mrueckert@suse.de + +- added fix-slow-request-dos-in-1.4.x.patch: + fix a bug that makes lighttpd allocate too much memory + for handling a request. (bnc#573948) CVE-2010-0295 + +------------------------------------------------------------------- +Sun Nov 22 17:00:29 UTC 2009 - stbuehler@web.de + +- update 1.4.25 + - mod_magnet: fix pairs() for normal tables and strings (fixes + #1307) + - mod_magnet: add traceback for printing lua errors + - mod_rewrite: fix compile error if compiled without pcre + - disable warning "CLOSE-read" (fixes #2091) + - mod_rrdtool: fix creating file if it doesn't exist (#1788) + - reset tlsext_server_name in connection_reset - fixes random + hostnames in the $HTTP["host"] conditional + - export some SSL_CLIENT_* vars for client cert validation + (fixes #1288, thx presbrey) + - mod_fastcgi: fix mod_fastcgi packet parsing + - mod_fastcgi: Don't reconnect after connect() succeeded + (fixes #2096) + - Fix configure.ac to allow autoreconf, also enables make V=0 +- dropped lighttpd-1.4.24_mod_magnet_regression.patch: + included in update +- added lighttpd-configure_ac.patch: + - remove fancy options which are not supported in older + autoconf versions +- drop '-fi' option from autoreconf, so the libtool script + isn't overwritten (as the overwritten one was broken). + autoreconf is still needed for mod_geoip +- drop --with-webdav from ./configure (not an option) +- remove spawn-fcgi handling as it is removed from the source now +- remove ChangeLog from %docs (has been removed upstream) +- man page was moved from section 1 to 8 + +------------------------------------------------------------------- +Mon Oct 26 18:40:56 CET 2009 - mrueckert@suse.de + +- update 1.4.24 + - Add T_CONFIG_INT for bigger integers from the config + (needed for #1966) + - Use unsigned int (and T_CONFIG_INT) for max_request_size + - Use unsigned int for secdownload.timeout (fixes #1966) + - Keep url/host values from connection to display information + while keep-alive in mod_status (fixes #1202) + - Add server.breakagelog, a "special" stderr (fixes #1863) + - Fix config evaluation for debug.log-timeouts option (#1529) + - Add "cgi.execute-x-only" to mod_cgi, requires +x for cgi + scripts (fixes #2013) + - Fix FD_SETSIZE comparision warnings + - Add "lua-5.1" to searched pkg-config names for lua + - Fix unused function webdav_lockdiscovery in mod_webdav + - cmake: Fix crypt lib check + - cmake: Add -export-dynamic to link flags, fixes build on + FreeBSD + - Set FD_CLOEXEC for bound sockets before pipe-logger forks + (fixes #2026) + - Reset ignored signals to SIG_DFL before exec() in fastcgi/scgi + (fixes #2029) + - Show "no uri specified -> 400" error only when + "debug.log-request-header-on-error" is enabled (fixes #2030) + - Fix hanging connection in mod_scgi (fixes #2024) + - Allow digits in hostnames in more places (fixes #1148) + - Use connection_reset instead of handle_request_done for cleanup + callbacks + - Change mod_expire to append Cache-Control instead of + overwriting it (fixes #1997) + - Allow all comparisons for $SERVER["socket"] - only bind for + "==" + - Remove strptime failed message (fixes #2031) + - Fix issues found with clang analyzer + - Try to fix server.tag issue with localized svnversion + - Fix handling network-write return values (#2024) + - Use disable-time in fastcgi for all disables after errors, + default is 1sec (fixes #2040) + - Remove adaptive spawning code from fastcgi (was disabled for a + long time) + - Allow mod_mysql_vhost to use stored procedures (fixes #2011, + thx Ben Brown) + - Fix ipv6 in mod_proxy (fixes #2043) + - Print errors from include_shell