| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
This release contains a lot of bug fixes, many detected by scan.coverity.com (and more to come). The main reason for the release is a fix for an SQL injection (and path traversal) bug triggered by specially crafted (and invalid) Host: headers.
|
|
|
|
These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.
|
|
|
|
|
|
* [mod_auth] explicitly link ssl for SHA1 (fixes 2517)
* [mod_extforward] fix compilation without IPv6, (not) using undefined var (fixes 2515, thx mm)
* [ssl] fix SNI handling; only use key+cert from SNI specific config (fixes 2525, CVE-2013-4508)
* [doc] update ssl.cipher-list recommendation
* [stat-cache] FAM: fix use after free (CVE-2013-4560)
* [stat-cache] fix FAM cleanup/fdevent handling
* [core] check success of setuid,setgid,setgroups (CVE-2013-4559)
* [ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken)
* maintain physical.basedir (the "acting" doc-root as prefix of physical.path) in more places
* [core] decode URL before rewrite, enabling it to work in $HTTP["url"] conditionals (fixes 2526)
* [auto* build] remove -no-undefined from linker flags, as we actually link modules with undefined symbols (fixes 2533)
* [mod_mysql_vhost] fix memory leak on config init (2530)
* [mod_webdav] fix fd leak found with parfait (fixes 2530, thx kukackajiri)
|
|
|
|
mod_fastcgi: fix mix up of “mode” => “authorizer” in other fastcgi configs (fixes 2465, thx peex)
fix handling of If-Modified-Since if If-None-Match is present (don’t return 412 for date parsing errors);
follow current draft for HTTP/1.1, which tells us to ignore If-Modified-Since if we have matching etags.
[mod_fastcgi,log] support multi line logging (fixes 2252)
call ERR_clear_error only for ssl connections in CON_STATE_ERROR
reject non ASCII characters in HTTP header names
[mod_auth] use crypt() on encrypted password instead of extracting salt first (fixes 2483)
[mod_auth] add htpasswd -s (SHA1) support if openssl is used (needs openssl for SHA1). This doesn’t use any salt, md5 with salt is probably better.
[mod_auth] fix base64_decode (2484)
fix some bugs found with canalyze (fixes 2484, thx Zhenbo Xu)
fix undefined stuff found with clang
[cmake] Use TARGET_LINK_LIBRARIES instead of LINK_FLAGS for library dependencies, also add Wl,-as-needed to extra warnings (fixes 2448)
[mod_auth] fix invalid read in digest qop=auth-int handling (fixes 2478)
[auto* build] simplify autogen.sh, handle automake 1.13 test running (fixes 2490)
[mod_userdir] add userdir.active option, “enabled” by default
[core] return 501 Not Implemented in static file mode for all methods except GET/POST/HEAD/OPTIONS
[core] recognize more http methods to forward to backends (fixes 2346)
[ssl] use DH only if openssl supports it (fixes 2479)
[network] use constants available at compile time for maximum number of chunks for writev instead of calling sysconf (fixes 2470)
[ssl] Fix $HTTP[“scheme”] conditional, could be “http” for ssl connections if the ssl $SERVER[“socket”] conditional was nested (fixes 2501)
[ssl] accept ssl renegotiations if they are not disabled (fixes 2491)
[ssl] add option ssl.empty-fragments, defaulting to disabled (fixes 2492)
[auth] put REMOTE_USER into cgi environment, making it accessible to lua via lighty.req_env (fixes 2495)
[auth] new method “extern” to use already present REMOTE_USER (from magnet, ssl, …) (fixes 2436)
[core] remove requirement that default doc-root has to exist, there are reasonable scenarios not requiring static files at all
[core] check whether server.chroot exists
[mod_simple_vhost] fix cache; skip module if simple-vhost.server-root is empty (thx rm for reporting)
[mod_accesslog] add accesslog.syslog-level option (fixes 2480)
[core] allow files to be used as document-root (fixes 2475)
[core] set signal handlers before forking child processes in modules/plugins_call_set_defaults (fixes 2502)
|
|
|
|
|
|
|
|
|
|
return non-NULL too and lighttpd was evaluating as failure.
