diff -Nru lighttpd-1.4.26/debian/changelog lighttpd-1.4.26/debian/changelog
--- lighttpd-1.4.26/debian/changelog 2010-07-16 01:25:24.000000000 +0700
+++ lighttpd-1.4.26/debian/changelog 2011-12-20 17:35:46.000000000 +0700
@@ -1,3 +1,12 @@
+lighttpd (1.4.26-3ubuntu2.1) maverick-security; urgency=low
+
+ * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
+ (LP: #906792)
+ - debian/patches/CVE-2011-4362.patch: patch derived from upstream
+ - CVE-2011-4362
+
+ -- Mahyuddin Susanto Tue, 20 Dec 2011 17:35:38 +0700
+
 lighttpd (1.4.26-3ubuntu2) maverick; urgency=low

 * syntax_check function defined in init script. (LP: #600767)
diff -Nru lighttpd-1.4.26/debian/patches/CVE-2011-4362.patch lighttpd-1.4.26/debian/patches/CVE-2011-4362.patch
--- lighttpd-1.4.26/debian/patches/CVE-2011-4362.patch 1970-01-01 07:00:00.000000000 +0700
+++ lighttpd-1.4.26/debian/patches/CVE-2011-4362.patch 2011-12-20 17:23:02.000000000 +0700
@@ -0,0 +1,19 @@
+Description: DoS because of incorrect code in src/http_auth.c:67
+Origin: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt
+Bug: http://redmine.lighttpd.net/issues/2370
+Bug-Debian: http://bugs.debian.org/652726
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/906792
+
+Index: lighttpd-1.4.26/src/http_auth.c
+===================================================================
+--- lighttpd-1.4.26.orig/src/http_auth.c 2010-02-02 06:28:20.000000000 +0700
++++ lighttpd-1.4.26/src/http_auth.c 2011-12-20 17:21:22.305069701 +0700
+@@ -89,7 +89,7 @@
+ ch = in[0];
+ /* run through the whole string, converting as we go */
+ for (i = 0; i < in_len; i++) {
+- ch = in[i];
++ ch = (unsigned char) in[i];
+
+ if (ch == '\0') break;
+
diff -Nru lighttpd-1.4.26/debian/patches/series lighttpd-1.4.26/debian/patches/series
--- lighttpd-1.4.26/debian/patches/series 2010-06-28 03:15:41.000000000 +0700
+++ lighttpd-1.4.26/debian/patches/series 2011-12-20 17:20:14.000000000 +0700
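Review bot: The added cast in `ch = (unsigned char) in[i];` (the http_auth.c hunk carried inside debian/patches/CVE-2011-4362.patch) keeps bytes >= 0x80 from becoming a negative `ch` where plain `char` is signed, but it is only a complete fix if whatever `ch` indexes later in this function has an entry for every value 0..255; the function starts and ends outside the hunk, so that should be confirmed against the 1.4.26 source before the backport ships. The unchanged `ch = in[0];` just above the loop still converts without the cast; it looks like a dead store that the loop overwrites, but making it match (or dropping it) avoids leaving one signed read behind. I would also put a comment on the changed line, e.g. `/* plain char may be signed: keep ch in 0..255 so it is never a negative index */`. The patch header cites src/http_auth.c:67 while the hunk applies at line 89, so the Description is worth re-checking against this version.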
@@ -1,3 +1,4 @@
 debian-changes-1.4.26-2
 build-dev-package.patch
 fixopenssl.patch
+CVE-2011-4362.patch