to stderr + - Set tm.tm_isdst = 0 before mktime() (fixes #2047) + - Use linux-epoll by default if available (fixes #2021, thx Olaf + van der Spek) + - Print an error if you use too many captures in a regex pattern + (fixes #2059) + - Combine Cache-Control header value in mod_expire to existing + HTTP header if header already added by other modules + (fixes #2068) + - Remember keep-alive-idle in separate variable (fixes #1988) + - Fix header inclusion order, always include "config.h" before + any system header + - mod_webdav: Patch to skip login information for domain part of + Destination field (fixes #1793) + - mod_webdav: Delete old properties before updating new for MOVE + (fixes #1317) + - Read hostname from absolute uris in the request line + (fixes #1937) + - mod_fastcgi: don't disable backend if disable-time is 0 + (fixes #1825) + - mod_compress: match partial+full content-type (fixes #1552) + - mod_fastcgi: fix is_local detection, respawn backends if + bin-path is set (fixes #897) + - Fix linger-on-close behaviour to avoid rare failure conditions + (was r2636, fixes #657) + - mod_fastcgi: restart local procs immediately after they + terminated, fix local procs handling + - Fix segfault on invalid config "duplicate else conditions" + (fixes #2065) + - mod_usertrack: Use T_CONFIG_INT for max-age, solves range + problem (#1455) + - mod_accesslog: configurable timestamp logging (fixes #1479) + - always define _GNU_SOURCE + - Add some iterators for mod_magnet (fixes #1307) + - Fix close_timeout_ts trigger (should finally fix lingering + close) + - mod_rewrite: add url.rewrite-[repeat-]if-not-file to rewrite if + file doesn't exist or is not a regular file (fixes #985, thx + lucas aerbeydt) + - Add TLS servername indication (SNI) support (fixes #386, thx + Peter Colberg <peter@colberg.org>) + - Add SSL Client Certificate verification (#1288) + - mod_fastcgi: Fix host->active_procs counter, return 503 if + connect wasn't successful after 5 tries (fixes #1825) + - mod_accesslog: escape special characters (fixes #1551, thx icy) + - fix mod_webdav crash from #1793 (fixes #2084, thx hiroya) + - Don't print ssl error if client didn't support TLS SNI + - Fix linger close timeout handling, drop timeout to 5 seconds + (fixes #2086) + - Fix broken return values from int to enum in mod_fastcgi +- added lighttpd-1.4.24_mod_magnet_regression.patch: + * mod_magnet: fix pairs() for normal tables and strings + (fixes #1307) + * mod_magnet: add traceback for printing lua errors + +------------------------------------------------------------------- +Wed Jun 24 18:23:56 CEST 2009 - mrueckert@suse.de + +- update to 1.4.23 + - Added some extra warning options in cmake and fix the resulting + warnings (unused/static functions) + - New lighttpd man page (moved it to section 8) (fixes #1875) + - Create rrd file for empty rrdfile in mod_rrdtool (#1788) + - Fix workaround for incorrect path info/scriptname if fastcgi + prefix is "/" (fixes #729) + - Finally removed spawn-fcgi + - Allow xattr to overwrite mime type (fixes #1929) + - Remove link from errormsg about fastcgi apps (fixes #1942) + - Strip trailing dot from "Host:" header + - Remove the optional port info from SERVER_NAME (thx Mr_Bond) + - Fix mod_proxy RoundRobin (off by one problem if only one + backend is up) + - Rename configure.in to configure.ac, with small cleanups (fixes + #1932) + - Add proper SUID bit detection (fixes #416) + - Check for regular file in mod_cgi, so we don't try to start + directories + - Include mmap.h from chunk.h to fix some problems with #define + mmap mmap64 (fixes #1923) + - Add support for pipe logging for