Attaching patches in a moment.
Created attachment 124941: lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
Created attachment 124943: lighttpd-1.4.x_mod_access_bypass.patch
Created attachment 124944: lighttpd-1.4.x_mod_fastcgi_local_dos.patch
Thilo, please provide an updated ebuild for prestable testing. Friendly note: do NOT commit anything yet. Further details (not patches) will be attached later.
Created attachment 124966: lighttpd-1.4.15-r1.ebuild
Created attachment 124968: 07_all_lighttpd-1.4.15-duplicated_headers_with_folding_crash.diff
Created attachment 124969: 08_all_lighttpd-1.4.15-mod_access_bypass.diff
Created attachment 124971: 09_all_lighttpd-1.4.15-mod_fastcgi_local_dos.diff

Drop the patches into files/1.4.15/ and use the attached ebuild. The patches have been modified in naming (so as to work with epatch) and minor layout (header removed), and the NEWS section update of the duplicate headers patch has been removed (clash).
Thanks, Thilo, for the fast response. Arch security liaisons, please test and report back on this bug.
*** Bug 185549 has been marked as a duplicate of this bug. ***
compiles and runs fine on ppc64
Works for hppa.
sparc okie dokie.
Release date is tomorrow, still need status from: x86 ppc amd64 alpha
The next 10 days I'll be on vacation and thus not able to commit this babe... sorry.
Public now. Somebody please commit this.
*** Bug 185978 has been marked as a duplicate of this bug. ***
(In reply to comment #14)
> Release date is tomorrow, still need status from:
>
> x86 ppc amd64 alpha

Works for me on x86 and amd64 (passes collision-protect and works like before), though I'm no arch team person.
I just wanted to commit, but wasn't sure how to do so. If we drop the patches in ${FILESDIR}/1.4.15, then 1.4.15-r1 will be the exact same ebuild as 1.4.15 and everybody who compiles 1.4.15 will get the patches from this bug, too. (Due to this line in the ebuild:

  EPATCH_SUFFIX="diff" EPATCH_OPTS="-l" epatch ${FILESDIR}/${PV} || die "Patching failed!"

) I could create ${FILESDIR}/1.4.15-r1, but then we have to copy over the files from ${FILESDIR}/1.4.15, which means duplicated patches in CVS. I would do the copy, but as this is not my package I would like to hear a comment before I commit.
There's another bug as pointed out by smithj, it's RPL-1554 (https://issues.rpath.com/browse/RPL-1554 and http://lists.rpath.com/pipermail/distro-commits/2007-July/055669.html). It's patched in 1.4.15-r1 in the tree, so arches will have to stabilize it themselves because of this addition. Corsair: switch to PVR, duplicate it for now (with 1.4.15-r1 having the sec patches) and when arches are done do a simple cleanup. Security: arches should be called in now.
gustavoz: thanks for committing, real life caught me for some hours.. ppc64 stable
Stable for HPPA.
sparc stable.
make[3]: Entering directory `/var/tmp/portage/www-servers/lighttpd-1.4.15-r1/work/lighttpd-1.4.15/tests'
cp: cannot stat `./docroot/www/*.html~': No such file or directory
preparing infrastructure
PASS: prepare.sh
./core-var-include....ok
./core-condition......ok
./core-request........ok
./core-response.......ok
./core-keepalive......ok
./core................ok
./mod-access..........# status failed: expected '403', got '404'
#   Failed test '\#1230 - forbid access to ...~ - trailing slash'
#   at ./mod-access.t line 31.
# Looks like you failed 1 test of 4.
dubious
        Test returned status 1 (wstat 256, 0x100)
DIED. FAILED test 3
        Failed 1/4 tests, 75.00% okay
./mod-auth............ok
./mod-cgi.............ok
./mod-compress........ok
./mod-fastcgi.........# header vary is duplicated: Accept-Encoding and Accept-Encoding
ok
        34/47 skipped: various reasons
./mod-redirect........ok
./mod-userdir.........ok
./mod-rewrite.........ok
        5/5 skipped: various reasons
./request.............ok
./mod-ssi.............ok
./mod-setenv..........ok
./lowercase...........ok
./cachable............ok
Failed Test    Stat Wstat Total Fail  List of Failed
-------------------------------------------------------------------------------
./mod-access.t    1   256     4    1  3
39 subtests skipped.
Failed 1/19 test scripts. 1/278 subtests failed.
Files=19, Tests=278, 10 wallclock secs ( 2.33 cusr +  0.42 csys =  2.75 CPU)
Failed 1/19 test programs. 1/278 subtests failed.
FAIL: run-tests.pl
cleaning up
PASS: cleanup.sh
================================
1 of 3 tests failed
Please report to jan@kneschke.de
================================
make[3]: *** [check-TESTS] Error 1
make[3]: Leaving directory `/var/tmp/portage/www-servers/lighttpd-1.4.15-r1/work/lighttpd-1.4.15/tests'
make[2]: *** [check-am] Error 2
make[2]: Leaving directory `/var/tmp/portage/www-servers/lighttpd-1.4.15-r1/work/lighttpd-1.4.15/tests'
make[1]: *** [check-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/www-servers/lighttpd-1.4.15-r1/work/lighttpd-1.4.15/tests'
make: *** [check-recursive] Error 1

Should we ignore them? The actual stable version works fine.
x86 stable. The test failure is caused by the mod_access patch, but there seems to be no loss in functionality... so I say: Go.
alpha/ia64 stable. Removing liaisons and adding remaining arches.
Same test failure on ppc. ppc stable.
Adding refs.
amd64 stable
1.4.16 has been released - are we interested in moving to that for easier maintenance or sticking with our patchset?
Well, someone will surely ask for it, so I put it in. I don't know where the scgi patch comes from, and it looks like it hasn't been applied upstream, so I left it out... for now. Security: can you advise? The subject mentions five CVEs, there are only three patches on this bug, while the release announcement by lighttpd lists four (and no CVEs). Anyway, it appears that the three patches on this bug are covered by the 1.4.16 release. So, ARM: please mark 1.4.16 stable instead of 1.4.15-r1. Thanks.
Thilo: according to http://www.lighttpd.net/download, the patch about mod_auth covers 4 issues, and Secunia added one more CVE ref... wrt the current situation, I'd tend to say that it would be much simpler to stabilize 1.4.16 instead of trying to figure out this patching mess. I'm sorry for putting more work on arch teams, but I think that's the best way to go from here.
Arch teams: please mark stable: lighttpd-1.4.16
x86 stable, changing status to "stable" again.
alpha/ia64 stable
ppc64 stable
ppc stable
hppa, is something causing any trouble?
(In reply to comment #40)
> hppa, does something cause any trouble?

No, we're just temporarily understaffed. Stable for HPPA.
Rerating and setting status to glsa.
GLSA 200708-11, thanks everybody (in time, at last ;) )