Bug 232278

Summary: www/lighttpd: update to 1.4.51
Product: Ports & Packages Reporter: Piotr Kubaj <pkubaj>
Component: Individual Port(s)Assignee: Steve Wills <swills>
Status: Closed FIXED    
Severity: Affects Only Me CC: dinoex, lantw44
Priority: --- Flags: pkubaj: maintainer-feedback+
pkubaj: merge-quarterly?
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
patch pkubaj: maintainer-approval+

Description Piotr Kubaj freebsd_committer freebsd_triage 2018-10-15 12:03:38 UTC 
Created attachment 198170 [details]
patch

Update port to newly released 1.4.51.

Tested on 11-STABLE.

NOTE: this release fixes some *security* bugs, so MHF is recommended.
Comment 1 Steve Wills freebsd_committer freebsd_triage 2018-10-19 00:37:06 UTC 
Can you please point to the security issue(s)? Would be good to have a VuXML too, but I can do it if you want.
Comment 2 Piotr Kubaj freebsd_committer freebsd_triage 2018-10-19 08:24:50 UTC 
(In reply to Steve Wills from comment #1)
I don't know myself what security fixes are in this release.

The only info I have is that there are some. That's why I didn't send VuXML.
Comment 3 Steve Wills freebsd_committer freebsd_triage 2018-10-19 12:03:34 UTC 
(In reply to Piotr Kubaj from comment #2)
I managed to find these:

https://www.lighttpd.net/2018/10/14/1.4.51/

https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/df8e4f95614e476276a55e34da2aa8b00b1148e9/diff/src/request.c

https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/7e20dc6a4241fd01487d7abaf1492c1d2581c7cb/diff/src/mod_userdir.c

but there's no CVE or other announcement. We could create a VuXML entry anyway based on these, but I'm not sure what we'd say except what's in those links.
Comment 4 Piotr Kubaj freebsd_committer freebsd_triage 2018-10-19 12:28:45 UTC 
(In reply to Steve Wills from comment #3)
FreeBSD has getpwnam(), so the 2nd patch doesn't matter for FreeBSD.

But IMO use-after-free fixes are enough for MFC (and we can put that to VuXML entry).
Comment 5 commit-hook freebsd_committer freebsd_triage 2018-11-09 10:55:47 UTC 
A commit references this bug:

Author: dinoex
Date: Fri Nov  9 10:54:54 UTC 2018
New revision: 484509
URL: https://svnweb.freebsd.org/changeset/ports/484509

Log:
  - lighttpd - use-after-free vulnerabilities
  PR:		232278

Changes:
  head/security/vuxml/vuln.xml
Comment 6 commit-hook freebsd_committer freebsd_triage 2018-11-09 19:32:01 UTC 
A commit references this bug:

Author: swills
Date: Fri Nov  9 19:30:59 UTC 2018
New revision: 484541
URL: https://svnweb.freebsd.org/changeset/ports/484541

Log:
  www/lighttpd: update to 1.4.51

  PR:		232278
  Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl> (maintainer)
  MFH:		2018Q4
  Security:	92a6efd0-e40d-11e8-ada4-408d5cf35399

Changes:
  head/www/lighttpd/Makefile
  head/www/lighttpd/distinfo
Comment 7 commit-hook freebsd_committer freebsd_triage 2018-11-09 19:33:05 UTC 
A commit references this bug:

Author: swills
Date: Fri Nov  9 19:32:10 UTC 2018
New revision: 484542
URL: https://svnweb.freebsd.org/changeset/ports/484542

Log:
  MFH: r484541

  www/lighttpd: update to 1.4.51

  PR:		232278
  Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl> (maintainer)
  Security:	92a6efd0-e40d-11e8-ada4-408d5cf35399
  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2018Q4/
  branches/2018Q4/www/lighttpd/Makefile
  branches/2018Q4/www/lighttpd/distinfo
Comment 8 Steve Wills freebsd_committer freebsd_triage 2018-11-09 19:33:21 UTC 
Committed, thanks!