diff options
| author | tron <tron@pkgsrc.org> | 2008-10-03 11:12:18 +0000 |
|---|---|---|
| committer | tron <tron@pkgsrc.org> | 2008-10-03 11:12:18 +0000 |
| commit | 83a419b2332235ed8b844df4032f997ad6cc8647 (patch) | |
| tree | 7e1579d534e6c820d945687ea051c82c4a42efa4 | |
| parent | 8b628b455d2d2dcd1a589963e48f329353f2cc9e (diff) | |
| download | pkgsrc-83a419b2332235ed8b844df4032f997ad6cc8647.tar.gz | |
Pullup ticket #2538 - requested by taca
lighttpd: security update
Revisions pulled up:
- www/lighttpd/Makefile 1.22
- www/lighttpd/distinfo 1.15
- www/lighttpd/patches/patch-aa delete
- www/lighttpd/patches/patch-ac delete
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Oct 3 01:08:36 UTC 2008
Modified Files:
pkgsrc/www/lighttpd: Makefile distinfo
Removed Files:
pkgsrc/www/lighttpd/patches: patch-aa patch-ac
Log Message:
Update lighttpd to 1.4.20.
This contains security fix: http://trac.lighttpd.net/trac/ticket/1774
- 1.4.20 -
* Fix mod_compress to compile with old gcc version (#1592)
* Fix mod_extforward to compile with old gcc version (#1591)
* Update documentation for #1587
* Fix #285 again: read error after SSL_shutdown (thx marton.illes@balabit.com) and clear the error queue before some other calls (CVE-2008-1531)
* Fix mod_magnet: enable "request.method" and "request.protocol" in lighty.env (#1308)
* Fix segfault for appending matched parts if there was no regex matching (just give empty strings) (#1601)
* Use data_response_init in mod_fastcgi x-sendfile handling for response.headers, fix a small "memleak" (#1628)
* Don't send empty Server headers (#1620)
* Fix conditional interpretation of core options
* Enable escaping of % and $ in redirect/rewrite; only two cases changed their behaviour: "%%" => "%", "$$" => "$"
* Fix accesslog port (should be port from the connection, not the "server.port") (#1618)
* Fix mod_fastcgi prefix matching: match the prefix always against url, not the absolute filepath (regardless of check-local)
* Overwrite Content-Type header in mod_dirlisting instead of inserting (#1614), patch by Henrik Holst
* Handle EINTR in mod_cgi during write() (#1640)
* Allow all http status codes by default; disable body only for 204,205 and 304; generate error pages for 4xx and 5xx (#1639)
* Fix mod_magnet to set con->mode = p->id if it generates content, so returning 4xx/5xx doesn't append an error page
* Remove lighttpd.spec* from source, fixing all problems with it ;-)
* Do not rely on PATH_MAX (POSIX does not require it) (#580)
* Disable logging to access.log if filename is an empty string
* Implement a clean way to open /dev/null and use it to close stdin/out/err in the needed places (#624)
* merge spawn-fcgi changes from trunk (from @2191)
* let spawn-fcgi propagate exit code from spawned fcgi application
* close connection after redirect in trigger_b4_dl (thx icy)
* close connection in mod_magnet if returned status code
* fix bug with IPv6 in mod_evasive (#1579)
* fix scgi HTTP/1.* status parsing (#1638), found by met@uberstats.com
* [tests] fixed system, use foreground daemons and waitpid
* [tests] removed pidfile from test system
* [tests] fixed tests needing php running (if not running on port 1026, search php in env[PHP] or /usr/bin/php-cgi)