Bump PKGREVISION.
|
|
|
|
fixes a DOS problem (CVE-2012-5533)
|
|
|
|
Changes from 1.4.30
- [ssl] fix segfault in counting renegotiations for openssl versions
without TLSEXT/SNI (thx carpii for reporting)
- Move fdevent subsystem includes to implementation files to reduce
conflicts (fixes #2373)
- [mod_compress] fix handling if etags are disabled but cache-dir
is set - may lead to double response
- disable mmap by default (fixes #2391)
- buffer_caseless_compare: always convert letters to lowercase to get
transitive results, fixing array lookups (fixes #2405)
- Fix handling of empty header list entries in http_request_split_value,
fixing invalid read in valgrind (fixes #2413)
- Fix access log escaping of " and \\ (fixes #1551)
- [mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649,
RFC 2617) (fixes #2410)
- [auth] Add "AUTH_TYPE" environment (for * cgi), remove fastcgi specific
workaround, add fastcgi test case (fixes #889)
- [mod_*cgi,mod_accesslog] Fix splitting :port with ipv6 (fixes #2333,
thx simoncpu)
- Detect multiple -f options: show error message instead of assert
(fixes #2416)
- [mod_extforward] Support ipv6 addresses (fixes #1889)
- [mod_redirect] Support url.redirect-code option (fixes #2247)
- Fix --enable-mmap handling in configure.ac
Changes from 1.4.29
- Always use our 'own' md5 implementation, fixes linking issues on MacOS
(fixes #2331)
- Limit amount of bytes we send in one go; fixes stalling in one connection
and timeouts on slow systems.
- [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled
- Add static-file.disable-pathinfo option to prevent handling of urls like
.../secret.php/image.jpg as static file
- Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341)
- Fix mod_status bug: always showed "0/0" in the "Read" column for uploads
(fixes #2351)
- [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)
- [ssl] count renegotiations to prevent client renegotiations
- [ssl] add option to honor server cipher order (fixes #2364, BEAST attack)
- [core] accept dots in ipv6 addresses in host header (fixes #2359)
- [ssl] fix ssl connection aborts if files are larger than
the MAX_WRITE_LIMIT (256kb)
- [libev/cgi] fix waitpid ECHILD errors in cgi with libev (fixes #2324)
|
|
|
|
|
|
GNU_CONFIGURE_LIBDIR or GNU_CONFIGURE_LIBSUBDIR.
|
|
to out-of-bounds array read
(possible DOS, CVE-2011-4362)
bump PKGREV
|
|
|
|
* solve name conflict of md5 functions with OpenSSL lib
* mod_proxy, mod_cgi and other mod_*cgi fixes
* ssl improvements
* Native solaris ports fdevent handler “solaris-eventports”
|
|
* Rename fdevent_event_add to _set to reflect what the function does. Fix some
handlers.
* Fix buffer.h to include stdio.h as it is needer for SEGFAULT()
Changes 1.4.27:
* Fix handling return value of SSL_CTX_set_options
* Fix mod_proxy HUP handling (send final chunk, fix usage counter)
* mod_proxy: close connection on write error
* Check uri instead of physical path for directory redirect
* Fix detecting git repository
* [mod_compress] Fix segfault when etags are disabled
* Reset uri.authority before TLS servername handling, reset all "keep-alive"
data in connection_del
* Print double quotes properly when dumping config file
* Include IP addresses on error log on password failures
* Fix stalls while reading from ssl sockets
* Fix etag formatting on boxes with 32-bit longs
* Fix two compiler warnings
* mod_accesslog: fix %p for ipv6 sockets
* mod_fastcgi: Send 502 "Bad Gateway" if we couldn't open the file for
X-Sendfile
* mod_staticfile: add debug output if we ignore a file with
static-file.exclude-extensions
* mod_cgi: fix race condition leaving response not forwarded to client
* mod_accesslog: Fix var declarations mixed in source
* mod_status: Add version to status page
* mod_accesslog: optimize accesslog_append_escaped
* openssl: silence annoying error messages for errno==0
* array.c: improve array_get_unused_element to check data type; fix mem leak if
unused_element didn't find a matching entry
* add check to stop loading plugins twice
* cleanup fdevent code, removed linux-rtsig handler, replaced some fprintf calls
* only require FDEVENT_IN bit to be set for listening connections
* add libev fdevent handler: server.event-handler = "libev"
* mod_proxy: return response as soon as it is available
* don't overwrite global server.force-lowercase-filenames setting
* bind to IPV6-only if ipv6 address was specified
|
|
PR#43538 by Aleksey Cheusov.
