Please merge lighttpd (1.4.33-1) from Debian testing

Bug #1246886 reported by Mattia Rizzolo on 2013-10-31
Affects: lighttpd (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Debian changelog since last merge:

lighttpd (1.4.33-1) unstable; urgency=low

  * Drop the connection-dos.patch - merged upstream.
  * Fix "mod_extforward missing configuration file": ship requested
    configuration file (Closes: #697304)
  * Remove access.conf, an obsolete conffiles as we should have done since
    2010 (Closes: #703215)
  * Push debhelper's compat mode to 9, the use of maintscript helper requires
    8.1 so we had to push the debhelper b-d anyway.
  * Fix "config.guess/config.sub out of date for arm64" by adding the patch
    provided by Colin Watson. Thanks (Closes: #726394).
  * Fix "[PATCH] use dh-systemd for proper systemd-related maintscripts" to
    add systemd support. Thanks to Michael Stapelberg (Closes: #713859)

 -- Arno Töll <email address hidden> Tue, 15 Oct 2013 21:24:49 +0200

lighttpd (1.4.31-4) unstable; urgency=high

  * CVE-2013-1427: Switch the socket path for PHP when using FastCGI. /tmp is
    world-writable which may cause security implications if an attacker
    manages to control /tmp/php.socket before the web server (re-)starts.
  * Switch VCS to git
  * Push standards version (no changes)

 -- Arno Töll <email address hidden> Thu, 14 Mar 2013 02:20:07 +0100

Mattia Rizzolo (mapreri) on 2013-10-31
Changed in lighttpd (Ubuntu):
assignee: nobody → Mattia Rizzolo (mapreri)
Mattia Rizzolo (mapreri) on 2013-10-31
Changed in lighttpd (Ubuntu):
status: New → In Progress
Mattia Rizzolo (mapreri) wrote :

This debdiff should merge lighttpd correctly.

Changed in lighttpd (Ubuntu):
assignee: Mattia Rizzolo (mapreri) → nobody
Mattia Rizzolo (mapreri) wrote :

Anyway, if someone uploads it, it will go into the dep-wait queue, since it needs automake >=1.14, which will be merged in the next weeks (hoping for the best), see #1191959.

Colin Watson (cjwatson) wrote :

Please ask the person who uploaded the package last in Ubuntu *before* you start working on a merge, to avoid duplicated work. (Since that person was me, I know you didn't do so.)

Martin Pitt (pitti) wrote :

Cleared with Colin, checked and uploaded, thanks!

Changed in lighttpd (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.33-1ubuntu1

---------------
lighttpd (1.4.33-1ubuntu1) trusty; urgency=low

  * Merge from Debian unstable (LP: #1246886). Remaining changes:
    - debian/index.html: corrected BTS Ubuntu link for lighttpd.
    - debian/index.html: s/Debian/Ubuntu/g branding on the default page.
    - debian/lighttpd.conf: Comment 'use-ipv6.pl' by default, which causes
      failure to bind port in ipv4.
    - Add lighttpd-dev package:
      + debian/control: Added lighttpd-dev package; Build-depends on
        automake (>=1.14), libtool.
      + debian/lighttpd-dev.install: Added.
    - debian/control: libgamin-dev rather than libfam-dev to fix startup warning.
    - debian/rules: Add override_dh_installinit to set "defaults 91 09" to not
      start before apache2 but in the same runlevel with the same priority.
    - Added a UFW profile set:
      + debian/lighttpd.dirs: added etc/ufw/applications.d
      + debian/rules: install the ufw profile.
      + debian/control: Suggests on ufw.
    - debian/patches/build-dev-package.patch: Updated to reflect 1.4.33 changes.

lighttpd (1.4.33-1) unstable; urgency=low

  * Drop the connection-dos.patch - merged upstream.
  * Fix "mod_extforward missing configuration file": ship requested
    configuration file (Closes: #697304)
  * Remove access.conf, an obsolete conffiles as we should have done since
    2010 (Closes: #703215)
  * Push debhelper's compat mode to 9, the use of maintscript helper requires
    8.1 so we had to push the debhelper b-d anyway.
  * Fix "config.guess/config.sub out of date for arm64" by adding the patch
    provided by Colin Watson. Thanks (Closes: #726394).
  * Fix "[PATCH] use dh-systemd for proper systemd-related maintscripts" to
    add systemd support. Thanks to Michael Stapelberg (Closes: #713859)

lighttpd (1.4.31-4) unstable; urgency=high

  * CVE-2013-1427: Switch the socket path for PHP when using FastCGI. /tmp is
    world-writable which may cause security implications if an attacker
    manages to control /tmp/php.socket before the web server (re-)starts.
  * Switch VCS to git
  * Push standards version (no changes)
 -- Mattia Rizzolo <email address hidden> Wed, 30 Oct 2013 15:52:50 +0100

Changed in lighttpd (Ubuntu):
status: Fix Committed → Fix Released
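
The CVE-2013-1427 changelog entry above concerns a FastCGI socket placed in a world-writable directory, where another local user can create the socket path before the web server (re-)starts. The following check is an added example, not part of this bug report or of the Debian/Ubuntu packaging: it scans lighttpd configuration text for "socket" entries and reports those whose directory is world-writable. The function names and the sample configuration are assumptions made for illustration.

```python
import os
import re
import stat

# Matches entries such as:  "socket" => "/tmp/php.socket"
SOCKET_RE = re.compile(r'"socket"\s*=>\s*"([^"]+)"')

# Constructed sample, using the socket path named in the changelog entry.
SAMPLE_CONFIG = '''
fastcgi.server += ( ".php" => ((
    "bin-path" => "/usr/bin/php-cgi",
    "socket"   => "/tmp/php.socket",
)))
'''

def socket_paths(config_text):
    """Return every "socket" path in the config, ignoring '#' comments.

    Simplification: a '#' inside a quoted string is treated as a comment.
    """
    paths = []
    for line in config_text.splitlines():
        paths.extend(SOCKET_RE.findall(line.split("#", 1)[0]))
    return paths

def dir_world_writable(directory):
    """True if any local user may create entries in `directory`."""
    try:
        return bool(os.stat(directory).st_mode & stat.S_IWOTH)
    except OSError:
        return False  # directory missing or unreadable: not reported here

def audit(config_text):
    """Return (socket_path, directory) for sockets in world-writable dirs.

    The sticky bit does not help: it stops other users from deleting the
    socket, not from creating that name first.
    """
    findings = []
    for path in socket_paths(config_text):
        directory = os.path.dirname(os.path.abspath(path))
        if dir_world_writable(directory):
            findings.append((path, directory))
    return findings

if __name__ == "__main__":
    for path, directory in audit(SAMPLE_CONFIG):
        print(f"{path}: {directory} is world-writable")
```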