232278 – www/lighttpd: update to 1.4.51

Bug 232278 - www/lighttpd: update to 1.4.51

Summary: www/lighttpd: update to 1.4.51

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	Steve Wills

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-10-15 12:03 UTC by Piotr Kubaj
Modified:	2018-11-09 19:33 UTC (History)
CC List:	2 users (show)

See Also:

Flags:	pkubaj: maintainer-feedback+ pkubaj: merge-quarterly?

Attachments
patch (1002 bytes, patch) 2018-10-15 12:03 UTC, Piotr Kubaj	pkubaj: maintainer-approval+	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Piotr Kubaj freebsd_committer

2018-10-15 12:03:38 UTC

Created attachment 198170 [details]
patch

Update port to newly released 1.4.51.

Tested on 11-STABLE.

NOTE: this release fixes some *security* bugs, so MHF is recommended.

Comment 1 Steve Wills freebsd_committer

2018-10-19 00:37:06 UTC

Can you please point to the security issue(s)? Would be good to have a VuXML too, but I can do it if you want.

Comment 2 Piotr Kubaj freebsd_committer

2018-10-19 08:24:50 UTC

(In reply to Steve Wills from comment #1)
I don't know myself what security fixes are in this release.

The only info I have is that there are some. That's why I didn't send VuXML.

Comment 3 Steve Wills freebsd_committer

2018-10-19 12:03:34 UTC

(In reply to Piotr Kubaj from comment #2)
I managed to find these:

https://www.lighttpd.net/2018/10/14/1.4.51/

https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/df8e4f95614e476276a55e34da2aa8b00b1148e9/diff/src/request.c

https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/7e20dc6a4241fd01487d7abaf1492c1d2581c7cb/diff/src/mod_userdir.c

but there's no CVE or other announcement. We could create a VuXML entry anyway based on these, but I'm not sure what we'd say except what's in those links.

Comment 4 Piotr Kubaj freebsd_committer

2018-10-19 12:28:45 UTC

(In reply to Steve Wills from comment #3)
FreeBSD has getpwnam(), so the 2nd patch doesn't matter for FreeBSD.

But IMO use-after-free fixes are enough for MFC (and we can put that to VuXML entry).

Comment 5 commit-hook freebsd_committer

2018-11-09 10:55:47 UTC

A commit references this bug:

Author: dinoex
Date: Fri Nov  9 10:54:54 UTC 2018
New revision: 484509
URL: https://svnweb.freebsd.org/changeset/ports/484509

Log:
  - lighttpd - use-after-free vulnerabilities
  PR:		232278

Changes:
  head/security/vuxml/vuln.xml

Comment 6 commit-hook freebsd_committer

2018-11-09 19:32:01 UTC

A commit references this bug:

Author: swills
Date: Fri Nov  9 19:30:59 UTC 2018
New revision: 484541
URL: https://svnweb.freebsd.org/changeset/ports/484541

Log:
  www/lighttpd: update to 1.4.51

  PR:		232278
  Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl> (maintainer)
  MFH:		2018Q4
  Security:	92a6efd0-e40d-11e8-ada4-408d5cf35399

Changes:
  head/www/lighttpd/Makefile
  head/www/lighttpd/distinfo

Comment 7 commit-hook freebsd_committer

2018-11-09 19:33:05 UTC

A commit references this bug:

Author: swills
Date: Fri Nov  9 19:32:10 UTC 2018
New revision: 484542
URL: https://svnweb.freebsd.org/changeset/ports/484542

Log:
  MFH: r484541

  www/lighttpd: update to 1.4.51

  PR:		232278
  Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl> (maintainer)
  Security:	92a6efd0-e40d-11e8-ada4-408d5cf35399
  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2018Q4/
  branches/2018Q4/www/lighttpd/Makefile
  branches/2018Q4/www/lighttpd/distinfo

Comment 8 Steve Wills freebsd_committer

2018-11-09 19:33:21 UTC

Committed, thanks!