|
|
<http://redmine.lighttpd.net/issues/2157>. Without this patch,
lighttpd 1.4.26 will fail to start if built with the pkgsrc OpenSSL
and configured to serve HTTPS. Bump PKGREVISION.
|
|
- fix various bugs, including a trivial to trigger OOM/DoS
- Allow support for checking for exec bit on cgi scripts
- Add support for TLS servername indication
- Add support client certificate verification
- Split off spawn-fcgi into a separate package
|
|
|
|
- fix a number of bugs in various modules
- if-modifed-since handling for mod_compress
- disabled SSLv2 by default
|
|
This contains security fix: http://trac.lighttpd.net/trac/ticket/1774
- 1.4.20 -
* Fix mod_compress to compile with old gcc version (#1592)
* Fix mod_extforward to compile with old gcc version (#1591)
* Update documentation for #1587
* Fix #285 again: read error after SSL_shutdown (thx marton.illes@balabit.com) and clear the error queue before some other calls (CVE-2008-1531)
* Fix mod_magnet: enable "request.method" and "request.protocol" in lighty.env (#1308)
* Fix segfault for appending matched parts if there was no regex matching (just give empty strings) (#1601)
* Use data_response_init in mod_fastcgi x-sendfile handling for response.headers, fix a small "memleak" (#1628)
* Don't send empty Server headers (#1620)
* Fix conditional interpretation of core options
* Enable escaping of % and $ in redirect/rewrite; only two cases changed their behaviour: "%%" => "%", "$$" => "$"
* Fix accesslog port (should be port from the connection, not the "server.port") (#1618)
* Fix mod_fastcgi prefix matching: match the prefix always against url, not the absolute filepath (regardless of check-local)
* Overwrite Content-Type header in mod_dirlisting instead of inserting (#1614), patch by Henrik Holst
* Handle EINTR in mod_cgi during write() (#1640)
* Allow all http status codes by default; disable body only for 204,205 and 304; generate error pages for 4xx and 5xx (#1639)
* Fix mod_magnet to set con->mode = p->id if it generates content, so returning 4xx/5xx doesn't append an error page
* Remove lighttpd.spec* from source, fixing all problems with it ;-)
* Do not rely on PATH_MAX (POSIX does not require it) (#580)
* Disable logging to access.log if filename is an empty string
* Implement a clean way to open /dev/null and use it to close stdin/out/err in the needed places (#624)
* merge spawn-fcgi changes from trunk (from @2191)
* let spawn-fcgi propagate exit code from spawned fcgi application
* close connection after redirect in trigger_b4_dl (thx icy)
* close connection in mod_magnet if returned status code
* fix bug with IPv6 in mod_evasive (#1579)
* fix scgi HTTP/1.* status parsing (#1638), found by met@uberstats.com
* [tests] fixed system, use foreground daemons and waitpid
* [tests] removed pidfile from test system
* [tests] fixed tests needing php running (if not running on port 1026, search php in env[PHP] or /usr/bin/php-cgi)
* fixed typo in mod_accesslog (#1699)
* replaced buffer_{append,copy}_string with the _len variant where possible (#1732) (thx crypt)
* case insensitive match for secdownload md5 token (#1710)
* Handle only HEAD, GET and POST in mod_dirlisting (same as in staticfile) (#1687)
* fixed mod_secdownload problem with unsigned time_t (#1688)
* handle EAGAIN and EINTR for freebsd sendfile (#1675)
* Use filedescriptor 0 for mod_scgi spawn socket, redirect STDERR to /dev/null (#1716)
* fixed round-robin balancing in mod_proxy (#1715)
* fixed EINTR handling for waitpid in mod_fastcgi
* mod_{fast,s}cgi: overwrite environment variables (#1722)
