From owner-svn-ports-branches@FreeBSD.ORG Mon Nov 26 21:04:11 2012 Return-Path: Delivered-To: svn-ports-branches@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E40E5FBD; Mon, 26 Nov 2012 21:04:11 +0000 (UTC) (envelope-from beat@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id BF0298FC13; Mon, 26 Nov 2012 21:04:11 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id qAQL4Btk074654; Mon, 26 Nov 2012 21:04:11 GMT (envelope-from beat@svn.freebsd.org) Received: (from beat@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id qAQL4B5D074649; Mon, 26 Nov 2012 21:04:11 GMT (envelope-from beat@svn.freebsd.org) Message-Id: <201211262104.qAQL4B5D074649@svn.freebsd.org> 
From: Beat Gaetzi Date: Mon, 26 Nov 2012 21:04:11 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r307798 - in branches/RELENG_9_1_0: security/vuxml www/lighttpd www/lighttpd/files X-SVN-Group: ports-branches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-branches@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for all the branches of the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Nov 2012 21:04:12 -0000 Author: beat Date: Mon Nov 26 21:04:11 2012 New Revision: 307798 URL: http://svnweb.freebsd.org/changeset/ports/307798 Log: MFH r307616 by mm: Document new vulnerability in www/lighttpd 1.4.31 MFH r307617 by mm: Update lighttpd to 1.4.32 (fixes CVE-2012-5533) Feature safe: yes Modified: branches/RELENG_9_1_0/security/vuxml/vuln.xml branches/RELENG_9_1_0/www/lighttpd/Makefile branches/RELENG_9_1_0/www/lighttpd/distinfo branches/RELENG_9_1_0/www/lighttpd/files/patch-configure.ac Directory Properties: branches/RELENG_9_1_0/ (props changed) Modified: branches/RELENG_9_1_0/security/vuxml/vuln.xml ============================================================================== --- branches/RELENG_9_1_0/security/vuxml/vuln.xml Mon Nov 26 20:55:53 2012 (r307797) +++ branches/RELENG_9_1_0/security/vuxml/vuln.xml Mon Nov 26 21:04:11 2012 (r307798) @@ -51,6 +51,38 @@ Note: Please add new entries to the beg --> + + lighttpd -- remote DoS in header parsing + + + lighttpd + 1.4.301.4.32 + + + + +

Lighttpd security advisory reports:

+
+

Certain Connection header values will trigger an endless loop, for example: + "Connection: TE,,Keep-Alive"

+

On receiving such value, lighttpd will enter an endless loop, + detecting an empty token but not incrementing the current string + position, and keep reading the ',' again and again.

+

This bug was introduced in 1.4.31, when we fixed an "invalid read" + bug (it would try to read the byte before the string if it started + with ',', although the value wasn't actually used).

+
+ +
+ + CVE-2012-5533 + + + 2012-11-17 + 2012-11-21 + +
+ mozilla -- multiple vulnerabilities Modified: branches/RELENG_9_1_0/www/lighttpd/Makefile ============================================================================== --- branches/RELENG_9_1_0/www/lighttpd/Makefile Mon Nov 26 20:55:53 2012 (r307797) +++ branches/RELENG_9_1_0/www/lighttpd/Makefile Mon Nov 26 21:04:11 2012 (r307798) @@ -6,8 +6,7 @@ # PORTNAME?= lighttpd -PORTVERSION= 1.4.31 -PORTREVISION= 5 +PORTVERSION= 1.4.32 CATEGORIES?= www MASTER_SITES?= http://download.lighttpd.net/lighttpd/releases-1.4.x/ Modified: branches/RELENG_9_1_0/www/lighttpd/distinfo ============================================================================== --- branches/RELENG_9_1_0/www/lighttpd/distinfo Mon Nov 26 20:55:53 2012 (r307797) +++ branches/RELENG_9_1_0/www/lighttpd/distinfo Mon Nov 26 21:04:11 2012 (r307798) @@ -1,5 +1,5 @@ -SHA256 (lighttpd-1.4.31.tar.bz2) = 5209e7a25d3044cb21b34d6a2bb3a6f6c216ba903ea486a803d070582e5e26ac -SIZE (lighttpd-1.4.31.tar.bz2) = 675275 +SHA256 (lighttpd-1.4.32.tar.bz2) = 60691b2dcf3ad2472c06b23d75eb0c164bf48a08a630ed3f308f61319104701f +SIZE (lighttpd-1.4.32.tar.bz2) = 681065 SHA256 (lighttpd-1.4.26_mod_h264_streaming-2.2.9.patch.gz) = d7c3704d5253c4f3c18459f89059063b311e50096cd2c38fc982cec683c32e61 SIZE (lighttpd-1.4.26_mod_h264_streaming-2.2.9.patch.gz) = 44695 SHA256 (lighttpd-1.4.26_mod_geoip.patch.gz) = db43cc0ed7c808b5eed3185d97346e70dea0f1ef4fa9ed436d08e4faff7f97e7 Modified: branches/RELENG_9_1_0/www/lighttpd/files/patch-configure.ac ============================================================================== --- branches/RELENG_9_1_0/www/lighttpd/files/patch-configure.ac Mon Nov 26 20:55:53 2012 (r307797) +++ branches/RELENG_9_1_0/www/lighttpd/files/patch-configure.ac Mon Nov 26 21:04:11 2012 (r307798) 
@@ -1,10 +1,16 @@ ---- configure.ac.orig 2011-07-03 09:33:11.000000000 -0700 -+++ configure.ac 2012-05-03 16:49:19.000000000 -0700 -@@ -18,2 +18,3 @@ +--- configure.ac.orig 2012-11-19 11:05:29.000000000 +0100 ++++ configure.ac 2012-11-21 14:22:53.723233779 +0100 +@@ -16,6 +16,7 @@ + dnl Checks for programs. + AC_PROG_CC AM_PROG_CC_C_O +AM_PROG_AR AC_PROG_LD -@@ -26,7 +27,2 @@ + AC_PROG_INSTALL + AC_PROG_AWK +@@ -30,11 +31,6 @@ + dnl AM_PROG_AR requires automake 1.11 (and uses AC_COMPILE_IFELSE which wants AC_USE_SYSTEM_EXTENSIONS) + m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) -dnl check environment -AC_AIX @@ -12,9 +18,5 @@ -AC_MINIX - dnl AC_CANONICAL_HOST -@@ -40,5 +36,2 @@ - --dnl more automake stuff --AM_C_PROTOTYPES -- - dnl libtool + case $host_os in + *darwin*|*cygwin*|*aix*|*mingw* ) NO_RDYNAMIC=yes;;
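Review bot: the affected-version bounds of the new vuln.xml entry arrive in this mail fused as "1.4.301.4.32", so the range tags cannot be checked here; the quoted advisory says the endless loop was introduced in 1.4.31 and the same commit moves the port to 1.4.32, so the entry should match exactly 1.4.31 (exclusive bounds at 1.4.30 and 1.4.32). An inclusive lower bound would flag 1.4.30, which the advisory says is not affected. The rest of the entry (CVE-2012-5533, discovery 2012-11-17, entry 2012-11-21) agrees with the Makefile bump, and the entry is placed at the head of the file as the comment in the hunk context asks.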
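Review bot: dropping `PORTREVISION= 5` together with the bump to `PORTVERSION= 1.4.32` is the correct reset for a new upstream version; what the hunk does not show is whether the `?=` variables (`PORTNAME?=`, `CATEGORIES?=`), which suggest this Makefile is shared with slave ports, leave any slave carrying its own stale PORTREVISION, so check those too. Note also that `MASTER_SITES?= http://download.lighttpd.net/...` is plain http, so the distinfo checksum is the only integrity check on the fetched tarball.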
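Review bot: the new SHA256 and SIZE for lighttpd-1.4.32.tar.bz2 are the only guarantee that the fetched distfile is the one the CVE-2012-5533 fix was validated against, and the log does not say whether the hash was compared with the value upstream publishes or only regenerated from the downloaded file (`make makesum`); the commit message should state that. The entries for lighttpd-1.4.26_mod_h264_streaming-2.2.9.patch.gz and lighttpd-1.4.26_mod_geoip.patch.gz are unchanged, so those third-party patches written against 1.4.26 are now applied on top of 1.4.32; confirm they still apply cleanly to the new tree.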
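Review bot: the regenerated port patch still adds an unconditional `+AM_PROG_AR` right after `AM_PROG_CC_C_O`, while the new upstream context a few lines further down reads `dnl AM_PROG_AR requires automake 1.11 (and uses AC_COMPILE_IFELSE which wants AC_USE_SYSTEM_EXTENSIONS)` followed by `m4_ifdef([AM_PROG_AR], [AM_PROG_AR])`. Upstream 1.4.32 therefore already invokes AM_PROG_AR, guarded for older automake; the port's unconditional copy runs the macro a second time where it exists and fails outright where it does not, so that addition looks obsolete and should be dropped from the port patch. The old `@@ -40,5 +36,2 @@` hunk removing `dnl more automake stuff` / `AM_C_PROTOTYPES` is gone from the new port patch; that is only right if 1.4.32's configure.ac no longer contains AM_C_PROTOTYPES (the macro was removed in automake 1.12 and breaks autoreconf when present), which this diff does not show, so confirm it before merging.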