232278 2018-10-15 12:03:38 +0000 www/lighttpd: update to 1.4.51 2018-11-09 19:33:21 +0000 1 1 1 Unclassified Ports & Packages Individual Port(s) Latest Any Any Closed FIXED --- Affects Only Me --- 1 pkubaj swills dinoex lantw44 oldest_to_newest 1016189 0 198170 pkubaj 2018-10-15 12:03:38 +0000 Created attachment 198170 patch Update port to newly released 1.4.51. Tested on 11-STABLE. NOTE: this release fixes some *security* bugs, so MHF is recommended. 1016879 1 swills 2018-10-19 00:37:06 +0000 Can you please point to the security issue(s)? Would be good to have a VuXML too, but I can do it if you want. 1016924 2 pkubaj 2018-10-19 08:24:50 +0000 (In reply to Steve Wills from comment #1) I don't know myself what security fixes are in this release. The only info I have is that there are some. That's why I didn't send VuXML. 1016945 3 swills 2018-10-19 12:03:34 +0000 (In reply to Piotr Kubaj from comment #2) I managed to find these: https://www.lighttpd.net/2018/10/14/1.4.51/ https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/df8e4f95614e476276a55e34da2aa8b00b1148e9/diff/src/request.c https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/7e20dc6a4241fd01487d7abaf1492c1d2581c7cb/diff/src/mod_userdir.c but there's no CVE or other announcement. We could create a VuXML entry anyway based on these, but I'm not sure what we'd say except what's in those links. 1016950 4 pkubaj 2018-10-19 12:28:45 +0000 (In reply to Steve Wills from comment #3) FreeBSD has getpwnam(), so the 2nd patch doesn't matter for FreeBSD. But IMO use-after-free fixes are enough for MFC (and we can put that to VuXML entry). 1020923 5 commit-hook 2018-11-09 10:55:47 +0000 A commit references this bug: Author: dinoex Date: Fri Nov 9 10:54:54 UTC 2018 New revision: 484509 URL: https://svnweb.freebsd.org/changeset/ports/484509 Log: - lighttpd - use-after-free vulnerabilities PR: 232278 Changes: head/security/vuxml/vuln.xml 1021018 6 commit-hook 2018-11-09 19:32:01 +0000 A commit references this bug: Author: swills Date: Fri Nov 9 19:30:59 UTC 2018 New revision: 484541 URL: https://svnweb.freebsd.org/changeset/ports/484541 Log: www/lighttpd: update to 1.4.51 PR: 232278 Submitted by: Piotr Kubaj <pkubaj@anongoth.pl> (maintainer) MFH: 2018Q4 Security: 92a6efd0-e40d-11e8-ada4-408d5cf35399 Changes: head/www/lighttpd/Makefile head/www/lighttpd/distinfo 1021019 7 commit-hook 2018-11-09 19:33:05 +0000 A commit references this bug: Author: swills Date: Fri Nov 9 19:32:10 UTC 2018 New revision: 484542 URL: https://svnweb.freebsd.org/changeset/ports/484542 Log: MFH: r484541 www/lighttpd: update to 1.4.51 PR: 232278 Submitted by: Piotr Kubaj <pkubaj@anongoth.pl> (maintainer) Security: 92a6efd0-e40d-11e8-ada4-408d5cf35399 Approved by: ports-secteam (implicit) Changes: _U branches/2018Q4/ branches/2018Q4/www/lighttpd/Makefile branches/2018Q4/www/lighttpd/distinfo 1021020 8 swills 2018-11-09 19:33:21 +0000 Committed, thanks! 198170 2018-10-15 12:03:38 +0000 2018-10-15 12:04:03 +0000 patch lighttpd.patch text/plain 1002 pkubaj SW5kZXg6IE1ha2VmaWxlCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIE1ha2VmaWxlCShyZXZpc2lvbiA0ODIxNTIp CisrKyBNYWtlZmlsZQkod29ya2luZyBjb3B5KQpAQCAtMiw3ICsyLDcgQEAKICMgJEZyZWVCU0Qk CiAKIFBPUlROQU1FPz0JbGlnaHR0cGQKLVBPUlRWRVJTSU9OPQkxLjQuNTAKK1BPUlRWRVJTSU9O PQkxLjQuNTEKIENBVEVHT1JJRVM/PQl3d3cKIE1BU1RFUl9TSVRFUz89CWh0dHA6Ly9kb3dubG9h ZC5saWdodHRwZC5uZXQvbGlnaHR0cGQvcmVsZWFzZXMtMS40LngvCiAKSW5kZXg6IGRpc3RpbmZv Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT0KLS0tIGRpc3RpbmZvCShyZXZpc2lvbiA0ODIxNTIpCisrKyBkaXN0aW5mbwko d29ya2luZyBjb3B5KQpAQCAtMSw1ICsxLDUgQEAKLVRJTUVTVEFNUCA9IDE1MzQxODk0MzYKLVNI QTI1NiAobGlnaHR0cGQtMS40LjUwLnRhci54eikgPSAyOTM3ODMxMmQ4ODg3Y2JjMTRmZmU4YTdm YWRlZjJkNWEwOGM3ZTdlMWJlOTQyNzk1MTQyMzQ2YWQ5NTYyOWViCi1TSVpFIChsaWdodHRwZC0x LjQuNTAudGFyLnh6KSA9IDcxODQ4MAorVElNRVNUQU1QID0gMTUzOTYwNDE4NAorU0hBMjU2IChs aWdodHRwZC0xLjQuNTEudGFyLnh6KSA9IDJhZjlmZGIyNjVkMWYwMjViZmE2MzRlMTM3NzAyMzk3 MTJlY2JkNTg1ZTQ5NzViODIyNmVkZjFkZjc0ZTljODIKK1NJWkUgKGxpZ2h0dHBkLTEuNC41MS50 YXIueHopID0gNzIzMjY4CiBTSEEyNTYgKGxpZ2h0dHBkLTEuNC4yNl9tb2RfaDI2NF9zdHJlYW1p bmctMi4yLjkucGF0Y2gpID0gZGM5YmQ2ZTI2NzU1Y2MyZTNjY2Y2ZWFmOGNjODllNWQ2OTdmNWE4 NzZmNzEzMThiZTY3YjI4MjI1MzY4ZmQ0ZQogU0laRSAobGlnaHR0cGQtMS40LjI2X21vZF9oMjY0 X3N0cmVhbWluZy0yLjIuOS5wYXRjaCkgPSAyNDIwMzcK