Package: lighttpd / 1.4.53-4+deb10u1

Metadata

Package: lighttpd
Version: 1.4.53-4+deb10u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
core fix mixed use of srv split_vals array fixes 293.patch

src/array.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

---
mod_magnet fix invalid script return type crash fixe.patch

src/mod_magnet.c | 15 14 + 1 - 0 !
1 file changed, 14 insertions(+), 1 deletion(-)

---
core fix assertion with server.error handler fixes 2.patch

src/connections.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

---
mod_wstunnel fix ping interval for big endian fixes .patch

src/mod_wstunnel.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
core fix abort in http parseopts fixes 2945.patch

src/burl.c | 6 4 + 2 - 0 !
src/t/test_burl.c | 2 2 + 0 - 0 !
2 files changed, 6 insertions(+), 2 deletions(-)

---
core remove repeated slashes in http parseopts.patch

src/burl.c | 2 1 + 1 - 0 !
src/t/test_burl.c | 4 4 + 0 - 0 !
2 files changed, 5 insertions(+), 1 deletion(-)

---
core fix 1.4.52 regression in mem use with POST fixe.patch

src/chunk.c | 80 43 + 37 - 0 !
1 file changed, 43 insertions(+), 37 deletions(-)

 [patch] [core] fix 1.4.52 regression in mem use with POST (fixes #2948)

(thx rgenoud)

x-ref:
  "[regression][Bisected] lighttpd uses way more memory with POST since 1.4.52"
  https://redmine.lighttpd.net/issues/2948

core 200 for OPTIONS non existent path HTTP 1.1 fixe.patch

src/response.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch] [core] 200 for OPTIONS /non-existent/path HTTP/1.1 (fixes #2939)

200 for OPTIONS /non-existent/path HTTP/1.1 when a module,
such as mod_webdav, has set Allow response header

x-ref:
  "OPTIONS should return 2xx status for non-existent resources if Allow is set"
  https://redmine.lighttpd.net/issues/2939

core use high precision stat timestamp in etag.patch

src/etag.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [patch] [core] use high precision stat timestamp in etag

use high precision stat timestamp (on systems where available) in etag

mod_authn_ldap ldap_set_option LDAP_OPT_RESTART fixe.patch

src/mod_authn_ldap.c | 3 3 + 0 - 0 !
src/mod_vhostdb_ldap.c | 3 3 + 0 - 0 !
2 files changed, 6 insertions(+)

 [patch] [mod_authn_ldap] ldap_set_option LDAP_OPT_RESTART (fixes #2940)

ldap_set_option LDAP_OPT_RESTART to handle EINTR on SIGCHLD from CGI

(ldap uses poll(), which is not restartable with sigaction SA_RESTART)

x-ref:
  "mod_authn_ldap/mod_cgi race condition, "Can't contact LDAP server""
  https://redmine.lighttpd.net/issues/2940

core allocate unix socket paths with SUN_LEN 1 fixes.patch

src/sock_addr.c | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

 [patch] [core] allocate unix socket paths with SUN_LEN()+1 (fixes #2962)

(thx lighthouse2)

x-ref:
  "SUN_LEN in sock_addr.c (1.4.53, 1.4.54)"
  https://redmine.lighttpd.net/issues/2962

core issue config error for invalid fixes 2980.patch

src/configfile.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 [patch] [core] issue config error for invalid ':' (fixes #2980)

x-ref:
  "Embedded vim command line in conf file with no comment (#) hangs server"
  https://redmine.lighttpd.net/issues/2980

mod_authn_gssapi 500 if fail to delegate creds 2967.patch

src/mod_authn_gssapi.c | 32 22 + 10 - 0 !
1 file changed, 22 insertions(+), 10 deletions(-)

 [patch] [mod_authn_gssapi] 500 if fail to delegate creds (#2967)

x-ref:
  "mod_authn_gssapi requires delegation?"
  https://redmine.lighttpd.net/issues/2967

mod_authn_gssapi option to store delegated creds fix.patch

src/mod_authn_gssapi.c | 12 11 + 1 - 0 !
1 file changed, 11 insertions(+), 1 deletion(-)

 [patch] [mod_authn_gssapi] option to store delegated creds (fixes #2967)

default enabled for backwards compatibility; disable in future

(thx lameventanas)

x-ref:
  "mod_authn_gssapi requires delegation?"
  https://redmine.lighttpd.net/issues/2967

mod_auth require digest uri match original URI.patch

src/mod_auth.c | 4 1 + 3 - 0 !
1 file changed, 1 insertion(+), 3 deletions(-)

 [patch] [mod_auth] require digest uri= match original uri

lighttpd requires a strict match between the request URI and the uri=
auth-param provided in the Authenticate header.  lighttpd does not

mod_auth Authentication Info nextnonce.patch

src/mod_auth.c | 36 35 + 1 - 0 !
1 file changed, 35 insertions(+), 1 deletion(-)

 [patch] [mod_auth] Authentication-Info: nextnonce=...

send Authentication-Info nextnonce when nonce is approaching expiration

mod_auth http_auth_const_time_memeq improvement.patch

src/http_auth.c | 17 14 + 3 - 0 !
1 file changed, 14 insertions(+), 3 deletions(-)

 [patch] [mod_auth] http_auth_const_time_memeq improvement

employ volatile, which might matter with some compilers (or might not)
explicitly check that string lengths match
  (or else might match string where last char of short string matches
   repeated chars in longer string)

mod_auth http_auth_const_time_memeq_pad.patch

src/http_auth.c | 2 1 + 1 - 0 !
src/http_auth.h | 3 2 + 1 - 0 !
src/mod_authn_file.c | 2 1 + 1 - 0 !
3 files changed, 4 insertions(+), 3 deletions(-)

 [patch] [mod_auth] http_auth_const_time_memeq_pad()

rename http_auth_const_time_memeq() to http_auth_const_time_memeq_pad()

mod_auth http_auth_const_time_memeq 2975 2976.patch

src/http_auth.c | 23 23 + 0 - 0 !
src/http_auth.h | 2 2 + 0 - 0 !
src/mod_auth.c | 2 1 + 1 - 0 !
src/mod_authn_file.c | 2 1 + 1 - 0 !
src/mod_authn_mysql.c | 2 1 + 1 - 0 !
5 files changed, 28 insertions(+), 3 deletions(-)

 [patch] [mod_auth] http_auth_const_time_memeq() (#2975, #2976)

use constant time comparison when comparing digests

(mitigation for brute-force timing attacks against digests
 generated using the same nonce)

x-ref:
  "Digest auth nonces are not validated"
  https://redmine.lighttpd.net/issues/2976
  "safe_memcmp new function proposal"
  https://redmine.lighttpd.net/issues/2975
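The edge case described in the two http_auth_const_time_memeq commit messages above, as an added C example written for this page (not lighttpd's own http_auth_const_time_memeq()): a constructed comparison that clamps the shorter input's index to its last byte, beside a version that folds the length check into the result and accumulates through volatile. Function names and inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration of the flaw described above (not lighttpd's
 * code): the loop covers the longer input and clamps the shorter one's
 * index to its last byte, so "abc" compares equal to "abccc". */
static int flawed_memeq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen == 0 || blen == 0) return alen == blen;
    size_t n = alen > blen ? alen : blen;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; ++i) {
        size_t ia = i < alen ? i : alen - 1;   /* clamp to last byte */
        size_t ib = i < blen ? i : blen - 1;
        diff |= (unsigned char)(a[ia] ^ b[ib]);
    }
    return diff == 0;
}

/* Hardened version: a length mismatch is OR-ed into the result instead of
 * returning early, the loop always walks the longer length so the time does
 * not depend on where the first differing byte is, and the volatile
 * accumulator keeps the compiler from short-circuiting once diff != 0. */
static int const_time_memeq(const char *a, size_t alen, const char *b, size_t blen)
{
    const volatile unsigned char *va = (const volatile unsigned char *)a;
    const volatile unsigned char *vb = (const volatile unsigned char *)b;
    size_t n = alen > blen ? alen : blen;
    volatile unsigned char diff = (unsigned char)(alen != blen);
    for (size_t i = 0; i < n; ++i) {
        /* bytes past the shorter input compare as 0; lengths are not secret */
        unsigned char ca = i < alen ? va[i] : 0;
        unsigned char cb = i < blen ? vb[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

int main(void)
{
    /* constructed digest-like inputs: the flawed check is fooled, the fixed one is not */
    printf("flawed: abc vs abccc -> %d\n", flawed_memeq("abc", 3, "abccc", 5));
    printf("fixed : abc vs abccc -> %d\n", const_time_memeq("abc", 3, "abccc", 5));
    printf("fixed : abc vs abc   -> %d\n", const_time_memeq("abc", 3, "abc", 3));
    return 0;
}
```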

core reject WS following header field name fixes 298.patch

src/request.c | 15 15 + 0 - 0 !
src/t/test_request.c | 5 1 + 4 - 0 !
tests/request.t | 12 1 + 11 - 0 !
3 files changed, 17 insertions(+), 15 deletions(-)

 [patch] [core] reject WS following header field-name (fixes #2985)

reject whitespace following request header field-name and before colon
Such whitespace is forbidden in RFC 7230 Section 3.2.4.

strict header parsing is enabled by default in lighttpd.  However,
if explicitly disabled in lighttpd.conf, lighttpd will continue to
accept (and re-format) such field-names before passing to any backend.
  UNSAFE: server.http-parseopts = ( "header-strict" => "disable" )
  This is NOT RECOMMENDED since doing so disables other protections
  provided by lighttpd strict http header parsing.

(thx fedormixalich)

x-ref:
  stricter request header parsing
  https://redmine.lighttpd.net/issues/2985

core reject Transfer Encoding Content Length 2985.patch

src/request.c | 21 19 + 2 - 0 !
1 file changed, 19 insertions(+), 2 deletions(-)

 [patch] [core] reject Transfer-Encoding + Content-Length (#2985)

reject requests with both Transfer-Encoding and Content-Length
as recommended in RFC 7230 Section 3.3.3.

strict header parsing is enabled by default in lighttpd.  However,
if explicitly disabled in lighttpd.conf, lighttpd will continue to
accept Transfer-Encoding and Content-Length in the same request,
and will ignore (and remove) Content-Length before passing to backend.
  UNSAFE: server.http-parseopts = ( "header-strict" => "disable" )
  This is NOT RECOMMENDED since doing so disables other protections
  provided by lighttpd strict http header parsing.

RFC7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
  3.3.3.  Message Body Length
  [...]
  If a message is received with both a Transfer-Encoding and a
  Content-Length header field, the Transfer-Encoding overrides the
  Content-Length.  Such a message might indicate an attempt to
  perform request smuggling (Section 9.5) or response splitting
  (Section 9.4) and ought to be handled as an error.  A sender MUST
  remove the received Content-Length field prior to forwarding such
  a message downstream.

x-ref:
  stricter request header parsing
  https://redmine.lighttpd.net/issues/2985
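The two header-strict checks described in the two commit messages above (whitespace between field-name and colon, and Transfer-Encoding together with Content-Length), as an added C example written for this page rather than lighttpd's request.c: a small validator over a constructed header block that reports which rule was violated. The function, result codes and sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Result codes for a header block; anything non-zero would be answered 400. */
enum { HDR_OK = 0, HDR_WS_BEFORE_COLON = 1, HDR_TE_AND_CL = 2, HDR_NO_COLON = 3 };

/* Walk a header block (lines ending in "\n" or "\r\n", terminated by an
 * empty line) and apply the two checks from the commit messages above:
 *  - RFC 7230 3.2.4: no whitespace between the field-name and ':'
 *  - RFC 7230 3.3.3: Transfer-Encoding and Content-Length must not both
 *    appear in one request                                               */
static int check_headers(const char *hdrs)
{
    int has_te = 0, has_cl = 0;
    const char *p = hdrs;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen && p[linelen - 1] == '\r') --linelen;   /* tolerate CRLF */
        if (linelen == 0) break;                            /* end of headers */
        const char *colon = memchr(p, ':', linelen);
        if (!colon) return HDR_NO_COLON;
        size_t namelen = (size_t)(colon - p);
        if (namelen == 0 || p[namelen - 1] == ' ' || p[namelen - 1] == '\t')
            return HDR_WS_BEFORE_COLON;
        if (namelen == 17 && strncasecmp(p, "Transfer-Encoding", 17) == 0) has_te = 1;
        if (namelen == 14 && strncasecmp(p, "Content-Length", 14) == 0) has_cl = 1;
        if (!eol) break;
        p = eol + 1;
    }
    return (has_te && has_cl) ? HDR_TE_AND_CL : HDR_OK;
}

int main(void)
{
    /* constructed sample header blocks: clean, WS before colon, TE + CL */
    const char *samples[] = {
        "Host: example.test\r\nContent-Length: 5\r\n\r\n",
        "Host : example.test\r\n\r\n",
        "Host: example.test\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("sample %zu -> %d\n", i, check_headers(samples[i]));
    return 0;
}
```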

mod_openssl reject invalid ALPN.patch

src/mod_openssl.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] [mod_openssl] reject invalid ALPN

mod_accesslog parse multiple cookies fixes 2986.patch

src/mod_accesslog.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] [mod_accesslog] parse multiple cookies (fixes #2986)

(thx xoneca)

x-ref:
  "Cookie format specifier is broken"
  https://redmine.lighttpd.net/issues/2986

core preserve 2b and 2B in query string fixes 2999.patch

src/burl.c | 8 6 + 2 - 0 !
src/t/test_burl.c | 2 2 + 0 - 0 !
2 files changed, 8 insertions(+), 2 deletions(-)

 [patch] [core] preserve %2b and %2B in query string (fixes #2999)

normalize %2b or %2B in query string to %2B (uppercase hex),
and not to '+'

(thx int-e)

x-ref:
  "url-normalize-required expands %2B in query strings"
  https://redmine.lighttpd.net/issues/2999

mod_auth close connection after bad password.patch

src/mod_auth.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [patch] [mod_auth] close connection after bad password

mitigation slows down brute force password attacks

x-ref:
  "Possible feature: authentication brute force hardening"
  https://redmine.lighttpd.net/boards/3/topics/8885

core do not accept server.max connections.patch

src/network.c | 10 7 + 3 - 0 !
1 file changed, 7 insertions(+), 3 deletions(-)

 [patch] [core] do not accept() > server.max-connections

config update var run run for systemd.patch

doc/config/lighttpd.conf | 2 1 + 1 - 0 !
doc/lighttpd.8 | 2 1 + 1 - 0 !
doc/systemd/lighttpd.service | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 [patch] [config] update /var/run -> /run for systemd

This gets rid of the warning:
> May 19 10:56:32 buster systemd[1]: /lib/systemd/system/lighttpd.service:6:
> PIDFile= references path below legacy directory /var/run/,
> updating /var/run/lighttpd.pid → /run/lighttpd.pid;
> please update the unit file accordingly.

refs:
- https://github.com/systemd/systemd/commit/a2d1fb882c4308bc10362d971f333c5031d60069
- https://github.com/systemd/systemd/pull/9019
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929203
- Filesystem Hierarchy Standard 3.0 (FHS 3.0)

github: closes #100