Package: lighttpd / 1.4.35-4+deb8u1

Metadata

Package: lighttpd
Version: 1.4.35-4+deb8u1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description

kfreebsd disable test.patch

tests/run-tests.pl | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 disable mod-fastcgi test on kfreebsd
spelling.patch

src/mod_auth.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix a minor spelling error
no sslv3.patch

src/configfile.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 disable sslv3 by default
mitigate httpoxy 779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch

src/mod_cgi.c | 7 7 + 0 - 0 !
src/mod_fastcgi.c | 7 7 + 0 - 0 !
src/mod_proxy.c | 4 4 + 0 - 0 !
src/mod_scgi.c | 7 7 + 0 - 0 !
src/mod_ssi.c | 9 8 + 1 - 0 !
5 files changed, 33 insertions(+), 1 deletion(-)

 [patch] [security] do not emit http_proxy to cgi env

Strip bogus "Proxy" header before creating subprocess environment.
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi, mod_proxy)

Do not emit HTTP_PROXY to subprocess environment.
Some executables use HTTP_PROXY to configure outgoing proxy.

This is not a lighttpd security issue per se, but this change to
lighttpd adds a layer of defense to protect backend processes which
might be vulnerable due to blindly using this untrusted environment
variable.  The HTTP_PROXY environment variable should not be trusted
by a program running in a CGI-like environment.

Mitigation in lighttpd <= 1.4.40 is to reject requests w/ Proxy header:

* Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
  if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
* Modify lighttpd.conf to load mod_magnet and run lua code
    server.modules += ( "mod_magnet" )
    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

References:

https://www.kb.cert.org/vuls/id/797896
CGI web servers assign Proxy header values from client requests to
internal HTTP_PROXY environment variables

https://httpoxy.org/
httpoxy: A CGI application vulnerability
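The hazard this patch addresses, shown as an added example in C (not lighttpd's code): the usual CGI mapping from a request header name to its HTTP_* environment variable, and a filter that refuses to export the one header that would become HTTP_PROXY. The header names and values below are constructed for the example.

```c
/* Added example (not lighttpd's code): why a client-supplied "Proxy" header
 * reaches backends as HTTP_PROXY, and how a server can drop it. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Map "Header-Name" to "HTTP_HEADER_NAME" as CGI does (RFC 3875):
 * uppercase, '-' to '_', prefix "HTTP_". Returns length, or -1 if out is too small. */
static int cgi_env_name(const char *hdr, char *out, size_t outlen) {
    static const char prefix[] = "HTTP_";
    size_t plen = sizeof prefix - 1, n = strlen(hdr);
    if (outlen < plen + n + 1) return -1;
    memcpy(out, prefix, plen);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)hdr[i];
        out[plen + i] = (c == '-') ? '_' : (char)toupper(c);
    }
    out[plen + n] = '\0';
    return (int)(plen + n);
}

/* Mitigation check: a header is exportable unless its mapped name is HTTP_PROXY,
 * which many HTTP client libraries read to select an outgoing proxy.
 * Comparing the mapped name makes the check case-insensitive for free. */
static int header_exportable(const char *hdr) {
    char name[96];
    if (cgi_env_name(hdr, name, sizeof name) < 0) return 0;   /* oversized: drop */
    return strcmp(name, "HTTP_PROXY") != 0;
}

/* Build the HTTP_* entries of a subprocess environment; returns how many were exported. */
static int export_headers(const char *const names[], const char *const values[],
                          int n, char env[][128], int maxenv) {
    int k = 0;
    for (int i = 0; i < n && k < maxenv; i++) {
        char name[96];
        if (!header_exportable(names[i])) continue;              /* httpoxy mitigation */
        if (cgi_env_name(names[i], name, sizeof name) < 0) continue;
        snprintf(env[k++], 128, "%s=%s", name, values[i]);
    }
    return k;
}

int main(void) {
    /* constructed request headers, including a hostile "Proxy" header */
    const char *const names[]  = { "Host", "User-Agent", "Proxy", "X-Forwarded-For" };
    const char *const values[] = { "example.test", "curl/7.0", "http://203.0.113.1:8080", "203.0.113.9" };
    char env[8][128];
    int k = export_headers(names, values, 4, env, 8);
    for (int i = 0; i < k; i++) puts(env[i]);   /* HTTP_PROXY line is absent */
    return 0;
}
```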