author | Beat Gaetzi <beat@FreeBSD.org> | 2012-11-26 21:04:11 +0000 |
---|---|---|
committer | Beat Gaetzi <beat@FreeBSD.org> | 2012-11-26 21:04:11 +0000 |
commit | f73bcb2e156b1a4ab908977421090da64f13d990 (patch) | |
tree | 14a2a725439844e31f5ce65727f1a368b6a6492e | |
parent | 1108148c8e5fdc4703e759d34781351ae7e8cfaf (diff) | |
MFH r307616 by mm:
Document new vulnerability in www/lighttpd 1.4.31
MFH r307617 by mm:
Update lighttpd to 1.4.32 (fixes CVE-2012-5533)
Feature safe: yes
Notes
Notes:
svn path=/branches/RELENG_9_1_0/; revision=307798
-rw-r--r-- | security/vuxml/vuln.xml | 32 | ||||
-rw-r--r-- | www/lighttpd/Makefile | 3 | ||||
-rw-r--r-- | www/lighttpd/distinfo | 4 | ||||
-rw-r--r-- | www/lighttpd/files/patch-configure.ac | 22 |
4 files changed, 47 insertions, 14 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index ad1daa7a55bb..8944d1be36d6 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -51,6 +51,38 @@ Note: Please add new entries to the beginning of this file.
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="1cd3ca42-33e6-11e2-a255-5404a67eef98">
+ <topic>lighttpd -- remote DoS in header parsing</topic>
+ <affects>
+ <package>
+ <name>lighttpd</name>
+ <range><gt>1.4.30</gt><lt>1.4.32</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Lighttpd security advisory reports:</p>
+ <blockquote cite="http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt">
+ <p>Certain Connection header values will trigger an endless loop, for example:
+ "Connection: TE,,Keep-Alive"</p>
+ <p>On receiving such value, lighttpd will enter an endless loop,
+ detecting an empty token but not incrementing the current string
+ position, and keep reading the ',' again and again.</p>
+ <p>This bug was introduced in 1.4.31, when we fixed an "invalid read"
+ bug (it would try to read the byte before the string if it started
+ with ',', although the value wasn't actually used).</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2012-5533</cvename>
+ </references>
+ <dates>
+ <discovery>2012-11-17</discovery>
+ <entry>2012-11-21</entry>
+ </dates>
+ </vuln>
+
 <vuln vid="d23119df-335d-11e2-b64c-c8600054b392">
 <topic>mozilla -- multiple vulnerabilities</topic>
 <affects>
diff --git a/www/lighttpd/Makefile b/www/lighttpd/Makefile
index cd668cbee022..a929ed567dc3 100644
--- a/www/lighttpd/Makefile
+++ b/www/lighttpd/Makefile
@@ -6,8 +6,7 @@
 #
 PORTNAME?= lighttpd
-PORTVERSION= 1.4.31
-PORTREVISION= 5
+PORTVERSION= 1.4.32
 CATEGORIES?= www
 MASTER_SITES?= http://download.lighttpd.net/lighttpd/releases-1.4.x/
diff --git a/www/lighttpd/distinfo b/www/lighttpd/distinfo
index 26b2d4d3abf5..ac8aec665e16 100644
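Review bot: The new `<references>` element of the lighttpd entry lists only the CVE name, while the upstream advisory URL survives solely as the `cite` attribute of the blockquote, which readers of the rendered VuXML page and tools that walk `<references>` never see. Add the advisory as a reference alongside the CVE, `<url>http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt</url>`. The `<range>` of `>1.4.30 <1.4.32` is consistent with the quoted text stating the bug was introduced in 1.4.31, so no change is needed there.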
--- a/www/lighttpd/distinfo
+++ b/www/lighttpd/distinfo
@@ -1,5 +1,5 @@
-SHA256 (lighttpd-1.4.31.tar.bz2) = 5209e7a25d3044cb21b34d6a2bb3a6f6c216ba903ea486a803d070582e5e26ac
-SIZE (lighttpd-1.4.31.tar.bz2) = 675275
+SHA256 (lighttpd-1.4.32.tar.bz2) = 60691b2dcf3ad2472c06b23d75eb0c164bf48a08a630ed3f308f61319104701f
+SIZE (lighttpd-1.4.32.tar.bz2) = 681065
 SHA256 (lighttpd-1.4.26_mod_h264_streaming-2.2.9.patch.gz) = d7c3704d5253c4f3c18459f89059063b311e50096cd2c38fc982cec683c32e61
 SIZE (lighttpd-1.4.26_mod_h264_streaming-2.2.9.patch.gz) = 44695
 SHA256 (lighttpd-1.4.26_mod_geoip.patch.gz) = db43cc0ed7c808b5eed3185d97346e70dea0f1ef4fa9ed436d08e4faff7f97e7
diff --git a/www/lighttpd/files/patch-configure.ac b/www/lighttpd/files/patch-configure.ac
index 2f5c627cd90e..f697cfe28bd7 100644
--- a/www/lighttpd/files/patch-configure.ac
+++ b/www/lighttpd/files/patch-configure.ac
@@ -1,10 +1,16 @@
---- configure.ac.orig 2011-07-03 09:33:11.000000000 -0700
-+++ configure.ac 2012-05-03 16:49:19.000000000 -0700
-@@ -18,2 +18,3 @@
+--- configure.ac.orig 2012-11-19 11:05:29.000000000 +0100
++++ configure.ac 2012-11-21 14:22:53.723233779 +0100
+@@ -16,6 +16,7 @@
+ dnl Checks for programs.
+ AC_PROG_CC
  AM_PROG_CC_C_O
 +AM_PROG_AR
  AC_PROG_LD
-@@ -26,7 +27,2 @@
+ AC_PROG_INSTALL
+ AC_PROG_AWK
+@@ -30,11 +31,6 @@
+ dnl AM_PROG_AR requires automake 1.11 (and uses AC_COMPILE_IFELSE which wants AC_USE_SYSTEM_EXTENSIONS)
+ m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
 -dnl check environment
 -AC_AIX
@@ -12,9 +18,5 @@
 -AC_MINIX
 -
  dnl AC_CANONICAL_HOST
-@@ -40,5 +36,2 @@
- 
--dnl more automake stuff
--AM_C_PROTOTYPES
--
- dnl libtool
+ case $host_os in
+ *darwin*|*cygwin*|*aix*|*mingw* ) NO_RDYNAMIC=yes;;
|
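Review bot: The regenerated patch keeps the unconditional `+AM_PROG_AR` right after AM_PROG_CC_C_O, although the new upstream context lines a few lines below show 1.4.32 now invoking the same macro guarded, `m4_ifdef([AM_PROG_AR], [AM_PROG_AR])`; with automake 1.11 or later the macro is therefore expanded twice, and with an older automake the unguarded early call is likely to break autoreconf where upstream's guarded one would be skipped. If the early, pre-AC_PROG_LD call is still required (presumably because of a libtool ordering warning — not verifiable from here), guard it the same way, `+m4_ifdef([AM_PROG_AR], [AM_PROG_AR])`; otherwise drop that inner hunk so the patch only removes the AC_AIX/AC_ISC_POSIX/AC_MINIX block. That removal has been carried forward without explanation; a one-line comment above the patch's `---` header stating why the environment macros are stripped would save the next updater from re-deriving it. The same file continues in the second outer hunk (`@@ -12,9 +18,5 @@`), which only rebases the removal against the new upstream context.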