Bug 185442 - www-servers/lighttpd < 1.4.16 Multiple issues (CVE-2007-39{46,47,48,49,50}, CVE-2007-2841)

Bug#: 185442
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL: http://secunia.com/advisories/26130
Summary: www-servers/lighttpd < 1.4.16 Multiple issues (CVE-2007-39{46,47,48,49,50}, CVE-2007-2841)
Keywords:
Status Whiteboard: B2 [glsa] jaervosz
Opened: 2007-07-15 19:21 0000

Attaching patches in a moment.
Thilo, please provide an updated ebuild for prestable testing. Friendly note: Do
NOT commit anything yet.
Further details (not patches) will be attached later.
Created an attachment (id=124971): 09_all_lighttpd-1.4.15-mod_fastcgi_local_dos.diff
Drop the patches into files/1.4.15/ and use the attached ebuild.
The patches have been modified in naming (so as to work with epatch) and minor
layout (header removed), and the NEWS section update of the duplicate-headers
patch has been removed (clash).
Thx Thilo for the fast response.
Arch security liaisons please test and report back on this bug.
*** Bug 185549 has been marked as a duplicate of this bug. ***
compiles and runs fine on ppc64
Release date is tomorrow, still need status from:
x86 ppc amd64 alpha
The next 10 days I'll be on vacation and thus not able to commit this babe...
sorry.
Public now. Somebody please commit this.
*** Bug 185978 has been marked as a duplicate of this bug. ***
(In reply to comment #14)
> Release date is tomorrow, still need status from:
>
> x86 ppc amd64 alpha
Works for me on x86 and amd64 (passes collision-protect and works like before),
though I'm no arch team person.
I just wanted to commit, but wasn't sure how to do so. If we drop the patches
in ${FILESDIR}/1.4.15, then 1.4.15-r1 will be the exact same ebuild as 1.4.15
and everybody who compiles 1.4.15 will get the patches from this bug, too.
(Due to this line in the ebuild:
EPATCH_SUFFIX="diff" EPATCH_OPTS="-l" epatch ${FILESDIR}/${PV} || die "Patching failed!")
I could create ${FILESDIR}/1.4.15-r1, but then we have to copy over the files
from ${FILESDIR}/1.4.15, which means duplicated patches in CVS. I would do the
copy, but as this is not my package I would like to hear a comment before I
commit.
gustavoz: thanks for committing, real life caught me for some hours...
ppc64 stable
make[3]: Entering directory
`/var/tmp/portage/www-servers/lighttpd-1.4.15-r1/work/lighttpd-1.4.15/tests'
cp: cannot stat `./docroot/www/*.html~': No such file or directory
preparing infrastructure PASS: prepare.sh
./core-var-include....ok
./core-condition......ok
./core-request........ok
./core-response.......ok
./core-keepalive......ok
./core................ok
./mod-access..........# status failed: expected '403', got '404'
# Failed test '\#1230 - forbid access to ...~ - trailing slash'
# at ./mod-access.t line 31.
# Looks like you failed 1 test of 4.
dubious
Test returned status 1 (wstat 256, 0x100)
DIED. FAILED test 3
Failed 1/4 tests, 75.00% okay
./mod-auth............ok
./mod-cgi.............ok
./mod-compress........ok
./mod-fastcgi.........# header vary is duplicated: Accept-Encoding and
Accept-Encoding
ok
34/47 skipped: various reasons
./mod-redirect........ok
./mod-userdir.........ok
./mod-rewrite.........ok
5/5 skipped: various reasons
./request.............ok
./mod-ssi.............ok
./mod-setenv..........ok
./lowercase...........ok
./cachable............ok
Failed Test Stat Wstat Total Fail List of Failed
-------------------------------------------------------------------------------
./mod-access.t 1 256 4 1 3
39 subtests skipped.
Failed 1/19 test scripts. 1/278 subtests failed.
Files=19, Tests=278, 10 wallclock secs ( 2.33 cusr + 0.42 csys = 2.75 CPU)
Failed 1/19 test programs. 1/278 subtests failed.
FAIL: run-tests.pl
cleaning up PASS: cleanup.sh
================================
1 of 3 tests failed
Please report to jan@kneschke.de
================================
make[3]: *** [check-TESTS] Error 1
make[3]: Leaving directory
`/var/tmp/portage/www-servers/lighttpd-1.4.15-r1/work/lighttpd-1.4.15/tests'
make[2]: *** [check-am] Error 2
make[2]: Leaving directory
`/var/tmp/portage/www-servers/lighttpd-1.4.15-r1/work/lighttpd-1.4.15/tests'
make[1]: *** [check-recursive] Error 1
make[1]: Leaving directory
`/var/tmp/portage/www-servers/lighttpd-1.4.15-r1/work/lighttpd-1.4.15/tests'
make: *** [check-recursive] Error 1
Should we ignore them? The actual stable version works fine.
x86 stable; the test failure is caused by the mod_access patch, but there seems to be
no loss in functionality... so I say: Go.
alpha/ia64 stable
Removing liaisons and adding remaining arches
Same test failure on ppc, ppc stable
1.4.16 has been released - are we interested in moving to that for easier
maintenance or sticking with our patchset?
Well - someone will surely ask for it, so I put it in. I don't know where the
scgi patch comes from, and it looks like it hasn't been applied upstream, so I
left it out... for now.
security: can you advise? The subject mentions five CVEs, there are only three
patches on this bug, while the release announcement by lighttpd lists four (and
no CVEs).
Anyway, it appears that the three patches on this bug are covered by the 1.4.16
release. So, ARM: Please mark 1.4.16 stable instead of 1.4.15-r1. Thanks.
Thilo: according to http://www.lighttpd.net/download, the patch about mod_auth
covers 4 issues, and Secunia added one more CVE ref...
WRT the current situation, I'd tend to say that it would be much simpler to
stabilize 1.4.16 instead of trying to figure out this patching mess.
I'm sorry for putting more work on arches teams, but I think that's the best
way to go from here.
arch teams: please mark stable: lighttpd-1.4.16
x86 stable, changing status to "stable" again.
hppa, does something cause any trouble?
(In reply to comment #40)
> hppa, does something cause any trouble?
No, we're just temporarily understaffed.
Stable for HPPA.
Rerating and setting status to glsa.
GLSA 200708-11, thanks everybody (in time, at last ;) )