On Aug/01, Santiago R.R. wrote: > Please, find attached debdiffs to mitigate this in wheezy (that I plan > to upload) and jessie. I have tested it with a python cgi taken from > httpoxy's PoCs, and it seems to work well. However, I am not familiar > with lighttpd, so any review is welcome.
Hi Santiago, thanks for working on this. Could you please change your jessie debdiff so it uses version 1.4.35-4+deb8u1 instead of 1.4.35-5 ? The rest looks OK. You'll also need to make sure you build with -sa, as lighttpd will be new on security-master. Cheers, --Seb
