author | Arno Töll <arno@debian.org> | 2013-03-17 19:09:20 +0100 |
---|---|---|
committer | Arno Töll <arno@debian.org> | 2013-03-17 19:09:20 +0100 |
commit | 5c733a9eafbc5c134c70a8b54c67680a504576ff (patch) | |
tree | d70c7526221b8ab6b82f78ee4fa2dc46d447f663 | |
parent | 5ed33e7873512d5cd24b0cedf94557ddd22a823e (diff) | |
parent | 50380b996b69d6358707df768474853b7225de98 (diff) | |
download | lighttpd-5c733a9eafbc5c134c70a8b54c67680a504576ff.tar.gz |
Merge branch 'new-master'
Conflicts:
debian/changelog
-rw-r--r-- | debian/NEWS | 18 | ||||
-rw-r--r-- | debian/changelog | 13 | ||||
-rw-r--r-- | debian/conf-available/15-fastcgi-php.conf | 2 |
3 files changed, 28 insertions, 5 deletions
diff --git a/debian/NEWS b/debian/NEWS
index 33cb310..69c120b 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,21 @@
+lighttpd (1.4.31-4) unstable; urgency=high
+
+ The default Debian configuration file for PHP invoked from FastCGI was
+ vulnerable to local symlink attacks and race conditions when an attacker
+ manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3)
+ before the web server started. Possibly the web server could have been
+ tricked to use a forged PHP.
+
+ The problem lies in the configuration, thus this update will fix the problem
+ only if you did not modify the file /etc/lighttpd/conf-available/15-fastcgi-php.conf
+ If you did, dpkg will not overwrite your changes. Please make sure to set
+
+ "socket" => "/var/run/lighttpd/php.socket"
+
+ yourself in that case.
+
+ -- Arno Töll <arno@debian.org> Thu, 14 Mar 2013 01:57:42 +0100
+
 lighttpd (1.4.30-1) unstable; urgency=medium
 
 This releases includes an option to force Lighttpd to honor the cipher order
diff --git a/debian/changelog b/debian/changelog
index a50b2d3..defc8cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,13 +1,18 @@
 lighttpd (1.4.32-1) UNRELEASED; urgency=low
 
- * New upstream release
- * Switch VCS to git
- * Push standards version (no changes)
 * Drop the connection-dos.patch - merged upstream.
 * Fix "mod_extforward missing configuration file": ship requeste
 configuration file (Closes: #697304)
 
- -- Arno Töll <arno@debian.org> Sun, 20 Jan 2013 02:09:27 +0100
+lighttpd (1.4.31-4) unstable; urgency=high
+
+ * CVE-2013-1427: Switch the socket path for PHP when using FastCGI. /tmp is
+ world-writable which may cause security implications if an attacker
+ manages to control /tmp/php.socket before the web server (re-)starts.
+ * Switch VCS to git
+ * Push standards version (no changes)
+
+ -- Arno Töll <arno@debian.org> Thu, 14 Mar 2013 02:20:07 +0100
 
 lighttpd (1.4.31-3) unstable; urgency=high
 
diff --git a/debian/conf-available/15-fastcgi-php.conf b/debian/conf-available/15-fastcgi-php.conf
index 60822a9..cea11c2 100644
--- a/debian/conf-available/15-fastcgi-php.conf
+++ b/debian/conf-available/15-fastcgi-php.conf
@@ -6,7 +6,7 @@ fastcgi.server += (
 ".php" => ((
 "bin-path" => "/usr/bin/php-cgi",
- "socket" => "/tmp/php.socket",
+ "socket" => "/var/run/lighttpd/php.socket",
 "max-procs" => 1,
 "bin-environment" => (
 "PHP_FCGI_CHILDREN" => "4",
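Review bot: The new path on the `+ "socket"` line only closes the hole if /var/run/lighttpd exists before php-cgi is spawned and is owned by, and writable only by, the web server's user; nothing in this hunk or elsewhere in the commit creates that directory or sets its mode, so that is presumably left to the init script or maintainer scripts and is worth confirming, especially since /var/run is commonly volatile and empty after boot. The setting also deserves a comment so a later editor does not move it back to a shared temporary directory: `# Keep the socket under /var/run/lighttpd, which is private to the web server user; a world-writable location such as /tmp exposed it to symlink and race attacks (CVE-2013-1427).` The enclosing fastcgi.server block starts before and ends after this hunk.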