server.errorlog (fixes #296) + - Add revision number to package version for svn/git checkouts + - Use server.tag for SERVER_SOFTWARE if configured (fixes #357) + - Fix trailing zero char in REQUEST_URI after "strip-request-uri" + in mod_fastcgi + - mod_magnet: Add env["request.remote-ip"] (fixes #1740) + - mod_magnet: Add env["request.path-info"] ++++ 133 more lines (skipped) ++++ between lighttpd/lighttpd.changes ++++ and /mounts/work_src_done/STABLE/lighttpd/lighttpd.changes calling whatdependson for head-i586 Old: ---- lighttpd-1.4.20.tar.bz2 New: ---- lighttpd-1.4.26.tar.bz2 lighttpd-ssl-retval-fix.patch lighttpd_1.4.26-1.1~backport1.dsc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lighttpd.spec ++++++ --- /var/tmp/diff_new_pack.ovEA7U/_old 2010-04-20 02:27:34.000000000 +0200 +++ /var/tmp/diff_new_pack.ovEA7U/_new 2010-04-20 02:27:34.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package lighttpd (Version 1.4.20) +# spec file for package lighttpd (Version 1.4.26) # -# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,15 +19,15 @@ Name: lighttpd -Version: 1.4.20 -Release: 2 +Version: 1.4.26 +Release: 1 # %define pkg_name lighttpd %define pkg_user lighttpd %define pkg_home /var/lib/%{pkg_name} # Group: Productivity/Networking/Web/Servers -License: BSD 3-Clause +License: BSD3c # BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: FastCGI-devel e2fsprogs-devel fam-devel gdbm-devel libattr-devel libmemcache-devel libxml2-devel mysql-devel openldap2-devel pcre-devel pkgconfig pwdutils zlib-devel @@ -69,16 +69,17 @@ BuildRequires: php5-fastcgi %endif # -%if 0%{?suse_version} == 930 || 0%{?sles_version} == 9 +%if 0%{?suse_version} < 1000 BuildRequires: libstdc++-devel %endif %if 0%{?suse_version} > 1020 BuildRequires: libbz2-devel %endif -%if 0%{?suse_version} > 1000 +%if 0%{?suse_version} >= 1010 Recommends: logrotate %endif PreReq: %insserv_prereq %fillup_prereq pwdutils +Requires: spawn-fcgi # Url: http://www.lighttpd.net/ Source: http://www.lighttpd.net/download/%{pkg_name}-%{version}.tar.bz2 @@ -90,6 +91,7 @@ Source6: lighttpd-ssl.SuSEfirewall Source7: lighttpd.logrotate Patch: lighttpd-1.4.13_geoip.patch +Patch1: lighttpd-ssl-retval-fix.patch # Summary: A Secure, Fast, Compliant, and Very Flexible Web Server @@ -108,7 +110,7 @@ Jan Kneschke <jan@kneschke.de> %package mod_cml -License: BSD 3-Clause +License: BSD3c Requires: %{name} = %{version} Group: Productivity/Networking/Web/Servers Summary: CML (Cache Meta Language) module for Lighttpd @@ -137,7 +139,7 @@ Jan Kneschke <jan@kneschke.de> %package mod_magnet -License: BSD 3-Clause +License: BSD3c Requires: %{name} = %{version} Group: Productivity/Networking/Web/Servers Summary: A module to control the request handling in lighttpd @@ -154,7 +156,7 @@ Jan Kneschke <jan@kneschke.de> %package mod_mysql_vhost -License: BSD 3-Clause +License: BSD3c Requires: %{name} = %{version} Group: Productivity/Networking/Web/Servers Summary: MySQL based virtual hosts (vhosts) module for Lighttpd @@ -170,7 +172,7 @@ Jan Kneschke <jan@kneschke.de> %package mod_trigger_b4_dl -License: BSD 3-Clause +License: BSD3c Requires: %{name} = %{version} Group: Productivity/Networking/Web/Servers Summary: Another anti hot-linking module for Lighttpd @@ -197,7 +199,7 @@ Jan Kneschke <jan@kneschke.de> %package mod_rrdtool -License: BSD 3-Clause +License: BSD3c Requires: %{name} = %{version} Requires: rrdtool Group: Productivity/Networking/Web/Servers @@ -219,7 +221,7 @@ %if 0%{?with_geoip} %package mod_geoip -License: BSD 3-Clause +License: BSD3c Requires: %{name} = %{version} Group: Productivity/Networking/Web/Servers Summary: A Secure, Fast, Compliant, and