authorBeat Gaetzi <beat@FreeBSD.org>2012-11-26 21:04:11 +0000
committerBeat Gaetzi <beat@FreeBSD.org>2012-11-26 21:04:11 +0000
commitf73bcb2e156b1a4ab908977421090da64f13d990 (patch)
tree14a2a725439844e31f5ce65727f1a368b6a6492e
parent1108148c8e5fdc4703e759d34781351ae7e8cfaf (diff)
MFH r307616 by mm:
Document new vulnerability in www/lighttpd 1.4.31
MFH r307617 by mm:
Update lighttpd to 1.4.32 (fixes CVE-2012-5533)
Feature safe: yes
Notes
Notes: svn path=/branches/RELENG_9_1_0/; revision=307798
-rw-r--r--security/vuxml/vuln.xml32
-rw-r--r--www/lighttpd/Makefile3
-rw-r--r--www/lighttpd/distinfo4
-rw-r--r--www/lighttpd/files/patch-configure.ac22
4 files changed, 47 insertions, 14 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index ad1daa7a55bb..8944d1be36d6 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -51,6 +51,38 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="1cd3ca42-33e6-11e2-a255-5404a67eef98">
+ <topic>lighttpd -- remote DoS in header parsing</topic>
+ <affects>
+ <package>
+ <name>lighttpd</name>
+ <range><gt>1.4.30</gt><lt>1.4.32</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Lighttpd security advisory reports:</p>
+ <blockquote cite="http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt">
+ <p>Certain Connection header values will trigger an endless loop, for example:
+ "Connection: TE,,Keep-Alive"</p>
+ <p>On receiving such value, lighttpd will enter an endless loop,
+ detecting an empty token but not incrementing the current string
+ position, and keep reading the ',' again and again.</p>
+ <p>This bug was introduced in 1.4.31, when we fixed an "invalid read"
+ bug (it would try to read the byte before the string if it started
+ with ',', although the value wasn't actually used).</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2012-5533</cvename>
+ </references>
+ <dates>
+ <discovery>2012-11-17</discovery>
+ <entry>2012-11-21</entry>
+ </dates>
+ </vuln>
+
<vuln vid="d23119df-335d-11e2-b64c-c8600054b392">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
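Review bot: The new entry's `<references>` block holds only `<cvename>CVE-2012-5533</cvename>`; the upstream advisory is referenced solely through the `cite` attribute of the `<blockquote>`, which is not part of the entry's reference list and may not be shown wherever the entry is rendered. Adding `<url>http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt</url>` alongside the cvename would make the primary source visible next to the CVE. The `<range><gt>1.4.30</gt><lt>1.4.32</lt></range>` is consistent with the quoted advisory (introduced in 1.4.31, fixed in 1.4.32) and also covers the 1.4.31_N port revisions, which appears to be the intent.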
diff --git a/www/lighttpd/Makefile b/www/lighttpd/Makefile
index cd668cbee022..a929ed567dc3 100644
--- a/www/lighttpd/Makefile
+++ b/www/lighttpd/Makefile
@@ -6,8 +6,7 @@
#
PORTNAME?= lighttpd
-PORTVERSION= 1.4.31
-PORTREVISION= 5
+PORTVERSION= 1.4.32
CATEGORIES?= www
MASTER_SITES?= http://download.lighttpd.net/lighttpd/releases-1.4.x/
diff --git a/www/lighttpd/distinfo b/www/lighttpd/distinfo
index 26b2d4d3abf5..ac8aec665e16 100644
--- a/www/lighttpd/distinfo
+++ b/www/lighttpd/distinfo
@@ -1,5 +1,5 @@
-SHA256 (lighttpd-1.4.31.tar.bz2) = 5209e7a25d3044cb21b34d6a2bb3a6f6c216ba903ea486a803d070582e5e26ac
-SIZE (lighttpd-1.4.31.tar.bz2) = 675275
+SHA256 (lighttpd-1.4.32.tar.bz2) = 60691b2dcf3ad2472c06b23d75eb0c164bf48a08a630ed3f308f61319104701f
+SIZE (lighttpd-1.4.32.tar.bz2) = 681065
SHA256 (lighttpd-1.4.26_mod_h264_streaming-2.2.9.patch.gz) = d7c3704d5253c4f3c18459f89059063b311e50096cd2c38fc982cec683c32e61
SIZE (lighttpd-1.4.26_mod_h264_streaming-2.2.9.patch.gz) = 44695
SHA256 (lighttpd-1.4.26_mod_geoip.patch.gz) = db43cc0ed7c808b5eed3185d97346e70dea0f1ef4fa9ed436d08e4faff7f97e7
diff --git a/www/lighttpd/files/patch-configure.ac b/www/lighttpd/files/patch-configure.ac
index 2f5c627cd90e..f697cfe28bd7 100644
--- a/www/lighttpd/files/patch-configure.ac
+++ b/www/lighttpd/files/patch-configure.ac
@@ -1,10 +1,16 @@
---- configure.ac.orig 2011-07-03 09:33:11.000000000 -0700
-+++ configure.ac 2012-05-03 16:49:19.000000000 -0700
-@@ -18,2 +18,3 @@
+--- configure.ac.orig 2012-11-19 11:05:29.000000000 +0100
++++ configure.ac 2012-11-21 14:22:53.723233779 +0100
+@@ -16,6 +16,7 @@
+ dnl Checks for programs.
+ AC_PROG_CC
AM_PROG_CC_C_O
+AM_PROG_AR
AC_PROG_LD
-@@ -26,7 +27,2 @@
+ AC_PROG_INSTALL
+ AC_PROG_AWK
+@@ -30,11 +31,6 @@
+ dnl AM_PROG_AR requires automake 1.11 (and uses AC_COMPILE_IFELSE which wants AC_USE_SYSTEM_EXTENSIONS)
+ m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
-dnl check environment
-AC_AIX
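Review bot: The port patch still carries its first inner hunk adding an unconditional `+AM_PROG_AR` after `AM_PROG_CC_C_O` (kept as context here), while the new context lines `dnl AM_PROG_AR requires automake 1.11 ...` and `m4_ifdef([AM_PROG_AR], [AM_PROG_AR])` show that the 1.4.32 configure.ac already invokes AM_PROG_AR itself, guarded for older automake. That inner hunk therefore looks redundant, and its unguarded form is the one that would presumably be left unexpanded on an automake without AM_PROG_AR; unless it is still needed for a reason the commit does not state, dropping it so only the upstream m4_ifdef call remains would be cleaner. The inner hunk counts on the new side (`@@ -16,6 +16,7 @@`, `@@ -30,11 +31,6 @@`) should be re-verified after any such edit, and this file's second outer hunk continues past the shown lines.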
@@ -12,9 +18,5 @@
-AC_MINIX
-
dnl AC_CANONICAL_HOST
-@@ -40,5 +36,2 @@
-
--dnl more automake stuff
--AM_C_PROTOTYPES
--
- dnl libtool
+ case $host_os in
+ *darwin*|*cygwin*|*aix*|*mingw* ) NO_RDYNAMIC=yes;;