* inserted many con->mode checks; they should prevent two modules to handle the same request if they shouldn't (#631)
* fixed url encoding to encode more characters (#266)
* allow digits in [s]cgi env vars (#1712)
* fixed dropping last character of evhost pattern (#161)
* print helpful error message on conditionals in global block (#1550)
* decode url before matching in mod_rewrite (#1720)
* fixed conditional patching of ldap filter (#1564)
* Match headers case insensitive in response (removing of X-{Sendfile,LIGHTTPD-*}, catching Date/Server)
* fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by "anders1"
* fixed format string bugs in mod_accesslog for SYSLOG
* replaced fprintf with log_error_write in fastcgi debug
* fixed mem leak in ssi expression parser (#1753), thx Take5k
* hide some ssl errors per default, enable them with debug.log-ssl-noise (#397)
* do not send content-encoding for 304 (#1754), thx yzlai
* fix segfault for stat_cache(fam) calls with relative path (without '/', can be triggered by x-sendfile) (#1750)
* fix splitting of auth-ldap filter
* workaround ldap connection leak if a ldap connection failed (restarting ldap)
* fix auth.backend.ldap.bind-dn/pw problems (only read from global context for temporary ldap reconnects, thx ruskie)
* fix memleak in request header parsing (#1774, thx qhy)
* fix mod_rewrite memleak/endless loop detection (#1775, thx phy - again!)
* use decoded url for matching in mod_redirect (#1720)
|
|
|
|
|
|
Fix a DOS under high load and some information leaks.
|
|
http://trac.lighttpd.net/trac/attachment/ticket/1562/Fix-372-and-1562.patch
in order to fix CVE-2008-0983. Bump PKGREVISION
|
|
on packages that are affected by the switch from the openssl 0.9.7
branch to the 0.9.8 branch. ok jlam@
|
|
|
|
|
|
* fixed forwarding a SIGINT and SIGHUP when using max-workers (#902)
--> fixed FastCGI header overrun in mod_fastcgi
* fixed hanging redirects with keep-alive due to missing
"Content-Length: 0" headers
* fixed crashing when using undefined environment variables in the config
* added dir-listing.set-footer in mod_dirlisting (#1277)
* added sending UID and PID for SIGTERM and SIGINT to the logs
* fixed compression of files < 128 bytes by disabling compression (#1241)
* fixed mysql server reconnects (#518)
* fixed disabled keep-alive for dynamic content with HTTP/1.0 (#1166)
* fixed crash on mixed EOL sequences in mod_cgi
* fixed key compare (#1287)
* fixed invalid char in header values (#1286)
* fixed invalid "304 Not Modified" on broken timestamps
--> fixed endless loop on shrinked files with sendfile() on BSD (#1289)
--> fixed counter overrun in ?auto in mod_status (#909)
* fixed too aggresive caching of nested conditionals (#41)
--> fixed possible overflow in unix-socket path checks on BSD (#713)
* fixed extra Content-Length header on 1xx, 204 and 304 (#1002)
* fixed handling of duplicate If-Modified-Since to return 304
* fixed extracting status code from NPH scripts (#1125)
* removed config-check if passwd files exist (#1188)
* fixed crash when etags are disabled but the client sends one (#1322)
* fixed crash when freeing the config in mod_alias
* fixed server.error-handler-404 breakage from 1.4.16 (#1270)
* fixed entering 404-handler from dynamic content (#948)
* added more debug infos for FAM based stat-cache
The highlighted changes are security vulnerabilities that are fixed in
this release.
|
|
- various possible NULL pointer references
- two cases were uninitialised memory is used or memory could be
corrupted. This might be exploitable to execute arbitrary code.
