Re: [SECURITY] lighttpd
On Feb  1 00:26, Yaakov wrote:
> On Tue, 9 Oct 2012 12:56:17 +0200, Corinna Vinschen wrote:
> > Lapo?  Ping?  Are you still with us?
> 
> It would seem not. :-(
> 
> $ grep Lapo cygwin-pkg-maint
> botan                 Lapo Luchini
> bsdiff                Lapo Luchini
> libtidy-devel         Lapo Luchini
> libtidy0_99_0         Lapo Luchini
> lighttpd              Lapo Luchini
> monotone              Lapo Luchini
> nano                  Lapo Luchini
> par                   Lapo Luchini
> pinfo                 Lapo Luchini
> rsync                 Lapo Luchini
> tidy                  Lapo Luchini
> typespeed             Lapo Luchini
> ucl                   Lapo Luchini
> upx                   Lapo Luchini
> whois                 Lapo Luchini
> 
> I already have newer lighttpd and nano in Ports, and tidy was copied
> from Ports to start with (there hasn't been an upstream release
> since).  Should I adopt these and mark the rest ORPHANED?

That would be nice.

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
Re: [SECURITY] lighttpd
On Tue, 9 Oct 2012 12:56:17 +0200, Corinna Vinschen wrote:
> Lapo?  Ping?  Are you still with us?

It would seem not. :-(

$ grep Lapo cygwin-pkg-maint
botan                 Lapo Luchini
bsdiff                Lapo Luchini
libtidy-devel         Lapo Luchini
libtidy0_99_0         Lapo Luchini
lighttpd              Lapo Luchini
monotone              Lapo Luchini
nano                  Lapo Luchini
par                   Lapo Luchini
pinfo                 Lapo Luchini
rsync                 Lapo Luchini
tidy                  Lapo Luchini
typespeed             Lapo Luchini
ucl                   Lapo Luchini
upx                   Lapo Luchini
whois                 Lapo Luchini

I already have newer lighttpd and nano in Ports, and tidy was copied
from Ports to start with (there hasn't been an upstream release
since).  Should I adopt these and mark the rest ORPHANED?


Yaakov
Re: [SECURITY] lighttpd
Lapo?  Ping?  Are you still with us?

On Aug 14 20:52, Yaakov (Cygwin/X) wrote:
> On Thu, 2012-03-29 at 13:39 -0500, Yaakov (Cygwin/X) wrote:
> > On 2012-03-29 09:58, Lapo Luchini wrote:
> > > Yaakov (Cygwin/X) wrote:
> > >> BLODA?
> > > 
> > > Not that I know of:
> > > 
> > > WindowsDefender is deactivated (and I checked the service is not
> > > running), and only other stuff in the BLODA is "nVidia, some version"
> > > but I can't really do much to avoid that. I wonder.
> > 
> > So do I, because:
> > 
> > >>> configure.ac:57: error: possibly undefined macro: AC_CHECK_HEADERS
> > >>> configure.ac:71: error: possibly undefined macro: AC_DEFINE
> > >>> configure.ac:108: error: possibly undefined macro: AC_CHECK_LIB
> > >>> configure.ac:112: error: possibly undefined macro: AC_MSG_ERROR
> > >>> autoreconf-2.68: /usr/bin/autoconf-2.68 failed with exit status: 1
> > >>> *** ERROR: autoreconf failed
> > >> 
> > >> Then something is wrong with your installation or environment.  I'll
> > >> need your `cygcheck -srv' output.
> > > 
> > > Same goes for a fresh install on real hardware (Win7 box in my office).
> > 
> > Nothing obvious in the cygcheck.  But as these macros are part of
> > autoconf itself, if autoconf can't find them, it means that aclocal
> > silently failed.  In any case, this is an issue with your system
> > (probably BLODA or rebase), not with cygport.
> 
> Ping?  lighttpd 1.4.31 is available now.
> 
> 
> Yaakov


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
Re: [SECURITY] lighttpd
On Thu, 2012-03-29 at 13:39 -0500, Yaakov (Cygwin/X) wrote:
> On 2012-03-29 09:58, Lapo Luchini wrote:
> > Yaakov (Cygwin/X) wrote:
> >> BLODA?
> > 
> > Not that I know of:
> > 
> > WindowsDefender is deactivated (and I checked the service is not
> > running), and only other stuff in the BLODA is "nVidia, some version"
> > but I can't really do much to avoid that. I wonder.
> 
> So do I, because:
> 
> >>> configure.ac:57: error: possibly undefined macro: AC_CHECK_HEADERS
> >>> configure.ac:71: error: possibly undefined macro: AC_DEFINE
> >>> configure.ac:108: error: possibly undefined macro: AC_CHECK_LIB
> >>> configure.ac:112: error: possibly undefined macro: AC_MSG_ERROR
> >>> autoreconf-2.68: /usr/bin/autoconf-2.68 failed with exit status: 1
> >>> *** ERROR: autoreconf failed
> >> 
> >> Then something is wrong with your installation or environment.  I'll
> >> need your `cygcheck -srv' output.
> > 
> > Same goes for a fresh install on real hardware (Win7 box in my office).
> 
> Nothing obvious in the cygcheck.  But as these macros are part of
> autoconf itself, if autoconf can't find them, it means that aclocal
> silently failed.  In any case, this is an issue with your system
> (probably BLODA or rebase), not with cygport.

Ping?  lighttpd 1.4.31 is available now.


Yaakov
Re: [SECURITY] lighttpd
On 2012-03-29 09:58, Lapo Luchini wrote:
> Yaakov (Cygwin/X) wrote:
>> BLODA?
> 
> Not that I know of:
> 
> WindowsDefender is deactivated (and I checked the service is not
> running), and only other stuff in the BLODA is "nVidia, some version"
> but I can't really do much to avoid that. I wonder.

So do I, because:

>>> configure.ac:57: error: possibly undefined macro: AC_CHECK_HEADERS
>>> configure.ac:71: error: possibly undefined macro: AC_DEFINE
>>> configure.ac:108: error: possibly undefined macro: AC_CHECK_LIB
>>> configure.ac:112: error: possibly undefined macro: AC_MSG_ERROR
>>> autoreconf-2.68: /usr/bin/autoconf-2.68 failed with exit status: 1
>>> *** ERROR: autoreconf failed
>> 
>> Then something is wrong with your installation or environment.  I'll
>> need your `cygcheck -srv' output.
> 
> Same goes for a fresh install on real hardware (Win7 box in my office).

Nothing obvious in the cygcheck.  But as these macros are part of
autoconf itself, if autoconf can't find them, it means that aclocal
silently failed.  In any case, this is an issue with your system
(probably BLODA or rebase), not with cygport.


Yaakov
Re: [SECURITY] lighttpd
Yaakov (Cygwin/X) wrote:
>> PS: my Win7 cygwin needs rebaseall very very often. Still didn't
>> check it through.
> 
> BLODA?

Not that I know of:

WindowsDefender is deactivated (and I checked the service is not
running), and only other stuff in the BLODA is "nVidia, some version"
but I can't really do much to avoid that. I wonder.

>> configure.ac:57: error: possibly undefined macro: AC_CHECK_HEADERS
>> configure.ac:71: error: possibly undefined macro: AC_DEFINE
>> configure.ac:108: error: possibly undefined macro: AC_CHECK_LIB
>> configure.ac:112: error: possibly undefined macro: AC_MSG_ERROR
>> autoreconf-2.68: /usr/bin/autoconf-2.68 failed with exit status: 1
>> *** ERROR: autoreconf failed
> 
> Then something is wrong with your installation or environment.  I'll
> need your `cygcheck -srv' output.

Same goes for a fresh install on real hardware (Win7 box in my office).

(strangely enough: updating even a small package using setup.exe over
WinXP over VirtualBox over ZFS over FreeBSD triggers a kernel panic in
arc_reclaim_thread, so I can't upgrade that virtual box anymore)

-- 
Lapo Luchini - http://lapo.it/

“Quantum key distribution in superposition of "insecure" and "unneeded".”
(Chris Lee, "Ars Technica", 2010-09-07, http://bit.ly/ars-qkd)

[attachment: cygcheck.txt.bz2]
Re: [SECURITY] lighttpd
On 2012-03-27 06:01, Lapo Luchini wrote:
> Yaakov (Cygwin/X) wrote:
>> The attached .cygport and patch WFM.  Do these not work for you?
> 
> Nope, it's just the same as the 1.4.28 as found on CygPorts repository
> (and trivially-updated to 1.4.30).
> Didn't report it yet because I hadn't the time to check it on a
> different box, but here it goes:
> 
> % cygport lighttpd-1.4.30-1 prep build
>>>> Preparing lighttpd-1.4.30-1
>>>> Unpacking source lighttpd-1.4.30.tar.xz
> *** Info: applying patch 1.4.28-no-undefined.patch:
> patching file src/Makefile.am
> Hunk #1 succeeded at 89 (offset 1 line).
>>>> Preparing working source directory
> *** Info: applying patch lighttpd-1.4.30-1.cygwin.patch:
> patching file CYGWIN-PATCHES/README
> patching file CYGWIN-PATCHES/setup.hint
>>>> Compiling lighttpd-1.4.30-1
> autoreconf-2.68: Entering directory `.'
> autoreconf-2.68: configure.ac: not using Gettext
> autoreconf-2.68: running: aclocal --force -I m4
> autoreconf-2.68: configure.ac: tracing
> autoreconf-2.68: running: libtoolize --copy --force
> libtoolize: putting auxiliary files in `.'.
> libtoolize: copying file `./ltmain.sh'
> libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
> libtoolize: copying file `m4/libtool.m4'
> libtoolize: copying file `m4/ltoptions.m4'
> libtoolize: copying file `m4/ltsugar.m4'
> libtoolize: copying file `m4/ltversion.m4'
> libtoolize: copying file `m4/lt~obsolete.m4'
> autoreconf-2.68: running: /usr/bin/autoconf-2.68 --force
> configure.ac:1: error: possibly undefined macro: dnl
>       If this token and others are legitimate, please use m4_pattern_allow.
>       See the Autoconf documentation.
> configure.ac:57: error: possibly undefined macro: AC_CHECK_HEADERS
> configure.ac:71: error: possibly undefined macro: AC_DEFINE
> configure.ac:108: error: possibly undefined macro: AC_CHECK_LIB
> configure.ac:112: error: possibly undefined macro: AC_MSG_ERROR
> autoreconf-2.68: /usr/bin/autoconf-2.68 failed with exit status: 1
> *** ERROR: autoreconf failed

Then something is wrong with your installation or environment.  I'll
need your `cygcheck -srv' output.


Yaakov
Re: [SECURITY] lighttpd
Yaakov (Cygwin/X) wrote:
>> PS: my Win7 cygwin needs rebaseall very very often. Still didn't check
>> it through.
> 
> BLODA?

Windows Defender, but I de-activated the online scan and (wrongly?)
hoped this de-activated the hook.
It probably doesn't, I'll try disabling the service as suggested in the
ML, but in the meantime I'm using a VirtualBox+WinXP as a Cygwin
build-box (BTW it's quite slower than real hardware, of course, but
"feels" even slower than other Windows-native stuff that runs in there;
didn't check in deep yet).

> The attached .cygport and patch WFM.  Do these not work for you?

Nope, it's just the same as the 1.4.28 as found on CygPorts repository
(and trivially-updated to 1.4.30).
Didn't report it yet because I hadn't the time to check it on a
different box, but here it goes:

% cygport lighttpd-1.4.30-1 prep build
>>> Preparing lighttpd-1.4.30-1
>>> Unpacking source lighttpd-1.4.30.tar.xz
*** Info: applying patch 1.4.28-no-undefined.patch:
patching file src/Makefile.am
Hunk #1 succeeded at 89 (offset 1 line).
>>> Preparing working source directory
*** Info: applying patch lighttpd-1.4.30-1.cygwin.patch:
patching file CYGWIN-PATCHES/README
patching file CYGWIN-PATCHES/setup.hint
>>> Compiling lighttpd-1.4.30-1
autoreconf-2.68: Entering directory `.'
autoreconf-2.68: configure.ac: not using Gettext
autoreconf-2.68: running: aclocal --force -I m4
autoreconf-2.68: configure.ac: tracing
autoreconf-2.68: running: libtoolize --copy --force
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf-2.68: running: /usr/bin/autoconf-2.68 --force
configure.ac:1: error: possibly undefined macro: dnl
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
configure.ac:57: error: possibly undefined macro: AC_CHECK_HEADERS
configure.ac:71: error: possibly undefined macro: AC_DEFINE
configure.ac:108: error: possibly undefined macro: AC_CHECK_LIB
configure.ac:112: error: possibly undefined macro: AC_MSG_ERROR
autoreconf-2.68: /usr/bin/autoconf-2.68 failed with exit status: 1
*** ERROR: autoreconf failed

-- 
Lapo Luchini - http://lapo.it/
Re: [SECURITY] lighttpd
On Mon, 2012-02-27 at 22:33 +0100, Lapo Luchini wrote:
> ...failing it; neither the current package nor cygwin-ports one upgrade
> cleanly and I hadn't the time to work around it.

Could you clarify?

> If anyone has the time to do this long-awaited upgrade or wants to take
> maintainership of the package altogether, feel free to step up and do it.
> 
> Else, I will keep trying in the next days.

The attached .cygport and patch WFM.  Do these not work for you?

> PS: my Win7 cygwin needs rebaseall very very often. Still didn't check
> it through.

BLODA?


Yaakov

--- origsrc/lighttpd-1.4.28/src/Makefile.am	2010-08-11 15:44:17.0 -0500
+++ src/lighttpd-1.4.28/src/Makefile.am	2010-08-22 16:50:18.999262800 -0500
@@ -88,7 +88,7 @@ lib_LTLIBRARIES += liblightcomp.la
 liblightcomp_la_SOURCES=$(common_src)
 liblightcomp_la_CFLAGS=$(AM_CFLAGS) $(LIBEV_CFLAGS)
 liblightcomp_la_LDFLAGS = -avoid-version -no-undefined
-liblightcomp_la_LIBADD = $(PCRE_LIB) $(SSL_LIB) $(FAM_LIBS) $(LIBEV_LIBS)
+liblightcomp_la_LIBADD = $(PCRE_LIB) $(SSL_LIB) $(FAM_LIBS) $(ATTR_LIB) $(LIBEV_LIBS)
 common_libadd = liblightcomp.la
 else
 src += $(common_src)

[attachment: lighttpd-1.4.30-1.cygport]
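Review bot: the hunk adds `$(ATTR_LIB)` to `liblightcomp_la_LIBADD` but nothing in it shows where `ATTR_LIB` is defined; with `-no-undefined` already on `liblightcomp_la_LDFLAGS` (visible as context two lines up), an `ATTR_LIB` that configure never substitutes expands to nothing and libtool will still refuse to build the DLL because the symbols it was meant to supply stay unresolved. Confirm that configure.ac does `AC_SUBST(ATTR_LIB)` for this version, or pass the library explicitly from the .cygport (for example via `LIBS`) so the fix does not depend on a variable that may be absent. The untouched `else` branch (`src += $(common_src)`) is fine as it is, since in that configuration the common sources are linked straight into the lighttpd binary and no `-no-undefined` link is involved.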
Re: [SECURITY] lighttpd
Lapo Luchini wrote:
> I will schedule an update-session for all my packages that needs it

...failing it; neither the current package nor cygwin-ports one upgrade
cleanly and I hadn't the time to work around it.

If anyone has the time to do this long-awaited upgrade or wants to take
maintainership of the package altogether, feel free to step up and do it.

Else, I will keep trying in the next days.

PS: my Win7 cygwin needs rebaseall very very often. Still didn't check
it through.

-- 
Lapo Luchini - http://lapo.it/
Re: [SECURITY] lighttpd
Corinna Vinschen wrote:
> FYI, I also pinged Lapo via PM and got no reply so far.  If he doesn't
> reply within the next 2 weeks, I guess we have to assume he's not with
> us anymore :(

ARGH, sorry!
It seems I can't really rely on myself to monitor these mailing lists
with proper enough care anymore (too much stuff to do/remember, I guess).
But I'm still with the project fully, at least in heart and intentions.

I will schedule an update-session for all my packages that needs it
tomorrow morning (10-12 CET), then I'll try and find some type of
reminder/alert to be more responsive in the future.
(mhh, maybe some RSS based on some regular expression matching the
mailing lists contents with my package's names in title or body)

Oh and by the way, Corinna, thanks for the PM-ping, and sorry for the
inconvenience. :(

-- 
Lapo Luchini - http://lapo.it/
Re: [SECURITY] lighttpd
On Jan 27 04:21, Yaakov (Cygwin/X) wrote:
> On Sun, 2011-12-18 at 18:13 -0600, Yaakov (Cygwin/X) wrote:
> > Lapo,
> > 
> > Cygwin's lighttpd is still at 1.4.20, which is over three years old.
> > In the meantime, ten more releases have occurred, some of which
> > (including today's) fix security issues.  Please update lighttpd to
> > 1.4.30 ASAP.
> 
> Ping?

FYI, I also pinged Lapo via PM and got no reply so far.  If he doesn't
reply within the next 2 weeks, I guess we have to assume he's not with
us anymore :(


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
Re: [SECURITY] lighttpd
On Sun, 2011-12-18 at 18:13 -0600, Yaakov (Cygwin/X) wrote:
> Lapo,
> 
> Cygwin's lighttpd is still at 1.4.20, which is over three years old.
> In the meantime, ten more releases have occurred, some of which
> (including today's) fix security issues.  Please update lighttpd to
> 1.4.30 ASAP.

Ping?


Yaakov
[SECURITY] lighttpd
Lapo,

Cygwin's lighttpd is still at 1.4.20, which is over three years old.
In the meantime, ten more releases have occurred, some of which
(including today's) fix security issues.  Please update lighttpd to
1.4.30 ASAP.


Yaakov
[SECURITY] Lighttpd: Buffer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Lapo,

Here's another buffer overflow, this time affecting lighttpd's
mod_fastcgi.


Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG/wUspiWmPGlmQSMRCAToAJ9rSJvRmjMQY6Qe2CGETyhU2/JsCACfa1Gq
eD5QXRKCkA3RG9e0RIy6aRk=
=Kpet
-----END PGP SIGNATURE-----

--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200709-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Lighttpd: Buffer overflow
      Date: September 27, 2007
      Bugs: #191912
        ID: 200709-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Lighttpd is vulnerable to the remote execution of arbitrary code.

Background
==========

Lighttpd is a lightweight HTTP web server.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-servers/lighttpd      < 1.4.18                       >= 1.4.18

Description
===========

Mattias Bengtsson and Philip Olausson have discovered a buffer overflow
vulnerability in the function fcgi_env_add() in the file mod_fastcgi.c
when processing overly long HTTP headers.

Impact
======

A remote attacker could send a specially crafted request to the
vulnerable Lighttpd server, resulting in the remote execution of
arbitrary code with privileges of the user running the web server. Note
that mod_fastcgi is disabled in Gentoo's default configuration.

Workaround
==========

Edit the file /etc/lighttpd/lighttpd.conf and comment the following
line: "include mod_fastcgi.conf"

Resolution
==========

All Lighttpd users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.18"

References
==========

  [ 1 ] CVE-2007-4727
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4727

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200709-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG/Bo6uhJ+ozIKI5gRAjNlAJ93Hk2nbz+y+RuANQyU/fEblnLTTwCfZmqb
E1Pc2dPmHp57HSTmvrfF7MY=
=KK5K
-----END PGP SIGNATURE-----
-- 
[EMAIL PROTECTED] mailing list

--- End Message ---
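The advisory above describes an overflow in mod_fastcgi's fcgi_env_add() when a request carries an overly long HTTP header, i.e. when a header value is serialized into a FastCGI name-value pair without the length arithmetic being checked against the destination buffer. The following is an added example, not lighttpd's code and not the upstream fix for CVE-2007-4727: it encodes a FastCGI name-value pair (one-byte length below 128, four-byte big-endian length with the top bit set otherwise, per the FastCGI 1.0 wire format) into a caller-supplied buffer, computing the required size with overflow checks before writing a single byte, and decodes it back with the matching truncation checks. The function names, the 4 KiB buffer and the constructed 8 KiB header value are assumptions made for the example.

```c
/*
 * Added example (not lighttpd's code): bounds-checked encoding of one
 * FastCGI name-value pair, plus the matching decoder. Function names and
 * buffer sizes are assumptions chosen for the demonstration.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FCGI_MAX_LEN 0x7fffffffu   /* the wire format carries 31-bit lengths */

/* Bytes the wire format spends on a length: 1 below 128, else 4. */
static size_t fcgi_len_size(size_t n) { return n < 128 ? 1 : 4; }

/* Write a length prefix at p; the caller has already reserved the room. */
static size_t fcgi_put_len(unsigned char *p, size_t n)
{
    if (n < 128) { p[0] = (unsigned char)n; return 1; }
    p[0] = (unsigned char)(0x80 | ((n >> 24) & 0x7f));
    p[1] = (unsigned char)((n >> 16) & 0xff);
    p[2] = (unsigned char)((n >> 8) & 0xff);
    p[3] = (unsigned char)(n & 0xff);
    return 4;
}

/*
 * Append key=val to buf (capacity cap, *used bytes already filled).
 * Returns the number of bytes appended, or 0 when the pair is refused:
 * a length beyond the 31-bit limit, size arithmetic that would wrap, or
 * a pair that does not fit. Nothing is written on refusal.
 */
size_t fcgi_env_add(unsigned char *buf, size_t cap, size_t *used,
                    const char *key, size_t key_len,
                    const char *val, size_t val_len)
{
    size_t need;
    unsigned char *p;
    if (key_len > FCGI_MAX_LEN || val_len > FCGI_MAX_LEN) return 0;
    need = fcgi_len_size(key_len) + fcgi_len_size(val_len);
    if (key_len > SIZE_MAX - need) return 0;
    need += key_len;
    if (val_len > SIZE_MAX - need) return 0;
    need += val_len;
    if (*used > cap || need > cap - *used) return 0;   /* the check the bug lacked */

    p = buf + *used;
    p += fcgi_put_len(p, key_len);
    p += fcgi_put_len(p, val_len);
    memcpy(p, key, key_len); p += key_len;
    memcpy(p, val, val_len);
    *used += need;
    return need;
}

/* Read a length prefix from at most avail bytes; 0 means truncated. */
static size_t fcgi_get_len(const unsigned char *p, size_t avail, size_t *out)
{
    if (avail < 1) return 0;
    if (!(p[0] & 0x80)) { *out = p[0]; return 1; }
    if (avail < 4) return 0;
    *out = ((size_t)(p[0] & 0x7f) << 24) | ((size_t)p[1] << 16)
         | ((size_t)p[2] << 8) | (size_t)p[3];
    return 4;
}

/* Parse the first pair in buf; 1 on success, 0 if any length overruns len. */
int fcgi_env_get(const unsigned char *buf, size_t len,
                 const char **key, size_t *key_len,
                 const char **val, size_t *val_len)
{
    size_t off = 0, n;
    n = fcgi_get_len(buf + off, len - off, key_len); if (!n) return 0; off += n;
    n = fcgi_get_len(buf + off, len - off, val_len); if (!n) return 0; off += n;
    if (*key_len > len - off) return 0;
    *key = (const char *)buf + off; off += *key_len;
    if (*val_len > len - off) return 0;
    *val = (const char *)buf + off;
    return 1;
}

/* A 128-byte header fits (4-byte prefix); an 8 KiB one is refused untouched.
 * Returns the bytes used on success (1 + 4 + 9 + 128 = 142), negative on failure. */
int fcgi_demo(void)
{
    unsigned char buf[4096];
    size_t used = 0, before, kl, vl;
    const char *k, *v;
    char big[8192];
    memset(big, 'A', sizeof big);              /* constructed header value */

    if (fcgi_env_add(buf, sizeof buf, &used, "HTTP_HOST", 9, big, 128) != 142) return -1;
    before = used;
    if (fcgi_env_add(buf, sizeof buf, &used, "HTTP_COOKIE", 11, big, sizeof big) != 0) return -2;
    if (used != before) return -3;             /* refusal must not touch the buffer */
    if (!fcgi_env_get(buf, used, &k, &kl, &v, &vl)) return -4;
    if (kl != 9 || vl != 128 || memcmp(k, "HTTP_HOST", 9) || memcmp(v, big, 128)) return -5;
    return (int)used;
}

/* Constructed input whose value length (300) exceeds the bytes present: must be rejected. */
int fcgi_rejects_truncated(void)
{
    static const unsigned char trunc[] = { 0x01, 0x80, 0x00, 0x01, 0x2c, 'A', 'B' };
    const char *k, *v; size_t kl, vl;
    return fcgi_env_get(trunc, sizeof trunc, &k, &kl, &v, &vl) == 0;
}
```

The point of the design is that the size needed for the pair is computed and compared against the remaining capacity before any memcpy, and that the decoder treats every length prefix as untrusted and checks it against the bytes actually available; a header of any length is then either encoded completely or refused, never partially written past the end of the buffer.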
Re: SECURITY: lighttpd
Lapo Luchini wrote:
> I'll update it ASAP, thanks for the prod.

BTW: the Windows partition of my laptop kinda died, so I can't use the
spare time on the bus.
I'll have to finish it on my main box, competing for free time with paid
jobs...

PS: anyway whoever is using lighttpd for anything other than a local-only
installation (for which security issues are a bit moot) feel very free
to send me personal emails and tell me to be faster, it will help :-P

-- 
Lapo Luchini [EMAIL PROTECTED] (OpenPGP & X.509)
www.lapo.it (Jabber, ICQ, MSN)
Re: SECURITY: lighttpd
Yaakov (Cygwin Ports) wrote:
> Two vulnerabilities have been discovered in Lighttpd, each allowing for
> a Denial of Service.
> 
> Solution: upgrade to >= 1.4.14 (current is 1.4.9)

Uh... whoops. Is that mine? AFAIR yes, I'll update it ASAP, thanks for
the prod.

-- 
Lapo Luchini [EMAIL PROTECTED] (OpenPGP & X.509)
www.lapo.it (Jabber, ICQ, MSN)
SECURITY: lighttpd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Two vulnerabilities have been discovered in Lighttpd, each allowing for
a Denial of Service.

Solution: upgrade to >= 1.4.14 (current is 1.4.9)

More information:
http://security.gentoo.org/glsa/glsa-200705-07.xml
http://bugs.gentoo.org/show_bug.cgi?id=174043
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1870


Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGP/YgpiWmPGlmQSMRCOI3AKCOjsZ0fLtQ1GnqAB+G4r+fUrt0swCfQmS0
5I5vf8ZmoC5s+ufh8pKEi5o=
=e02T
-----END PGP SIGNATURE-----