[FFe] lighttpd 1.4.19

Bug #201439 reported by Stephan Ruegamer on 2008-03-12
Affects: lighttpd (Ubuntu)

Bug Description

Binary package hint: lighttpd

Dear Colleagues,

lighttpd 1.4.19 was released on 2008-03-10 (http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany):

It fixes all our security updates in hardy, as well as a list of other bugs like:
    * added support for If-Range: <date> (#1346)
    * added support for matching $HTTP["scheme"] in configs
    * fixed initgroups() called after chroot (#1384)
    * fixed case-sensitive check for Auth-Method (#1456)
    * execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428)
    * fixed a bug that made /-prefixed extensions being handled also when matching the end of the uri in fcgi,scgi and proxy modules (#1489)
    * print error if X-LIGHTTPD-send-file cannot be done; reset header Content-Length for send-file. Patches by Stefan Buehler
    * prevent crash in certain php-fcgi configurations (#841)
    * add IdleServers and Scoreboard directives in ?auto mode for mod_status (#1507)
    * open log immediately after daemonizing, fixes SIGPIPEs on startup (#165)
    * HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set. (#1499)
    * generate ETag and Last-Modified headers for mod_ssi based on newest modified include (#1491)
    * support letterhomes in mod_userdir (#1473)
    * support chained proxies in mod_extforward (#1528)
    * fixed bogus "cgi died ?" if we kill the CGI process on shutdown
    * fixed ECONNRESET handling in network-openssl
    * fixed handling of EAGAIN in network-linux-sendfile (#657)
    * reset conditional cache (#1164)
    * create directories in mod_compress (was broken with alias/userdir) (#1027)
    * fixed out of range access in fd array (#1562, #372) (CVE-2008-0983)
    * mod_compress should check if the request is already handled, e.g. by fastcgi (#1565)
    * remove broken workaround for buggy Opera version with ssl/chunked encoding (#285)
    * generate etag/last-modified header for on-the-fly-compressed files (#1171)
    * req-method OPTIONS: do not insert default response if request was denied, do not deny OPTIONS by default (#1324)
    * fixed memory leak on windows (#1347)
    * fixed building outside of the src dir (#1349)
    * fixed including of stdint.h/inttypes.h in etag.c (#1413)
    * do not add Accept-Ranges header if range-request is disabled (#1449)
    * log the ip of failed auth tries in error.log (enhancement #1544)
    * fixed RoundRobin in mod_proxy (#516)
    * check for symlinks after successful pathinfo matching (#1574)
    * fixed mod-proxy.t to run with a builddir outside of the src dir
    * do not suppress content on "307 Temporary Redirect" (#1412)
    * fixed Content-Length header if response body gets removed in connections.c (#1412, part 2)
    * do not generate a "Content-Length: 0" header for HEAD requests, added test too
    * remove compress cache file if compression or write failed (#1150)
    * fixed body handling of status 300 requests
    * spawn-fcgi: only try to connect to unix socket (not tcp) before spawning (#1575)
    * fix sending source of cgi script instead of 500 error if fork fails (CVE-2008-1111)
    * fix min-procs handling in mod_scgi.c, just set to max-procs (patch from #623)
    * fix sending "408 - Timeout" instead of "410 - Gone" for timedout urls in mod_secdownload (#1440)
    * workaround #1587: require userdir.path to be set to enable mod_userdir (empty string allowed) (CVE-2008-1270)
    * make configure checks for --with-pcre, --with-zlib and --with-bzip2 failing if the headers aren't found
    * fixed handling of waitpid() == EINTR mod_ssi on solaris

I packaged 1.4.19 (it's not yet in debian) and added all packaging changes from the debian version to 1.4.19.

First, we can drop all patches from the 1.4.18 package.
Second, all CVEs are fixed upstream; regarding the LTS version of hardy, we don't have a lot to take care of anymore. Only newer security issues need to be fixed.
Third, it fixes more bugs instead of introducing new features (that will be the case for 1.5).

Please find attached all necessary files for the FeatureFreezeException.

Stephan Ruegamer (sadig) wrote :
Changed in lighttpd:
importance: Undecided → Wishlist
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.19-0ubuntu1

lighttpd (1.4.19-0ubuntu1) hardy; urgency=low

  * New upstream release (LP: #201439)
    For Changes please read the NEWS file
    All security patches we have in 1.4.18 of hardy are included now upstream
  * debian/patches/*: All changes introduced by these patches are now applied
    - Dropped 90_CVE-2008-1111.dpatch
    - Dropped 91_CVE-2008-1270.dpatch
    - Dropped 90_maxfds_crash_fix.dpatch
    - Dropped 03_ldap_leak_bugfix.dpatch
    - Dropped 04_ldap_build_filter_fix.dpatch
    - Dropped 90_accept_ranges_fix.dpatch
  * debian/lighttpd.conf: (From Debian)
    - Move the aliases on /doc/ and /images/ mandated by policy to the end to
       circumvent #445459.
  * debian/rules: (From Debian)
    - Remove spurious mkdir in debian/rules (Closes: dbts 448160).
  * debian/conf-available/10-rrdtool: (From Debian)
    - Add sample configuration for the mod_rrdtool (Closes: dbts 462907).
  * debian/lighttpd.install:
    - Install 10-rrdtool
  * debian/patches/ldap-deprecated.dpatch:
    - Force use of deprecated ldap interfaces (Closes: dbts 463368),
      thanks to Dann Frazier (patches/ldap-deprecated.dpatch).
  * Bumped Standards Version to 3.7.3, bumped Compat to 6, adjusted build-dep
    of debhelper accordingly

 -- Stephan Hermann <email address hidden> Wed, 12 Mar 2008 15:52:09 +0100

Changed in lighttpd:
status: New → Fix Released