Package: lighttpd / 1.4.59-1~bpo10+1

Metadata

Package: lighttpd
Version: 1.4.59-1~bpo10+1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
core 101 upgrade fails if Content Length.patch

src/http-header-glue.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] [core] 101 upgrade fails if content-length incl (fixes #3063)

(thx daimh)

commit 903024d7 in lighttpd 1.4.57 fixed issue #3046 but in the process
broke HTTP/1.1 101 Switching Protocols which included Content-Length: 0
in the response headers.  Content-Length response header is permitted
by the RFCs, but not necessary with HTTP status 101 Switching Protocols.

x-ref:
  "websocket proxy fails if 101 Switching Protocols from backend includes Content-Length"
  https://redmine.lighttpd.net/issues/3063

mod_auth close HTTP 2 connection after bad pass.patch

src/connections.c | 22 21 + 1 - 0 !
src/mod_accesslog.c | 2 1 + 1 - 0 !
src/mod_auth.c | 6 3 + 3 - 0 !
src/reqpool.c | 1 1 + 0 - 0 !
src/request.h | 2 1 + 1 - 0 !
src/response.c | 4 2 + 2 - 0 !
6 files changed, 29 insertions(+), 8 deletions(-)

 [patch] [mod_auth] close http/2 connection after bad pass

mitigation slows down brute force password attacks

x-ref:
  "Possible feature: authentication brute force hardening"
  https://redmine.lighttpd.net/boards/3/topics/8885