- possible mod_access by-pass by appending /
- a local DOS by broken FastCGI handlers
|
|
Most important changes are:
- fix a crash for files with an mtime of 0
- fix cpu hog in certain requests
- added mod_extforward module
- reduced default PATH_MAX to 255
|
|
Patch provided by Sergey Svishchev in private mail.
|
|
Changes in 1.4.13:
* added initgroups in spawn-fcgi (#871)
* added apr1 support htpasswd in mod-auth (#870)
* added lighty.stat() to mod_magnet
* fixed segfault in splitted CRLF CRLF sequences
(introduced in 1.4.12) (#876)
* fixed compilation of LOCK support in mod-webdav
* fixed fragments in request-URLs (#869)
* fixed pkg-config check for lua5.1 on debian
* fixed Content-Length = 0 on HEAD requests without
a known Content-Length (#119)
* fixed mkdir() forcing 0700 (#884)
* fixed writev() on FreeBSD 4.x and older (#875)
* removed warning about a 404-error-handler
returned 404
* backported and fixed the buildsystem changes for
webdav locks
* fixed plugin loading so we can finally load lua
extensions in mod_magnet scripts
* fixed large uploads if xattr is enabled
Changes in 1.4.12:
* added experimental LOCK support for webdav
* added Content-Range support for PUT in webdav
* added support for += on empty arrays in config-files
* added ssl.cipher-list and ssl.use-sslv2
* added $HTTP["querystring"] conditional
* added mod_magnet as long-term replacement for mod_cml
* added work-around for a Opera Bug with SSL + Chunked-Encoding
* changed --print-config to print to stdout instead of stderr
* changed no longer use 0600 for new files with webdav. umask is
honored. Make sure you have set a proper umask.
* fixed upload hangs with SSL
* fixed connection drops with SSL (aka bad retry)
* fixed path traversal with \ on cygwin
* fixed mem-leak in mod_flv_streaming
* fixed required trailing newline in configfiles (#142)
* fixed quoting the autoconf files (#466)
* fixed empty Host: + $HTTP["host"] handling (#458)
* fixed handling of If-Modified-Since if ETag is not set
* fixed default-shell if SHELL is not set (#441)
* fixed appending and assigning of env.* vars
* fixed empty FCGI_STDERR packets
* fixed conditional server.allow-http-11
* fixed handling of follow-symlink + lstat()
* fixed SIGHUP handling if max-workers is used
* fixed "Software caused connection abort" messages on FreeBSD
In addition fix a nasty problem in LDAP auth when using with buggy
commercial servers. Some threat an empty password as anonymous bind
and would only fail on the first query, if that requires privileges.
Patch will be included with 1.4.14.
|
|
Noticed by Peter Avalos.
|
|
|
|
set OVERRIDE_DIRDEPTH to find any libtool scripts deeper in the WRKSRC
tree unless they're named something other than "libtool".
SHLIBTOOL_OVERRIDE generally doesn't need to be specified either -- just
define it to the empty list and shlibtool-override will look for libtool
scripts.
|
|
packages. Convert LDAP-based applications to depend on openldap-client, and
bump PKGREVISION for those that depend on it by default.
|
|
* added ability to specify which ip address spawn-fci listens on
(agkr@pobox.com)
* added mod_flv_streaming to streaming Flash Movies efficiently
* fixed handling of error codes returned by mod_dav_svn behing a
mod_proxy
* fixed error-messages in mod_auth and mod_fastcgi
* fixed re-enabling overloaded local fastcgi backends
* fixed handling of deleted files in linux-sendfile
* fixed compilation on BSD and MacOSX
* fixed $SERVER["socket"] on a already bound socket
* fixed local source retrieval on windows
(secunia)
* fixed hanging cgi if remote side is dieing while reading
from the pipe (sandy@meebo.com)
|
