up to 1.4.36

Important changes:

- [ssl] disable SSL3.0 by default
- escape all strings for logging
- fix segfault when temp file for upload couldn't be created (found by coverity)
- changes to the internal API for buffers, chunks and more; 3rd party plugins are likely to break

ther fixes
- fix hex escape in accesslog (fixes #2559) CVE-2015-3200

diff --git a/env-documentroot.patch b/env-documentroot.patch
index eea738e248916ea92c21df69e2cf8a0b35d3eebd..e225dc3e26e9f18548cc64f060151c43434d2279 100644 (file)
--- a/env-documentroot.patch
+++ b/env-documentroot.patch
@@ -2,16 +2,14 @@ revert:
 
 -  * [*cgi] Use physical base dir (alias, userdir) as DOCUMENT_ROOT in cgi environments (fixes #2216)
  
-Index: src/mod_fastcgi.c
-===================================================================
---- src/mod_fastcgi.c  (revision 2794)
-+++ src/mod_fastcgi.c  (revision 2793)
-@@ -1968,7 +1968,7 @@
-                       if (!buffer_is_empty(host->docroot)) {
-                               buffer_copy_string_buffer(p->path, host->docroot);
+--- lighttpd-1.4.36/src/mod_fastcgi.c~ 2015-07-26 18:30:29.000000000 +0300
++++ lighttpd-1.4.36/src/mod_fastcgi.c  2015-07-26 18:31:50.285226477 +0300
+@@ -1918,7 +1918,7 @@
+                       if (!buffer_string_is_empty(host->docroot)) {
+                               buffer_copy_buffer(p->path, host->docroot);
                        } else {
--                              buffer_copy_string_buffer(p->path, con->physical.basedir);
-+                              buffer_copy_string_buffer(p->path, con->physical.doc_root);
+-                              buffer_copy_buffer(p->path, con->physical.basedir);
++                              buffer_copy_buffer(p->path, con->physical.doc_root);
                        }
                        buffer_append_string_buffer(p->path, con->request.pathinfo);
                        FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("PATH_TRANSLATED"), CONST_BUF_LEN(p->path)),con)
@@ -24,24 +22,22 @@ Index: src/mod_fastcgi.c
        }
  
        if (host->strip_request_uri->used > 1) {
-@@ -3273,7 +3273,6 @@
+@@ -3108,7 +3108,6 @@
                                 */
  
-                               buffer_copy_string_buffer(con->physical.doc_root, host->docroot);
--                              buffer_copy_string_buffer(con->physical.basedir, host->docroot);
+                               buffer_copy_buffer(con->physical.doc_root, host->docroot);
+-                              buffer_copy_buffer(con->physical.basedir, host->docroot);
  
-                               buffer_copy_string_buffer(con->physical.path, host->docroot);
+                               buffer_copy_buffer(con->physical.path, host->docroot);
                                buffer_append_string_buffer(con->physical.path, con->uri.path);
-Index: src/mod_scgi.c
-===================================================================
---- src/mod_scgi.c     (revision 2794)
-+++ src/mod_scgi.c     (revision 2793)
-@@ -1558,7 +1558,7 @@
-               if (!buffer_is_empty(host->docroot)) {
-                       buffer_copy_string_buffer(p->path, host->docroot);
+--- lighttpd-1.4.36/src/mod_scgi.c~    2015-07-26 18:30:29.000000000 +0300
++++ lighttpd-1.4.36/src/mod_scgi.c     2015-07-26 18:33:12.406160926 +0300
+@@ -1547,7 +1547,7 @@
+               if (!buffer_string_is_empty(host->docroot)) {
+                       buffer_copy_buffer(p->path, host->docroot);
                } else {
--                      buffer_copy_string_buffer(p->path, con->physical.basedir);
-+                      buffer_copy_string_buffer(p->path, con->physical.doc_root);
+-                      buffer_copy_buffer(p->path, con->physical.basedir);
++                      buffer_copy_buffer(p->path, con->physical.doc_root);
                }
                buffer_append_string_buffer(p->path, con->request.pathinfo);
                scgi_env_add(p->scgi_env, CONST_STR_LEN("PATH_TRANSLATED"), CONST_BUF_LEN(p->path));
@@ -56,8 +52,8 @@ Index: src/mod_scgi.c
        if (!buffer_is_equal(con->request.uri, con->request.orig_uri)) {
 Index: src/mod_cgi.c
 ===================================================================
---- src/mod_cgi.c      (revision 2794)
-+++ src/mod_cgi.c      (revision 2793)
+--- ./src/mod_cgi.c    (revision 2794)
++++ ./src/mod_cgi.c    (revision 2793)
 @@ -928,7 +928,7 @@
                cgi_env_add(&env, CONST_STR_LEN("CONTENT_LENGTH"), buf, strlen(buf));
                cgi_env_add(&env, CONST_STR_LEN("SCRIPT_FILENAME"), CONST_BUF_LEN(con->physical.path));

