Bug 232278 - www/lighttpd: update to 1.4.51
Summary: www/lighttpd: update to 1.4.51
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Steve Wills
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-15 12:03 UTC by Piotr Kubaj
Modified: 2018-11-09 19:33 UTC

See Also:
pkubaj: maintainer-feedback+
pkubaj: merge-quarterly?


Attachments
patch (1002 bytes, patch)
2018-10-15 12:03 UTC, Piotr Kubaj
pkubaj: maintainer-approval+

Description Piotr Kubaj 2018-10-15 12:03:38 UTC
Created attachment 198170
patch

Update port to newly released 1.4.51.

Tested on 11-STABLE.

NOTE: this release fixes some *security* bugs, so MFH is recommended.
Comment 1 Steve Wills freebsd_committer 2018-10-19 00:37:06 UTC
Can you please point to the security issue(s)? Would be good to have a VuXML too, but I can do it if you want.
Comment 2 Piotr Kubaj 2018-10-19 08:24:50 UTC
(In reply to Steve Wills from comment #1)
I don't know myself what security fixes are in this release.

The only info I have is that there are some. That's why I didn't send VuXML.
Comment 3 Steve Wills freebsd_committer 2018-10-19 12:03:34 UTC
(In reply to Piotr Kubaj from comment #2)
I managed to find these:

https://www.lighttpd.net/2018/10/14/1.4.51/

https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/df8e4f95614e476276a55e34da2aa8b00b1148e9/diff/src/request.c

https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/7e20dc6a4241fd01487d7abaf1492c1d2581c7cb/diff/src/mod_userdir.c

but there's no CVE or other announcement. We could create a VuXML entry anyway based on these, but I'm not sure what we'd say except what's in those links.
Comment 4 Piotr Kubaj 2018-10-19 12:28:45 UTC
(In reply to Steve Wills from comment #3)
FreeBSD has getpwnam(), so the 2nd patch doesn't matter for FreeBSD.

But IMO use-after-free fixes are enough for MFC (and we can put that in the VuXML entry).
Comment 5 commit-hook freebsd_committer 2018-11-09 10:55:47 UTC
A commit references this bug:

Author: dinoex
Date: Fri Nov  9 10:54:54 UTC 2018
New revision: 484509
URL: https://svnweb.freebsd.org/changeset/ports/484509

Log:
  - lighttpd - use-after-free vulnerabilities
  PR:		232278

Changes:
  head/security/vuxml/vuln.xml
Comment 6 commit-hook freebsd_committer 2018-11-09 19:32:01 UTC
A commit references this bug:

Author: swills
Date: Fri Nov  9 19:30:59 UTC 2018
New revision: 484541
URL: https://svnweb.freebsd.org/changeset/ports/484541

Log:
  www/lighttpd: update to 1.4.51

  PR:		232278
  Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl> (maintainer)
  MFH:		2018Q4
  Security:	92a6efd0-e40d-11e8-ada4-408d5cf35399

Changes:
  head/www/lighttpd/Makefile
  head/www/lighttpd/distinfo
Comment 7 commit-hook freebsd_committer 2018-11-09 19:33:05 UTC
A commit references this bug:

Author: swills
Date: Fri Nov  9 19:32:10 UTC 2018
New revision: 484542
URL: https://svnweb.freebsd.org/changeset/ports/484542

Log:
  MFH: r484541

  www/lighttpd: update to 1.4.51

  PR:		232278
  Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl> (maintainer)
  Security:	92a6efd0-e40d-11e8-ada4-408d5cf35399
  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2018Q4/
  branches/2018Q4/www/lighttpd/Makefile
  branches/2018Q4/www/lighttpd/distinfo
Comment 8 Steve Wills freebsd_committer 2018-11-09 19:33:21 UTC
Committed, thanks!