Your message dated Sat, 16 Mar 2013 11:37:38 +0100
with message-id <[email protected]>
and subject line Re: Bug#703129: unblock: lighttpd/1.4.31-4
has caused the Debian Bug report #703129,
regarding unblock: lighttpd/1.4.31-4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
703129: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703129
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock the lighttpd package. I uploaded it as discussed previously,
find a debdiff below.
unblock lighttpd/1.4.31-4
diff -Nru lighttpd-1.4.31/debian/changelog lighttpd-1.4.31/debian/changelog
--- lighttpd-1.4.31/debian/changelog 2012-11-21 14:53:48.000000000 +0100
+++ lighttpd-1.4.31/debian/changelog 2013-03-15 20:28:44.000000000 +0100
@@ -1,3 +1,13 @@
+lighttpd (1.4.31-4) unstable; urgency=high
+
+ * CVE-2013-1427: Switch the socket path for PHP when using FastCGI. /tmp is
+ world-writable which may cause security implications if an attacker
+ manages to control /tmp/php.socket before the web server (re-)starts.
+ * Switch VCS to git
+ * Push standards version (no changes)
+
+ -- Arno Töll <[email protected]> Thu, 14 Mar 2013 02:20:07 +0100
+
lighttpd (1.4.31-3) unstable; urgency=high
* Fix "configuration files refer to wrong path for documentation"
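Review bot: the CVE-2013-1427 entry describes the impact only as "may cause security implications"; state the concrete consequence that the NEWS entry in this same upload spells out (a local user pre-creating /tmp/php.socket, or a symlink there, before the server starts, so that requests for .php are handed to an attacker-controlled PHP backend), so the changelog is useful on its own to someone reading it via apt-listchanges or the security tracker. The caveat that the fix only takes effect when the conffile is unmodified currently lives only in NEWS and deserves a mention here too.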
diff -Nru lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf
--- lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2012-11-21 02:12:50.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2013-03-15 20:28:14.000000000 +0100
@@ -6,7 +6,7 @@
fastcgi.server += ( ".php" =>
((
"bin-path" => "/usr/bin/php-cgi",
- "socket" => "/tmp/php.socket",
+ "socket" => "/var/run/lighttpd/php.socket",
"max-procs" => 1,
"bin-environment" => (
"PHP_FCGI_CHILDREN" => "4",
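Review bot: moving the socket to /var/run/lighttpd/php.socket only closes the race if that directory exists before lighttpd spawns php-cgi and is owned by the daemon user with a mode that keeps other local users out; nothing in this debdiff creates it, and on a system with /var/run on tmpfs it is gone after every reboot, so confirm that the init script (or postinst) does the mkdir and chown, otherwise the FastCGI spawn fails and the server does not start. It is also worth stating in the comment block of this file that the directory is the security boundary now: after an upgrade, `ls -ld /var/run/lighttpd` should show the web server user as owner and no group or world write bit, or the fix is only cosmetic.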
diff -Nru lighttpd-1.4.31/debian/control lighttpd-1.4.31/debian/control
--- lighttpd-1.4.31/debian/control 2012-11-21 14:53:19.000000000 +0100
+++ lighttpd-1.4.31/debian/control 2013-03-15 20:28:14.000000000 +0100
@@ -11,9 +11,9 @@
libfam-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev,
liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev,
libxml2-dev, libkrb5-dev, perl, dpkg-dev (>= 1.16.1~)
-Vcs-Svn: svn://svn.debian.org/pkg-lighttpd/lighttpd/trunk
-Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-lighttpd/lighttpd/trunk/
-Standards-Version: 3.9.3.1
+Vcs-Git: git://git.debian.org/git/pkg-lighttpd/lighttpd.git
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-lighttpd/lighttpd.git
+Standards-Version: 3.9.4
Package: lighttpd
Architecture: any
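Review bot: the Vcs-Git URL uses the git:// transport, which gives whoever clones from it no authentication or integrity protection; the Vcs-Browser line already points at anonscm.debian.org, so an http(s) clone URL on the same host would be preferable where the host offers one. Separately, the VCS switch and the Standards-Version bump are unrelated to the CVE fix and enlarge the debdiff that has to be reviewed for an unblock during the freeze; they would have been better held for the next non-security upload.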
diff -Nru lighttpd-1.4.31/debian/gbp.conf lighttpd-1.4.31/debian/gbp.conf
--- lighttpd-1.4.31/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ lighttpd-1.4.31/debian/gbp.conf 2013-03-15 20:28:14.000000000 +0100
@@ -0,0 +1,2 @@
+[DEFAULT]
+pristine-tar = True
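Review bot: with pristine-tar = True, gbp buildpackage regenerates the orig tarball from the pristine-tar branch and fails if that branch does not carry the delta for the 1.4.31 orig tarball; since the repository was just converted from svn, make sure the branch was populated before relying on this default. The file is packaging metadata only and does not change what is shipped in the binary packages.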
diff -Nru lighttpd-1.4.31/debian/NEWS lighttpd-1.4.31/debian/NEWS
--- lighttpd-1.4.31/debian/NEWS 2012-11-21 02:12:50.000000000 +0100
+++ lighttpd-1.4.31/debian/NEWS 2013-03-15 20:28:14.000000000 +0100
@@ -1,3 +1,21 @@
+lighttpd (1.4.31-4) unstable; urgency=high
+
+ The default Debian configuration file for PHP invoked from FastCGI was
+ vulnerable to local symlink attacks and race conditions when an attacker
+ manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3)
+ before the web server started. Possibly the web server could have been
+ tricked to use a forged PHP.
+
+ The problem lies in the configuration, thus this update will fix the problem
+ only if you did not modify the file
/etc/lighttpd/conf-available/15-fastcgi-php.conf
+ If you did, dpkg will not overwrite your changes. Please make sure to set
+
+ "socket" => "/var/run/lighttpd/php.socket"
+
+ yourself in that case.
+
+ -- Arno Töll <[email protected]> Thu, 14 Mar 2013 01:57:42 +0100
+
lighttpd (1.4.30-1) unstable; urgency=medium
This releases includes an option to force Lighttpd to honor the cipher order
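Review bot: the NEWS entry tells administrators with a locally modified conffile to set the new socket path but not that /var/run/lighttpd has to exist and be writable by the web server user before the backend is spawned; a hand-edited configuration pointing at a directory the init script does not create will stop lighttpd from starting. Add one sentence on that, plus a quick check for the old value such as `grep -n 'php.socket' /etc/lighttpd/conf-available/15-fastcgi-php.conf`, so an admin can tell at a glance whether the vulnerable path is still in effect. Minor wording: "tricked to use a forged PHP" reads better as "tricked into using a forged PHP backend".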
-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.6-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
On Sat, Mar 16, 2013 at 00:48:34 +0100, Arno Töll wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock the lighttpd package. I uploaded it as discussed previously,
> find a debdiff below.
>
Already unblocked by Adam last night.
Cheers,
Julien
--- End Message ---