diff --git a/lighttpd-branding.patch b/lighttpd-branding.patch
index 9fdf8a5681c31949a202bf6129ea1330e2b480e1..bcb01c5088f9e89fa315b8ce4bef569678a6cf4b 100644 (file)
--- a/lighttpd-branding.patch
+++ b/lighttpd-branding.patch
@@ -1,11 +1,11 @@
---- lighttpd-1.4.22/src/response.c~    2009-04-17 00:50:21.000000000 +0300
-+++ lighttpd-1.4.22/src/response.c     2009-04-17 00:51:22.174367972 +0300
-@@ -105,7 +105,7 @@
+--- lighttpd-1.4.36/src/response.c~    2015-07-26 13:36:36.000000000 +0300
++++ lighttpd-1.4.36/src/response.c     2015-07-26 18:29:48.302220417 +0300
+@@ -109,7 +109,7 @@
  
        if (!have_server) {
                if (buffer_is_empty(con->conf.server_tag)) {
 -                      buffer_append_string_len(b, CONST_STR_LEN("\r\nServer: " PACKAGE_DESC));
 +                      buffer_append_string_len(b, CONST_STR_LEN("\r\nServer: " PACKAGE_DESC " (PLD Linux)"));
-               } else if (con->conf.server_tag->used > 1) {
+               } else if (!buffer_string_is_empty(con->conf.server_tag)) {
                        buffer_append_string_len(b, CONST_STR_LEN("\r\nServer: "));
                        buffer_append_string_encoded(b, CONST_BUF_LEN(con->conf.server_tag), ENCODING_HTTP_HEADER);

diff --git a/lighttpd.spec b/lighttpd.spec
index c2c48943e7dbd5ddcd656aa2c317a4268b6d64e8..ba6cc84006a10873b3c82d257215279b83eb8f04 100644 (file)
--- a/lighttpd.spec
+++ b/lighttpd.spec
@@ -29,12 +29,12 @@
 Summary:       Fast and light HTTP server
 Summary(pl.UTF-8):     Szybki i lekki serwer HTTP
 Name:          lighttpd
-Version:       1.4.35
-Release:       6
+Version:       1.4.36
+Release:       1
 License:       BSD
 Group:         Networking/Daemons/HTTP
-Source0:       http://download.lighttpd.net/lighttpd/releases-1.4.x/%{name}-%{version}.tar.bz2
-# Source0-md5: f7a88130ee9984b421ad8aa80629750a
+Source0:       http://download.lighttpd.net/lighttpd/releases-1.4.x/%{name}-%{version}.tar.xz
+# Source0-md5: 1843daffcb018aa528f6d15d43544654
 Source1:       %{name}.init
 Source2:       %{name}.conf
 Source3:       %{name}.user
@@ -131,8 +131,10 @@ BuildRequires:     pkgconfig
 BuildRequires: rpm >= 4.4.9-56
 BuildRequires: rpmbuild(macros) >= 1.647
 %{?with_webdav_props:BuildRequires:    sqlite3-devel}
+BuildRequires: tar >= 1:1.22
 %{?with_valgrind:BuildRequires:        valgrind}
 BuildRequires: which
+BuildRequires: xz
 BuildRequires: zlib-devel
 Requires(post,preun):  /sbin/chkconfig
 Requires(postun):      /usr/sbin/groupdel
@@ -840,7 +842,7 @@ Plik monitrc do monitorowania serwera www lighttpd.
 %patch3 -p1
 %{?with_deflate:%patch5 -p1}
 %patch6 -p1
-%patch7 -p0
+%patch7 -p1
 
 rm -f src/mod_ssi_exprparser.h # bad patching: should be removed by is emptied instead