Very Flexible Web Server @@ -244,7 +246,7 @@ %endif %package mod_webdav -License: BSD 3-Clause +License: BSD3c Requires: %{name} = %{version} Group: Productivity/Networking/Web/Servers Summary: WebDAV module for Lighttpd @@ -281,10 +283,11 @@ %if 0%{?with_geoip} %patch %endif +%patch1 -p1 %build %if 0%{?with_geoip} -autoreconf -fi +autoreconf %endif export CFLAGS="%{optflags} -DLDAP_DEPRECATED -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -std=gnu99" %if %suse_version > 1000 @@ -303,7 +306,6 @@ --with-lua \ --with-memcache \ --with-bzip2 \ - --with-webdav \ %if 0%{?with_enh_webdav} --with-webdav-props \ --with-webdav-locks \ @@ -443,9 +445,9 @@ %{_libdir}/%{pkg_name}/mod_status.so %{_libdir}/%{pkg_name}/mod_userdir.so %{_libdir}/%{pkg_name}/mod_usertrack.so -%{_mandir}/man1/*.1* +%{_mandir}/man8/*.8* %config(noreplace) %{_sysconfdir}/init.d/%{pkg_name} -%doc AUTHORS ChangeLog NEWS README +%doc AUTHORS NEWS README %doc doc/*.dot %doc doc/spawn-php.sh %doc doc/accesslog.txt @@ -512,6 +514,7 @@ %config(noreplace) %attr(640,root,%{pkg_user}) %{_sysconfdir}/%{pkg_name}/conf.d/trigger_b4_dl.conf %{_libdir}/%{pkg_name}/mod_trigger_b4_dl.so %doc doc/trigger_b4_dl.txt + %if 0%{?with_geoip} %files mod_geoip ++++++ lighttpd-1.4.20.tar.bz2 -> lighttpd-1.4.26.tar.bz2 ++++++ ++++ 98608 lines of diff (skipped) ++++++ lighttpd-ssl-retval-fix.patch ++++++ diff -purN orig/src/network.c lighttpd-1.4.25/src/network.c --- orig/src/network.c 2010-01-28 10:43:33.829209750 -0500 +++ lighttpd-1.4.25/src/network.c 2010-01-28 10:44:22.639208732 -0500 @@ -525,7 +525,7 @@ int network_init(server *srv) { if (!s->ssl_use_sslv2) { /* disable SSLv2 */ - if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) { + if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) { log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ERR_error_string(ERR_get_error(), NULL)); return -1; ++++++ lighttpd_1.4.26-1.1~backport1.dsc ++++++ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.0 Source: lighttpd Binary: lighttpd, lighttpd-doc, lighttpd-mod-mysql-vhost, lighttpd-mod-trigger-b4-dl, lighttpd-mod-cml, lighttpd-mod-magnet, lighttpd-mod-webdav Architecture: any Version: 1.4.26-1.1~backport1 Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org> Uploaders: Krzysztof Krzyżaniak (eloy) <eloy@debian.org>, Torsten Marek <shlomme@debian.org>, Franz Pletz <fpletz@franz-pletz.org>, Pierre Habouzit <madcoder@debian.org> Homepage: http://www.lighttpd.net Standards-Version: 3.8.3 Vcs-Svn: svn://svn.debian.org/pkg-lighttpd/lighttpd/trunk Build-Depends: debhelper (>= 5.0.0), cdbs, mime-support, libssl-dev, zlib1g-dev, libbz2-dev, libattr1-dev, libpcre3-dev, libmysqlclient-dev | libmysqlclient15-dev, libfam-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev, liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev, libxml2-dev, libkrb5-dev, perl Checksums-Sha1: c22642dc3616043293fb895b9f049b9270dbb2a0 780352 lighttpd_1.4.26.orig.tar.gz 6de3887a9d9c979fdebfc7f753936fd8aa59187e 21711 lighttpd_1.4.26-1.1~backport1.diff.gz Checksums-Sha256: 08fc11864a0ad6d2871f32e6d0b0eaeb070f78698a72959f812526173145986e 780352 lighttpd_1.4.26.orig.tar.gz 3d9568c90c5dd230adf175b00f7dece9801a380181b303bee85c42c788ef5cf3 21711 lighttpd_1.4.26-1.1~backport1.diff.gz Files: 3ce5be17a4dac3c384a8a452c664b840 780352 lighttpd_1.4.26.orig.tar.gz cffb18f22518d982a9567aefb327d607 21711 lighttpd_1.4.26-1.1~backport1.diff.gz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkty6hgACgkQgBIc0keWidjxIQCgkZaWH0g3pYnDiz3v+azp5AM4 XocAn0qJCxqT0DRrFgv3WRb2HLcFzLpN =IszI -----END PGP SIGNATURE----- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org