pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2008Q2]: pkgsrc/www/lighttpd Pullup ticket #2538 - requested b...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/929aaa04cd57
branches:  pkgsrc-2008Q2
changeset: 544336:929aaa04cd57
user:      tron <tron%pkgsrc.org@localhost>
date:      Fri Oct 03 11:12:18 2008 +0000

description:
Pullup ticket #2538 - requested by taca
lighttpd: security update

Revisions pulled up:
- www/lighttpd/Makefile                 1.22
- www/lighttpd/distinfo                 1.15
- www/lighttpd/patches/patch-aa         delete
- www/lighttpd/patches/patch-ac         delete
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Fri Oct  3 01:08:36 UTC 2008

Modified Files:
        pkgsrc/www/lighttpd: Makefile distinfo
Removed Files:
        pkgsrc/www/lighttpd/patches: patch-aa patch-ac

Log Message:
Update lighttpd to 1.4.20.

This contains a security fix: http://trac.lighttpd.net/trac/ticket/1774

- 1.4.20 -

  * Fix mod_compress to compile with old gcc version (#1592)
  * Fix mod_extforward to compile with old gcc version (#1591)
  * Update documentation for #1587
  * Fix #285 again: read error after SSL_shutdown (thx marton.illes%balabit.com@localhost) and clear the error queue before some other calls (CVE-2008-1531)
  * Fix mod_magnet: enable "request.method" and "request.protocol" in lighty.env (#1308)
  * Fix segfault for appending matched parts if there was no regex matching (just give empty strings) (#1601)
  * Use data_response_init in mod_fastcgi x-sendfile handling for response.headers, fix a small "memleak" (#1628)
  * Don't send empty Server headers (#1620)
  * Fix conditional interpretation of core options
  * Enable escaping of % and $ in redirect/rewrite; only two cases changed their behaviour: "%%" => "%", "$$" => "$"
  * Fix accesslog port (should be port from the connection, not the "server.port") (#1618)
  * Fix mod_fastcgi prefix matching: match the prefix always against url, not the absolute filepath (regardless of check-local)
  * Overwrite Content-Type header in mod_dirlisting instead of inserting (#1614), patch by Henrik Holst
  * Handle EINTR in mod_cgi during write() (#1640)
  * Allow all http status codes by default; disable body only for 204,205 and 304; generate error pages for 4xx and 5xx (#1639)
  * Fix mod_magnet to set con->mode = p->id if it generates content, so returning 4xx/5xx doesn't append an error page
  * Remove lighttpd.spec* from source, fixing all problems with it ;-)
  * Do not rely on PATH_MAX (POSIX does not require it) (#580)
  * Disable logging to access.log if filename is an empty string
  * Implement a clean way to open /dev/null and use it to close stdin/out/err in the needed places (#624)
  * merge spawn-fcgi changes from trunk (from @2191)
  * let spawn-fcgi propagate exit code from spawned fcgi application
  * close connection after redirect in trigger_b4_dl (thx icy)
  * close connection in mod_magnet if returned status code
  * fix bug with IPv6 in mod_evasive (#1579)
  * fix scgi HTTP/1.* status parsing (#1638), found by met%uberstats.com@localhost
  * [tests] fixed system, use foreground daemons and waitpid
  * [tests] removed pidfile from test system
  * [tests] fixed tests needing php running (if not running on port 1026, search php in env[PHP] or /usr/bin/php-cgi)
  * fixed typo in mod_accesslog (#1699)
  * replaced buffer_{append,copy}_string with the _len variant where possible (#1732) (thx crypt)
  * case insensitive match for secdownload md5 token (#1710)
  * Handle only HEAD, GET and POST in mod_dirlisting (same as in staticfile) (#1687)
  * fixed mod_secdownload problem with unsigned time_t (#1688)
  * handle EAGAIN and EINTR for freebsd sendfile (#1675)
  * Use filedescriptor 0 for mod_scgi spawn socket, redirect STDERR to /dev/null (#1716)
  * fixed round-robin balancing in mod_proxy (#1715)
  * fixed EINTR handling for waitpid in mod_fastcgi
  * mod_{fast,s}cgi: overwrite environment variables (#1722)
  * inserted many con->mode checks; they should prevent two modules to handle the same request if they shouldn't (#631)
  * fixed url encoding to encode more characters (#266)
  * allow digits in [s]cgi env vars (#1712)
  * fixed dropping last character of evhost pattern (#161)
  * print helpful error message on conditionals in global block (#1550)
  * decode url before matching in mod_rewrite (#1720)
  * fixed conditional patching of ldap filter (#1564)
  * Match headers case insensitive in response (removing of X-{Sendfile,LIGHTTPD-*}, catching Date/Server)
  * fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by "anders1"
  * fixed format string bugs in mod_accesslog for SYSLOG
  * replaced fprintf with log_error_write in fastcgi debug
  * fixed mem leak in ssi expression parser (#1753), thx Take5k
  * hide some ssl errors per default, enable them with debug.log-ssl-noise (#397)
  * do not send content-encoding for 304 (#1754), thx yzlai
  * fix segfault for stat_cache(fam) calls with relative path (without '/', can be triggered by x-sendfile) (#1750)
  * fix splitting of auth-ldap filter
  * workaround ldap connection leak if a ldap connection failed (restarting ldap)
  * fix auth.backend.ldap.bind-dn/pw problems (only read from global context for temporary ldap reconnects, thx ruskie)
  * fix memleak in request header parsing (#1774, thx qhy)
  * fix mod_rewrite memleak/endless loop detection (#1775, thx phy - again!)
  * use decoded url for matching in mod_redirect (#1720)

diffstat:

 www/lighttpd/Makefile         |   5 +-
 www/lighttpd/distinfo         |   8 ++--
 www/lighttpd/patches/patch-aa |  69 -------------------------------------------
 www/lighttpd/patches/patch-ac |  22 -------------
 4 files changed, 6 insertions(+), 98 deletions(-)

diffs (128 lines):

diff -r 32178f8d2d2f -r 929aaa04cd57 www/lighttpd/Makefile
--- a/www/lighttpd/Makefile     Mon Sep 29 13:47:37 2008 +0000
+++ b/www/lighttpd/Makefile     Fri Oct 03 11:12:18 2008 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.21 2008/05/20 14:22:50 joerg Exp $
+# $NetBSD: Makefile,v 1.21.4.1 2008/10/03 11:12:18 tron Exp $
 
-DISTNAME=      lighttpd-1.4.19
-PKGREVISION=   1
+DISTNAME=      lighttpd-1.4.20
 CATEGORIES=    www
 MASTER_SITES=  http://www.lighttpd.net/download/
 
diff -r 32178f8d2d2f -r 929aaa04cd57 www/lighttpd/distinfo
--- a/www/lighttpd/distinfo     Mon Sep 29 13:47:37 2008 +0000
+++ b/www/lighttpd/distinfo     Fri Oct 03 11:12:18 2008 +0000
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.14 2008/04/25 19:58:17 joerg Exp $
+$NetBSD: distinfo,v 1.14.4.1 2008/10/03 11:12:18 tron Exp $
 
-SHA1 (lighttpd-1.4.19.tar.gz) = 79e2d61dd9017c3c50c0fe98b2289cae5c1255ee
-RMD160 (lighttpd-1.4.19.tar.gz) = 7dbe2a22051e18f4037b48ee4811e2c9738d20cf
-Size (lighttpd-1.4.19.tar.gz) = 815568 bytes
+SHA1 (lighttpd-1.4.20.tar.gz) = 61790c02d9e96c3cb23ffd3907f1caee64c475dd
+RMD160 (lighttpd-1.4.20.tar.gz) = 222e9c69b61467f9376768f92a5eee3add796020
+Size (lighttpd-1.4.20.tar.gz) = 827538 bytes
 SHA1 (patch-aa) = 4e3a6bf761bc0e0b8b2ff75fbec739d2cad145ab
 SHA1 (patch-ab) = b02003db1b2ac978846eb0f7be178b91f59fc176
 SHA1 (patch-ac) = eca334f430362b2095727e28b9cc15f757fd440d
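Review bot: The trailing context lines `SHA1 (patch-aa)` and `SHA1 (patch-ac)` stay in distinfo even though this same changeset deletes both patch files, which leaves checksum entries for patches that no longer exist. Drop those two lines (regenerating the patch checksums with `make makepatchsum` does this) so that distinfo only lists patches still present under patches/.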
diff -r 32178f8d2d2f -r 929aaa04cd57 www/lighttpd/patches/patch-aa
--- a/www/lighttpd/patches/patch-aa     Mon Sep 29 13:47:37 2008 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,69 +0,0 @@
-$NetBSD: patch-aa,v 1.9 2008/04/25 19:58:17 joerg Exp $
-
-From SVN: Fix potential DOS by clearing SSL error queue.
-
---- src/connections.c.orig     2008-04-25 18:28:26.000000000 +0200
-+++ src/connections.c
-@@ -199,6 +199,7 @@ static int connection_handle_read_ssl(se
- 
-       /* don't resize the buffer if we were in SSL_ERROR_WANT_* */
- 
-+      ERR_clear_error();
-       do {
-               if (!con->ssl_error_want_reuse_buffer) {
-                       b = buffer_init();
-@@ -1668,19 +1669,47 @@ int connection_state_machine(server *srv
-                       }
- #ifdef USE_OPENSSL
-                       if (srv_sock->is_ssl) {
--                              int ret;
-+                              int ret, ssl_r;
-+                              unsigned long err;
-+                              ERR_clear_error();
-                               switch ((ret = SSL_shutdown(con->ssl))) {
-                               case 1:
-                                       /* ok */
-                                       break;
-                               case 0:
--                                      SSL_shutdown(con->ssl);
--                                      break;
-+                                      ERR_clear_error();
-+                                      if (-1 != (ret = SSL_shutdown(con->ssl))) break;
-+
-+                                      // fall through
-                               default:
--                                      log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
--                                                      SSL_get_error(con->ssl, ret),
--                                                      ERR_error_string(ERR_get_error(), NULL));
--                                      return -1;
-+
-+                                      switch ((ssl_r = SSL_get_error(con->ssl, ret))) {
-+                                      case SSL_ERROR_WANT_WRITE:
-+                                      case SSL_ERROR_WANT_READ:
-+                                              break;
-+                                      case SSL_ERROR_SYSCALL:
-+                                              /* perhaps we have error waiting in our error-queue */
-+                                              if (0 != (err = ERR_get_error())) {
-+                                                      do {
-+                                                              log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
-+                                                                              ssl_r, ret,
-+                                                                              ERR_error_string(err, NULL));
-+                                                      } while ((err = ERR_get_error()));
-+                                              } else {
-+                                                      log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
-+                                                                ssl_r, r, errno,
-+                                                                strerror(errno));    
-+                                              }
-+                                              break;
-+
-+                                      default:
-+                                              while ((err = ERR_get_error())) {
-+                                                      log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
-+                                                                      ssl_r, ret,
-+                                                                      ERR_error_string(err, NULL));
-+                                              }
-+                                              break;
-+                                      }
-                               }
-                       }
- #endif
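Review bot: Removing this patch drops the local ERR_clear_error() calls in connection_handle_read_ssl and around SSL_shutdown() in connection_state_machine, so the fix now has to come from the 1.4.20 tarball itself. The CVE-2008-1531 entry in the log message ("clear the error queue before some other calls") indicates that it does, but the commit message never states that the patches were removed because they were merged upstream; one line saying so would make the removal auditable. Separately, the else branch under SSL_ERROR_SYSCALL in the removed patch passes `r` to log_error_write while the variables declared in the lines shown are `ret` and `ssl_r`, so it is worth checking which value the upstream version logs there.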
diff -r 32178f8d2d2f -r 929aaa04cd57 www/lighttpd/patches/patch-ac
--- a/www/lighttpd/patches/patch-ac     Mon Sep 29 13:47:37 2008 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,22 +0,0 @@
-$NetBSD: patch-ac,v 1.5 2008/04/25 19:58:17 joerg Exp $
-
-From SVN: Fix potential DOS by clearing SSL error queue.
-
---- src/network_openssl.c.orig 2008-04-25 18:29:42.000000000 +0200
-+++ src/network_openssl.c
-@@ -85,6 +85,7 @@ int network_write_chunkqueue_openssl(ser
-                        *
-                        */
- 
-+                      ERR_clear_error();
-                       if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
-                               unsigned long err;
- 
-@@ -187,6 +188,7 @@ int network_write_chunkqueue_openssl(ser
- 
-                               close(ifd);
- 
-+                              ERR_clear_error();
-                               if ((r = SSL_write(ssl, s, toSend)) <= 0) {
-                                       unsigned long err;
- 
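Review bot: Both ERR_clear_error() calls removed here sit directly before SSL_write() in network_write_chunkqueue_openssl, and nothing in the log message names that file or function. Before dropping the patch, confirm that src/network_openssl.c in 1.4.20 clears the error queue at both call sites: the write in the first sub-hunk and the one that follows close(ifd) in the second.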