* fixed typo in mod_accesslog (#1699)
* replaced buffer_{append,copy}_string with the _len variant where possible (#1732) (thx crypt)
* case insensitive match for secdownload md5 token (#1710)
* Handle only HEAD, GET and POST in mod_dirlisting (same as in staticfile) (#1687)
* fixed mod_secdownload problem with unsigned time_t (#1688)
* handle EAGAIN and EINTR for freebsd sendfile (#1675)
* Use filedescriptor 0 for mod_scgi spawn socket, redirect STDERR to /dev/null (#1716)
* fixed round-robin balancing in mod_proxy (#1715)
* fixed EINTR handling for waitpid in mod_fastcgi
* mod_{fast,s}cgi: overwrite environment variables (#1722)
* inserted many con->mode checks; they should prevent two modules to handle the same request if they shouldn't (#631)
* fixed url encoding to encode more characters (#266)
* allow digits in [s]cgi env vars (#1712)
* fixed dropping last character of evhost pattern (#161)
* print helpful error message on conditionals in global block (#1550)
* decode url before matching in mod_rewrite (#1720)
* fixed conditional patching of ldap filter (#1564)
* Match headers case insensitive in response (removing of X-{Sendfile,LIGHTTPD-*}, catching Date/Server)
* fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by "anders1"
* fixed format string bugs in mod_accesslog for SYSLOG
* replaced fprintf with log_error_write in fastcgi debug
* fixed mem leak in ssi expression parser (#1753), thx Take5k
* hide some ssl errors per default, enable them with debug.log-ssl-noise (#397)
* do not send content-encoding for 304 (#1754), thx yzlai
* fix segfault for stat_cache(fam) calls with relative path (without '/', can be triggered by x-sendfile) (#1750)
* fix splitting of auth-ldap filter
* workaround ldap connection leak if a ldap connection failed (restarting ldap)
* fix auth.backend.ldap.bind-dn/pw problems (only read from global context for temporary ldap reconnects, thx ruskie)
* fix memleak in request header parsing (#1774, thx qhy)
* fix mod_rewrite memleak/endless loop detection (#1775, thx phy - again!)
* use decoded url for matching in mod_redirect (#1720)
| -rw-r--r-- | www/lighttpd/Makefile | 5 | ||||
| -rw-r--r-- | www/lighttpd/distinfo | 8 | ||||
| -rw-r--r-- | www/lighttpd/patches/patch-aa | 69 | ||||
| -rw-r--r-- | www/lighttpd/patches/patch-ac | 22 |
4 files changed, 6 insertions, 98 deletions
diff --git a/www/lighttpd/Makefile b/www/lighttpd/Makefile index bc4dd6e6912..281b8cefc34 100644 --- a/www/lighttpd/Makefile +++ b/www/lighttpd/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.21 2008/05/20 14:22:50 joerg Exp $ +# $NetBSD: Makefile,v 1.21.4.1 2008/10/03 11:12:18 tron Exp $ -DISTNAME= lighttpd-1.4.19 -PKGREVISION= 1 +DISTNAME= lighttpd-1.4.20 CATEGORIES= www MASTER_SITES= http://www.lighttpd.net/download/ diff --git a/www/lighttpd/distinfo b/www/lighttpd/distinfo index 435f2eae953..2ab46c6d266 100644 --- a/www/lighttpd/distinfo +++ b/www/lighttpd/distinfo @@ -1,8 +1,8 @@ -$NetBSD: distinfo,v 1.14 2008/04/25 19:58:17 joerg Exp $ +$NetBSD: distinfo,v 1.14.4.1 2008/10/03 11:12:18 tron Exp $ -SHA1 (lighttpd-1.4.19.tar.gz) = 79e2d61dd9017c3c50c0fe98b2289cae5c1255ee -RMD160 (lighttpd-1.4.19.tar.gz) = 7dbe2a22051e18f4037b48ee4811e2c9738d20cf -Size (lighttpd-1.4.19.tar.gz) = 815568 bytes +SHA1 (lighttpd-1.4.20.tar.gz) = 61790c02d9e96c3cb23ffd3907f1caee64c475dd +RMD160 (lighttpd-1.4.20.tar.gz) = 222e9c69b61467f9376768f92a5eee3add796020 +Size (lighttpd-1.4.20.tar.gz) = 827538 bytes SHA1 (patch-aa) = 4e3a6bf761bc0e0b8b2ff75fbec739d2cad145ab SHA1 (patch-ab) = b02003db1b2ac978846eb0f7be178b91f59fc176 SHA1 (patch-ac) = eca334f430362b2095727e28b9cc15f757fd440d diff --git a/www/lighttpd/patches/patch-aa b/www/lighttpd/patches/patch-aa deleted file mode 100644 index 1ab9dbad3da..00000000000 --- a/www/lighttpd/patches/patch-aa +++ /dev/null @@ -1,69 +0,0 @@ -$NetBSD: patch-aa,v 1.9 2008/04/25 19:58:17 joerg Exp $ - -From SVN: Fix potential DOS by clearing SSL error queue. - ---- src/connections.c.orig 2008-04-25 18:28:26.000000000 +0200 -+++ src/connections.c -@@ -199,6 +199,7 @@ static int connection_handle_read_ssl(se - - /* don't resize the buffer if we were in SSL_ERROR_WANT_* */ - -+ ERR_clear_error(); - do { - if (!con->ssl_error_want_reuse_buffer) { - b = buffer_init(); -@@ -1668,19 +1669,47 @@ int connection_state_machine(server *srv - } - #ifdef USE_OPENSSL - if (srv_sock->is_ssl) { -- int ret; -+ int ret, ssl_r; -+ unsigned long err; -+ ERR_clear_error(); - switch ((ret = SSL_shutdown(con->ssl))) { - case 1: - /* ok */ - break; - case 0: -- SSL_shutdown(con->ssl); -- break; -+ ERR_clear_error(); -+ if (-1 != (ret = SSL_shutdown(con->ssl))) break; -+ -+ // fall through - default: -- log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:", -- SSL_get_error(con->ssl, ret), -- ERR_error_string(ERR_get_error(), NULL)); -- return -1; -+ -+ switch ((ssl_r = SSL_get_error(con->ssl, ret))) { -+ case SSL_ERROR_WANT_WRITE: -+ case SSL_ERROR_WANT_READ: -+ break; -+ case SSL_ERROR_SYSCALL: -+ /* perhaps we have error waiting in our error-queue */ -+ if (0 != (err = ERR_get_error())) { -+ do { -+ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", -+ ssl_r, ret, -+ ERR_error_string(err, NULL)); -+ } while ((err = ERR_get_error())); -+ } else { -+ log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):", -+ ssl_r, r, errno, -+ strerror(errno)); -+ } -+ break; -+ -+ default: -+ while ((err = ERR_get_error())) { -+ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", -+ ssl_r, ret, -+ ERR_error_string(err, NULL)); -+ } -+ break; -+ } - } - } - #endif diff --git a/www/lighttpd/patches/patch-ac b/www/lighttpd/patches/patch-ac deleted file mode 100644 index 2f5f47fbde8..00000000000 --- a/www/lighttpd/patches/patch-ac +++ /dev/null @@ -1,22 +0,0 @@ -$NetBSD: patch-ac,v 1.5 2008/04/25 19:58:17 joerg Exp $ - -From SVN: Fix potential DOS by clearing SSL error queue. - ---- src/network_openssl.c.orig 2008-04-25 18:29:42.000000000 +0200 -+++ src/network_openssl.c -@@ -85,6 +85,7 @@ int network_write_chunkqueue_openssl(ser - * - */ - -+ ERR_clear_error(); - if ((r = SSL_write(ssl, offset, toSend)) <= 0) { - unsigned long err; - -@@ -187,6 +188,7 @@ int network_write_chunkqueue_openssl(ser - - close(ifd); - -+ ERR_clear_error(); - if ((r = SSL_write(ssl, s, toSend)) <= 0) { - unsigned long err; - |