Hello community,
here is the log from the commit of package lighttpd for openSUSE:Factory checked in at 2013-10-06 14:29:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lighttpd (Old)
and /work/SRC/openSUSE:Factory/.lighttpd.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lighttpd"
Changes:
--------
--- /work/SRC/openSUSE:Factory/lighttpd/lighttpd.changes 2013-06-28 17:46:27.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.lighttpd.new/lighttpd.changes 2013-10-06 14:29:01.000000000 +0200
@@ -1,0 +2,35 @@
+Fri Sep 27 14:46:14 UTC 2013 - stbuehler@web.de
+
+- update to 1.4.33:
+ - mod_fastcgi: fix mix up of "mode" => "authorizer" in other fastcgi configs (fixes #2465, thx peex)
+ - fix handling of If-Modified-Since if If-None-Match is present (don't return 412 for date parsing errors);
+ follow current draft for HTTP/1.1, which tells us to ignore If-Modified-Since if we have matching etags.
+ - [mod_fastcgi,log] support multi line logging (fixes #2252)
+ - call ERR_clear_error only for ssl connections in CON_STATE_ERROR
+ - reject non ASCII characters in HTTP header names
+ - [mod_auth] use crypt() on encrypted password instead of extracting salt first (fixes #2483)
+ - [mod_auth] add htpasswd -s (SHA1) support if openssl is used (needs openssl for SHA1). This doesn't use any salt, md5 with salt is probably better.
+ - [mod_auth] fix base64_decode (#2484)
+ - fix some bugs found with canalyze (fixes #2484, thx Zhenbo Xu)
+ - fix undefined stuff found with clang
+ - [cmake] Use TARGET_LINK_LIBRARIES instead of LINK_FLAGS for library dependencies, also add -Wl,--as-needed to extra warnings (fixes #2448)
+ - [mod_auth] fix invalid read in digest qop=auth-int handling (fixes #2478)
+ - [auto* build] simplify autogen.sh, handle automake 1.13 test running (fixes #2490)
+ - [mod_userdir] add userdir.active option, "enabled" by default
+ - [core] return 501 Not Implemented in static file mode for all methods except GET/POST/HEAD/OPTIONS
+ - [core] recognize more http methods to forward to backends (fixes #2346)
+ - [ssl] use DH only if openssl supports it (fixes #2479)
+ - [network] use constants available at compile time for maximum number of chunks for writev instead of calling sysconf (fixes #2470)
+ - [ssl] Fix $HTTP["scheme"] conditional, could be "http" for ssl connections if the ssl $SERVER["socket"] conditional was nested (fixes #2501)
+ - [ssl] accept ssl renegotiations if they are not disabled (fixes #2491)
+ - [ssl] add option ssl.empty-fragments, defaulting to disabled (fixes #2492)
+ - [auth] put REMOTE_USER into cgi environment, making it accessible to lua via lighty.req_env (fixes #2495)
+ - [auth] new method "extern" to use already present REMOTE_USER (from magnet, ssl, ...) (fixes #2436)
+ - [core] remove requirement that default doc-root has to exist, there are reasonable scenarios not requiring static files at all
+ - [core] check whether server.chroot exists
+ - [mod_simple_vhost] fix cache; skip module if simple-vhost.server-root is empty (thx rm for reporting)
+ - [mod_accesslog] add accesslog.syslog-level option (fixes #2480)
+ - [core] allow files to be used as document-root (fixes #2475)
+ - [core] set signal handlers before forking child processes in modules/plugins_call_set_defaults (fixes #2502)
+
+-------------------------------------------------------------------
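Review bot: the new .changes entry only restates the upstream NEWS and records none of the packaging changes made in this submission: the upstream tarball switched from .tar.gz to .tar.xz (hence the new `BuildRequires: xz`, the renamed `Source` and the `%setup -n %{pkg_name}-%{pkg_version}`), and the Debian tarball moved to 1.4.33-0.1, which carries the CVE-2013-1427 change of the PHP FastCGI socket path out of /tmp and the removal of 10-access.conf. A short paragraph listing those lets a submit-request reviewer see what changed in the package without reading the spec diff.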
Old:
----
lighttpd_1.4.31-1.debian.tar.gz
lighttpd_1.4.32-0.1.debian.tar.gz
lighttpd_1.4.32-0.1.dsc
lighttpd_1.4.32.orig.tar.gz
New:
----
lighttpd_1.4.33-0.1.debian.tar.gz
lighttpd_1.4.33-0.1.dsc
lighttpd_1.4.33.orig.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ lighttpd.spec ++++++
--- /var/tmp/diff_new_pack.pUw1Fd/_old 2013-10-06 14:29:02.000000000 +0200
+++ /var/tmp/diff_new_pack.pUw1Fd/_new 2013-10-06 14:29:02.000000000 +0200
@@ -17,11 +17,13 @@
Name: lighttpd
-Version: 1.4.32
+Version: 1.4.33
Release: 0
#
%define pkg_name lighttpd
%define pkg_user lighttpd
+%define pkg_version 1.4.33
+%define deb_version 1.4.33
%define pkg_home /var/lib/%{pkg_name}
#
BuildRoot: %{_tmppath}/%{name}-%{version}-build
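Review bot: `%define pkg_version 1.4.33` and `%define deb_version 1.4.33` duplicate the `Version:` tag, so the next update has to be edited in three places and a missed one silently unpacks the wrong directory or tarball. Define them in terms of the tag, e.g. `%define pkg_version %{version}`, unless the Debian orig version is expected to diverge from the RPM version; if it is, a one-line comment saying so would stop the next packager from "fixing" it.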
@@ -40,6 +42,8 @@
BuildRequires: pkgconfig
BuildRequires: pwdutils
BuildRequires: zlib-devel
+# extract upstream tar.xz:
+BuildRequires: xz
#
%define with_tests 1
%define with_enh_webdav 1
@@ -94,7 +98,7 @@
#
Url: http://www.lighttpd.net/
# Source: http://www.lighttpd.net/download/%{pkg_name}-%{version}.tar.bz2
-Source: lighttpd_%{version}.orig.tar.gz
+Source: lighttpd_%{deb_version}.orig.tar.xz
Source1: %{pkg_name}.init
Source2: %{pkg_name}.sysconfig
Source4: lightytest.sh
@@ -102,7 +106,7 @@
Source6: lighttpd-ssl.SuSEfirewall
Source7: lighttpd.logrotate
# this is just dummy to pass the check for factory and still have one package for deb and rpm
-Source99: lighttpd_1.4.32-0.1.debian.tar.gz
+Source99: lighttpd_1.4.33-0.1.debian.tar.gz
Patch: lighttpd-1.4.13_geoip.patch
Patch1: lighttpd-automake.patch
# workaround -- disable parallel tests, broken with gcc 4.8
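Review bot: `Source99` still hard-codes `lighttpd_1.4.33-0.1.debian.tar.gz` while `Source` now derives its name from `%{deb_version}`, so the two tarballs can drift apart on the next bump. A `%define deb_release 0.1` plus `Source99: lighttpd_%{deb_version}-%{deb_release}.debian.tar.gz` keeps both names on the same macros, and the comment on the line above already admits the file is only there to satisfy the factory check, so nothing else depends on the literal name.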
@@ -291,7 +295,7 @@
Jan Kneschke
%prep
-%setup
+%setup -n %{pkg_name}-%{pkg_version}
%if 0%{?with_geoip}
%patch
%if 0%{?suse_version} > 1210
++++++ lighttpd_1.4.32-0.1.debian.tar.gz -> lighttpd_1.4.33-0.1.debian.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/NEWS new/debian/NEWS
--- old/debian/NEWS 2012-11-21 09:21:26.000000000 +0100
+++ new/debian/NEWS 2013-09-27 16:41:10.000000000 +0200
@@ -1,3 +1,21 @@
+lighttpd (1.4.31-4) unstable; urgency=high
+
+ The default Debian configuration file for PHP invoked from FastCGI was
+ vulnerable to local symlink attacks and race conditions when an attacker
+ manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3)
+ before the web server started. Possibly the web server could have been
+ tricked to use a forged PHP.
+
+ The problem lies in the configuration, thus this update will fix the problem
+ only if you did not modify the file /etc/lighttpd/conf-available/15-fastcgi-php.conf
+ If you did, dpkg will not overwrite your changes. Please make sure to set
+
+ "socket" => "/var/run/lighttpd/php.socket"
+
+ yourself in that case.
+
+ -- Arno Töll Thu, 14 Mar 2013 01:57:42 +0100
+
lighttpd (1.4.30-1) unstable; urgency=medium
This releases includes an option to force Lighttpd to honor the cipher order
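Review bot: the NEWS entry asks users who modified 15-fastcgi-php.conf to move the socket path themselves, but nothing in the upgrade path checks whether that happened; the postinst change elsewhere in this tarball diff only cleans up 10-access.conf. A check in postinst that looks for `/tmp/php.socket` in the enabled fastcgi-php configuration and prints a warning would make sure locally edited configurations do not silently keep the world-writable location this entry warns about.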
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/changelog new/debian/changelog
--- old/debian/changelog 2012-11-21 10:06:54.000000000 +0100
+++ new/debian/changelog 2013-09-27 16:41:10.000000000 +0200
@@ -1,15 +1,46 @@
-lighttpd (1.4.32-0.1) UNRELEASED; urgency=low
+lighttpd (1.4.33-0.1) unstable; urgency=low
* Non-maintainer upload.
- * New upstream release, fixing CVE-2012-5533
- * squeeze compatible hardening
+ * Imported Upstream version 1.4.33~rc1-r2901
+ * Fix problem with perl exec in test suite
+ * Imported Upstream version 1.4.33
+ + Drop patch for test suite - merged upstream
+
+ -- Stefan Bühler Fri, 27 Sep 2013 16:38:51 +0200
+
+lighttpd (1.4.32-0.2) UNRELEASED; urgency=low
+
+ * Non-maintainer upload.
+ * Arno Töll:
+ + Drop the connection-dos.patch - merged upstream.
+ + Fix "mod_extforward missing configuration file": ship requested
+ configuration file (Closes: #697304)
+ + Remove access.conf, an obsolete conffiles as we should have done since
+ 2010 (Closes: #703215)
+ + Push debhelper's compat mode to 9, the use of maintscript helper requires
+ 8.1 so we had to push the debhelper b-d anyway.
+
+ -- Stefan Bühler Fri, 30 Aug 2013 19:56:04 +0200
+
+lighttpd (1.4.31-4) unstable; urgency=high
+
+ * CVE-2013-1427: Switch the socket path for PHP when using FastCGI. /tmp is
+ world-writable which may cause security implications if an attacker
+ manages to control /tmp/php.socket before the web server (re-)starts.
+ * Switch VCS to git
+ * Push standards version (no changes)
+
+ -- Arno Töll Thu, 14 Mar 2013 02:20:07 +0100
+
+lighttpd (1.4.31-3) unstable; urgency=high
- Arno Töll:
* Fix "configuration files refer to wrong path for documentation"
by merging a patch supplied by Denis Laxalde
- (Closes: #676641)
+ (Closes: #676641)
+ * CVE-2012-5533: Fix Denial Of Service attacks against Lighttpd by sending
+ faulty Connection headers
- -- Stefan Bühler Wed, 21 Nov 2012 09:25:37 +0100
+ -- Arno Töll Wed, 21 Nov 2012 14:42:32 +0100
lighttpd (1.4.31-1) unstable; urgency=low
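Review bot: the `lighttpd (1.4.32-0.2) UNRELEASED` stanza sits in the middle of the released history, so the work listed there (compat 9, the maintscript, 11-extforward.conf, the access.conf removal) actually ships in 1.4.33-0.1 without being listed under that version, and because dpkg-genchanges only takes the topmost entry by default, the `Closes: #697304` and `Closes: #703215` in the unreleased stanza will not close those bugs on upload unless `-v` is passed. Fold those bullets into the 1.4.33-0.1 entry, keeping the Closes: references, and drop the 1.4.32-0.2 stanza.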
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/compat new/debian/compat
--- old/debian/compat 2012-11-21 09:21:26.000000000 +0100
+++ new/debian/compat 2013-09-27 16:41:10.000000000 +0200
@@ -1 +1 @@
-8
+9
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/conf-available/11-extforward.conf new/debian/conf-available/11-extforward.conf
--- old/debian/conf-available/11-extforward.conf 1970-01-01 01:00:00.000000000 +0100
+++ new/debian/conf-available/11-extforward.conf 2013-09-27 16:41:10.000000000 +0200
@@ -0,0 +1,6 @@
+# -*- depends: accesslog -*-
+
+server.modules += ( "mod_extforward" )
+
+# extforward.headers = ("X-Cluster-Client-Ip")
+# extforward.forwarder = ("10.0.0.232" => "trust")
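Review bot: shipping 11-extforward.conf with `extforward.forwarder` commented out is the right default, since mod_extforward only honours the forwarding header from addresses listed as trusted, but the comment should say that only the site's own reverse proxies belong in that list: for a trusted source the module replaces the client address used by accesslog and by `$HTTP["remoteip"]` conditionals with whatever the header says. It is also worth stating that the `extforward.headers` line is optional and only needed when the proxy uses a header other than the module's default.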
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/conf-available/15-fastcgi-php.conf new/debian/conf-available/15-fastcgi-php.conf
--- old/debian/conf-available/15-fastcgi-php.conf 2012-11-21 09:21:26.000000000 +0100
+++ new/debian/conf-available/15-fastcgi-php.conf 2013-09-27 16:41:10.000000000 +0200
@@ -6,7 +6,7 @@
fastcgi.server += ( ".php" =>
((
"bin-path" => "/usr/bin/php-cgi",
- "socket" => "/tmp/php.socket",
+ "socket" => "/var/run/lighttpd/php.socket",
"max-procs" => 1,
"bin-environment" => (
"PHP_FCGI_CHILDREN" => "4",
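Review bot: moving the socket to `/var/run/lighttpd/php.socket` closes the symlink and race window only if that directory exists, is owned by the lighttpd user and is not world-writable, and nothing in this diff shows where it is created (the init script is not touched here). Confirm that the init script creates /var/run/lighttpd with restrictive permissions before the FastCGI backend is spawned; otherwise the backend cannot bind the socket at start-up and PHP requests fail until the directory is created by hand.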
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/control new/debian/control
--- old/debian/control 2012-11-21 09:21:26.000000000 +0100
+++ new/debian/control 2013-09-27 16:41:10.000000000 +0200
@@ -6,17 +6,20 @@
Olaf van der Spek ,
Arno Töll
Homepage: http://lighttpd.net/
-Build-Depends: debhelper (>= 8), mime-support, libssl-dev,
+Build-Depends: debhelper (>= 9), mime-support, libssl-dev,
zlib1g-dev, libbz2-dev, libattr1-dev, libpcre3-dev, libmysqlclient-dev,
libfam-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev,
liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev,
- libxml2-dev, libkrb5-dev, perl
-Vcs-Svn: svn://svn.debian.org/pkg-lighttpd/lighttpd/trunk
-Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-lighttpd/lighttpd/trunk/
-Standards-Version: 3.9.3.1
+ libxml2-dev, libkrb5-dev, perl, dpkg-dev (>= 1.16.1~)
+Vcs-Git: git://git.debian.org/git/pkg-lighttpd/lighttpd.git
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-lighttpd/lighttpd.git
+Standards-Version: 3.9.4
Package: lighttpd
Architecture: any
+# Omitting this triggers a Lintian error
+# That's a false positive these days
+Pre-Depends: ${misc:Pre-Depends}
Depends: ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends},
lsb-base (>= 3.2-14) | systemd (>= 29.1), mime-support,
libterm-readline-perl-perl
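Review bot: the comment above `Pre-Depends: ${misc:Pre-Depends}` calls the Lintian error a false positive, but the pre-dependency is exactly what the new debian/lighttpd.maintscript needs: dh_installdeb fills `${misc:Pre-Depends}` with the dpkg version that provides dpkg-maintscript-helper, so `rm_conffile` can run in preinst during upgrades from systems with an older dpkg (the changelog itself notes that the maintscript helper is why debhelper had to go to 8.1+). Reword the comment to say that, so a later cleanup does not remove the line as dead weight.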
@@ -33,6 +36,7 @@
* authentication (plain files, htpasswd, LDAP)
* transparent content compression
* conditional configuration
+ * HTTP proxying
and configuration is straight-forward and easy.
Package: lighttpd-doc
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/gbp.conf new/debian/gbp.conf
--- old/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ new/debian/gbp.conf 2013-09-27 16:41:10.000000000 +0200
@@ -0,0 +1,2 @@
+[DEFAULT]
+pristine-tar = True
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/lighttpd.maintscript new/debian/lighttpd.maintscript
--- old/debian/lighttpd.maintscript 1970-01-01 01:00:00.000000000 +0100
+++ new/debian/lighttpd.maintscript 2013-09-27 16:41:10.000000000 +0200
@@ -0,0 +1 @@
+rm_conffile /etc/lighttpd/conf-available/10-access.conf 1.4.31-4 lighttpd
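Review bot: `rm_conffile ... 1.4.31-4` sets prior-version to 1.4.31-4, and dpkg-maintscript-helper only acts when the version being upgraded from is less than or equal to that, so an upgrade from 1.4.32-0.1 (the version this diff replaces, which the changelog places before the 1.4.32-0.2 entry that removed access.conf) leaves the obsolete conffile in place. The postinst uses `lt-nl "1.4.32-1"` for the related symlink cleanup; both thresholds should agree and cover 1.4.32-0.1. dpkg-maintscript-helper(1) recommends the version in which the conffile was removed with a trailing tilde, here `1.4.33-0.1~`.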
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/lighttpd.postinst new/debian/lighttpd.postinst
--- old/debian/lighttpd.postinst 2012-11-21 09:21:26.000000000 +0100
+++ new/debian/lighttpd.postinst 2013-09-27 16:41:10.000000000 +0200
@@ -8,6 +8,14 @@
then
cp /usr/share/lighttpd/index.html /var/www/index.lighttpd.html
fi
+
+ # Remove a possibly dangling symlink for the obsolete conffile
+ if dpkg --compare-versions "$2" lt-nl "1.4.32-1" && \
+ [ -L /etc/lighttpd/conf-enabled/10-access.conf -a \
+ ! -f /etc/lighttpd/conf-available/10-access.conf ]; then
+ rm -f /etc/lighttpd/conf-enabled/10-access.conf
+ fi
+
fi
# dh_installinit will call this function upon failure of rc.d invocation
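Review bot: `[ -L ... -a ! -f ... ]` relies on the `-a` binary primary of test, which POSIX marks obsolescent and which parses ambiguously with more than four arguments; two tests joined with `&&` (`[ -L .../10-access.conf ] && [ ! -f .../10-access.conf ]`) are unambiguous and no longer. The guard on `"$2"` is correct for the configure case, but note that this block runs for every invocation of the script, so it should sit inside the `configure)` branch if it is not already.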
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/debian/rules new/debian/rules
--- old/debian/rules 2012-11-21 10:15:17.000000000 +0100
+++ new/debian/rules 2013-09-27 16:41:10.000000000 +0200
@@ -1,15 +1,9 @@
#!/usr/bin/make -f
-CFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
-CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
-LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)
-export CFLAGS CPPFLAGS LDFLAGS
-
%:
dh $@
override_dh_auto_configure:
-
dh_auto_configure -- \
--disable-dependency-tracking \
--libdir=/usr/lib/lighttpd \
@@ -25,7 +19,8 @@
--with-openssl \
--with-pcre \
--with-webdav-locks \
- --with-webdav-props
+ --with-webdav-props \
+ $(shell dpkg-buildflags --export=configure)
override_dh_fixperms:
dh_fixperms
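Review bot: `$(shell dpkg-buildflags --export=configure)` replaces the removed `export CFLAGS CPPFLAGS LDFLAGS` block, but with debian/compat now at 9 dh_auto_configure already exports the dpkg-buildflags variables into the build environment, so the extra argument is redundant; harmless, but either drop it or add a comment saying it is kept on purpose. The new `dpkg-dev (>= 1.16.1~)` build-dependency is the version that introduced `--export=configure`, so that part of the change is consistent.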
++++++ lighttpd_1.4.32-0.1.dsc -> lighttpd_1.4.33-0.1.dsc ++++++
--- /work/SRC/openSUSE:Factory/lighttpd/lighttpd_1.4.32-0.1.dsc 2013-06-28 17:46:27.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.lighttpd.new/lighttpd_1.4.33-0.1.dsc 2013-10-06 14:29:01.000000000 +0200
@@ -1,18 +1,15 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA256
-
Format: 3.0 (quilt)
Source: lighttpd
Binary: lighttpd, lighttpd-doc, lighttpd-mod-mysql-vhost, lighttpd-mod-trigger-b4-dl, lighttpd-mod-cml, lighttpd-mod-magnet, lighttpd-mod-webdav
Architecture: any all
-Version: 1.4.32-0.1
+Version: 1.4.33-0.1
Maintainer: Debian lighttpd maintainers
Uploaders: Krzysztof Krzyżaniak (eloy) , Olaf van der Spek , Arno Töll
Homepage: http://lighttpd.net/
-Standards-Version: 3.9.3.1
-Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-lighttpd/lighttpd/trunk/
-Vcs-Svn: svn://svn.debian.org/pkg-lighttpd/lighttpd/trunk
-Build-Depends: debhelper (>= 8), mime-support, libssl-dev, zlib1g-dev, libbz2-dev, libattr1-dev, libpcre3-dev, libmysqlclient-dev, libfam-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev, liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev, libxml2-dev, libkrb5-dev, perl
+Standards-Version: 3.9.4
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-lighttpd/lighttpd.git
+Vcs-Git: git://git.debian.org/git/pkg-lighttpd/lighttpd.git
+Build-Depends: debhelper (>= 9), mime-support, libssl-dev, zlib1g-dev, libbz2-dev, libattr1-dev, libpcre3-dev, libmysqlclient-dev, libfam-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev, liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev, libxml2-dev, libkrb5-dev, perl, dpkg-dev (>= 1.16.1~)
Package-List:
lighttpd deb httpd optional
lighttpd-doc deb doc optional
@@ -22,29 +19,11 @@
lighttpd-mod-trigger-b4-dl deb httpd optional
lighttpd-mod-webdav deb httpd optional
Checksums-Sha1:
- 7177a9350f530f89c4538c75d08cfbc403844a5c 846615 lighttpd_1.4.32.orig.tar.gz
- 8a7ecb534e425a72c6b7e6822798d442c00bf0b0 27113 lighttpd_1.4.32-0.1.debian.tar.gz
+ f309708105aadffba229a944d4c32423132119a5 555248 lighttpd_1.4.33.orig.tar.xz
+ f5ce6b8f6bae914c425ab7d7224136ddff535ba0 28109 lighttpd_1.4.33-0.1.debian.tar.gz
Checksums-Sha256:
- 0765e07dac432393dea3950639d5ba646ded95a9408ad002e54b3353ab6b9645 846615 lighttpd_1.4.32.orig.tar.gz
- 56f480e6d5f13a61ca1a671c39b7f2b53a7f96ab23c3e85715afd3b824d3e77d 27113 lighttpd_1.4.32-0.1.debian.tar.gz
+ 2886aedc23857ca44df91b8fe6f36059ec82a859ae0eb230220e42abc331610c 555248 lighttpd_1.4.33.orig.tar.xz
+ e4c323876aeaf3dd06362874540b675d413fd28a7010d7caa1862e6faa255849 28109 lighttpd_1.4.33-0.1.debian.tar.gz
Files:
- d2eaf2ed77670bd25597f61c3a28c074 846615 lighttpd_1.4.32.orig.tar.gz
- 6528cfe27a137f107a834f4ca560f40b 27113 lighttpd_1.4.32-0.1.debian.tar.gz
-
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.12 (GNU/Linux)
-
-iQIcBAEBCAAGBQJQrJvoAAoJEODn0BcelbrXsOkP/2kmQwYGmfaVtJVhsY+zUHrG
-WrdwuZxIKuADj1CAUNPJzZdVU7rNs1nBn/qJCmyGYhciBrSq9M6DdqM727q7aSKd
-O4sH1TsaPIpTknj6oUnX1bM+2o+3miH9uFxVAXrJvbfAlD5tQ0nOiG87LNlFw1rk
-oVEyT6VD84cusyYF8QKyR9l7QL9D5EmnLhZ14XKHkN3iWf5G3YmwAA3JRBL3/Ig3
-IMQVUBogQSIuJ76QtmLtisSRpfyvocFjzsUZcT9Q2Qygxlg4PF6rH9fSDJZjLSX6
-dd/DmDb/oV3GQuscr+LLoYVcyR8YaFAm/u6nKFhPWAqrQPKSLiSjbWa6vUefAF9r
-40xhtwU6nVM+QKSIWE5e4kHnkAlNmfrk+Oi3XLLI5raWYKgh0ZMWh0nYCRfmbceG
-l0+xOkAciPahFPzujHCaYkXYYuXZFvFl8DbJY6aVZVxMzxG75I/Lo/Z9cglQMgdI
-UHGNsjkR92VVEKqqCgx5TlDylKSOVJs4YeGZcnXEBX2A0dJOTr3BNzl+ceDcxUSn
-6FFAZVnL3riK8SaCaMZpcneZQBEdg3uIprAndAOGEWAgg5d+ZZVEQfEMsbFh4+JP
-rz0QlXFqhZ2g+9hc5Y/WldAfXU4gW7vW7NbXGSuRva9mkad89Ti3uldGRtjejBD/
-Uh0Jc7Ix1XN94yfcvNtp
-=JkaD
------END PGP SIGNATURE-----
+ 992cf8668812c5e4382d43dadd2c5f16 555248 lighttpd_1.4.33.orig.tar.xz
+ dccca47a9cca43b7d295289f065afca8 28109 lighttpd_1.4.33-0.1.debian.tar.gz
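Review bot: the new .dsc has lost its clearsigned PGP wrapper (the BEGIN PGP SIGNED MESSAGE header, the Hash line and the whole signature block are removed with nothing added), so the SHA1, SHA256 and MD5 sums it lists are no longer bound to an uploader key and the file only proves internal consistency between the two tarballs; `dscverify` will reject it. For an openSUSE import that is acceptable when the source tarballs are checked another way, but either sign the .dsc with the submitter's key or note in the .changes entry that it is intentionally unsigned.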