diff --git a/CVE-2022-37797.patch b/CVE-2022-37797.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d5cc1975f1356800215e38da3090a8162747ca59
--- /dev/null
+++ b/CVE-2022-37797.patch
@@ -0,0 +1,31 @@
+From a8f7ea10802f6363146e11e2552177bc1e5a6e12 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss
+Date: Tue, 13 Sep 2022 05:51:02 +0000
+Subject: [PATCH] [mod_wstunnel] fix crash with bad hybivers (fixes #3165)
+
+x-ref:
+ "mod_wstunnel null pointer dereference"
+ https://redmine.lighttpd.net/issues/3165
+---
+ src/mod_wstunnel.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
+index 6d17d4d..97b89f0 100644
+--- a/src/mod_wstunnel.c
++++ b/src/mod_wstunnel.c
+@@ -483,7 +483,10 @@ static handler_t wstunnel_handler_setup (request_st * const r, plugin_data * con
+ hctx->errh = r->conf.errh;/*(for mod_wstunnel-specific DEBUG_* macros)*/
+ hctx->conf = p->conf; /*(copies struct)*/
+ hybivers = wstunnel_check_request(r, hctx);
+- if (hybivers < 0) return HANDLER_FINISHED;
++ if (hybivers < 0) {
++ r->handler_module = NULL;
++ return HANDLER_FINISHED;
++ }
+ hctx->hybivers = hybivers;
+ if (0 == hybivers) {
+ DEBUG_LOG_INFO("WebSocket Version = %s", "hybi-00");
+--
+2.33.0
+
diff --git a/lighttpd-1.4.53.tar.gz b/lighttpd-1.4.53.tar.gz
deleted file mode 100644
index cbe7e36cf8572a92386ea3aac362bd5859f5e99e..0000000000000000000000000000000000000000
Binary files a/lighttpd-1.4.53.tar.gz and /dev/null differ
diff --git a/lighttpd-1.4.45-defaultconf.patch b/lighttpd-1.4.56-defaultconf.patch
similarity index 62%
rename from lighttpd-1.4.45-defaultconf.patch
rename to lighttpd-1.4.56-defaultconf.patch
index 97d48ad836f782736c6a5a587c5db9dc944c698d..68fd07c7b16696ae2ee29c962e0f58968d786f26 100644
--- a/lighttpd-1.4.45-defaultconf.patch
+++ b/lighttpd-1.4.56-defaultconf.patch
@@ -1,25 +1,3 @@
---- doc/config/lighttpd.conf~ 2014-03-12 11:40:36.000000000 -0500
-+++ doc/config/lighttpd.conf 2014-07-07 08:22:46.934838985 -0500
-@@ -417,7 +417,7 @@
- ## # Check your cipher list with: openssl ciphers -v '...' (use single quotes as your shell won't like ! in double quotes)
- ## #
- ## # If you know you have RSA keys (standard), you can use:
--## ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"
-+## ssl.cipher-list = "PROFILE=SYSTEM"
- ## # The more generic version (without the restriction to RSA keys) is
- ## # ssl.cipher-list = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK"
- ## #
---- doc/config/lighttpd.conf~ 2016-03-01 10:14:50.000000000 -0500
-+++ doc/config/lighttpd.conf 2016-03-01 10:17:59.194568947 -0500
-@@ -14,7 +14,7 @@
- ## chroot example aswell.
- ##
- var.log_root = "/var/log/lighttpd"
--var.server_root = "/srv/www"
-+var.server_root = "/var/www"
- var.state_dir = "/var/run"
- var.home_dir = "/var/lib/lighttpd"
- var.conf_dir = "/etc/lighttpd"
 --- doc/config/lighttpd.conf.orig 2016-07-19 09:09:39.000000000 -0500
 +++ doc/config/lighttpd.conf 2016-07-19 09:25:40.282577966 -0500
 @@ -204,7 +204,9 @@
@@ -55,3 +33,36 @@ ## #######################################################################
+--- doc/config/lighttpd.conf~ 2020-04-27 10:48:12.000000000 -0500
++++ doc/config/lighttpd.conf 2020-04-27 10:55:12.145316446 -0500
+@@ -90,7 +90,7 @@
+ ##
+ ## Use IPv6?
+ ##
+-server.use-ipv6 = "enable"
++#server.use-ipv6 = "enable"
+
+ ##
+ ## bind to a specific IP
+--- doc/config/lighttpd.conf~ 2020-10-26 14:23:23.000000000 -0500
++++ doc/config/lighttpd.conf 2020-10-26 14:27:55.577840608 -0500
+@@ -14,8 +14,8 @@
+ ## chroot example aswell.
+ ##
+ var.log_root = "/var/log/lighttpd"
+-var.server_root = "/srv/www"
+-var.state_dir = "/run"
++var.server_root = "/var/www"
++var.state_dir = "/run/lighttpd"
+ var.home_dir = "/var/lib/lighttpd"
+ var.conf_dir = "/etc/lighttpd"
+
+@@ -438,7 +438,7 @@
+ ##
+ ## # Check your cipher list with: openssl ciphers -v '...'
+ ## # (use single quotes as your shell won't like ! in double quotes)
+-## #ssl.cipher-list = "HIGH" # default
++## #ssl.cipher-list = "PROFILE=SYSTEM"
+ ##
+ ## # (recommended to accept only TLSv1.2 and TLSv1.3)
+ ## #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
diff --git a/lighttpd-1.4.56.tar.gz b/lighttpd-1.4.56.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..0c893e19f7f8d688d6f1633938bda7849a7d4a90
Binary files /dev/null and b/lighttpd-1.4.56.tar.gz differ
diff --git a/lighttpd.spec b/lighttpd.spec
index 65afeed7035c5ebc90159e5c2b465c8fc2998717..010800644237b8acdc8da24d4d0b147d5f310db1 100644
--- a/lighttpd.spec
+++ b/lighttpd.spec
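Review bot: The replacement line `+## #ssl.cipher-list = "PROFILE=SYSTEM"` in the `@@ -438,7 +438,7 @@` inner hunk is still commented out, so it changes only the example text, yet it drops the old `# default` remark that told readers the built-in cipher list is `"HIGH"`; as written the example reads as if the system crypto policy were in effect when the shipped config still leaves lighttpd's own default active. Keep the remark, e.g. `+## #ssl.cipher-list = "PROFILE=SYSTEM" # (built-in default is "HIGH"; uncomment to opt in)`, so an administrator auditing TLS settings is not misled. Separately, `+var.state_dir = "/run/lighttpd"` in the `@@ -14,8 +14,8 @@` inner hunk moves the state directory off `/run`; presumably it is used for the pid file elsewhere in the config, and whatever creates that directory at boot (tmpfiles or the unit) is not visible in this diff, so verify it exists before the service starts.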
@@ -19,17 +19,18 @@
 %bcond_without systemd
 Summary: Lightning fast webserver with light system requirements
 Name: lighttpd
-Version: 1.4.53
-Release: 2
+Version: 1.4.56
+Release: 1
 License: BSD-3-Clause and OML and GPLv3 and GPLv2
 URL: https://github.com/lighttpd/lighttpd1.4
-Source0: https://github.com/lighttpd/lighttpd1.4/archive/lighttpd-1.4.53.tar.gz
+Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.gz
 Source1: lighttpd.logrotate
 Source2: php.d-lighttpd.ini
 Source3: lighttpd.init
 Source4: lighttpd.service
-Patch0: lighttpd-1.4.45-defaultconf.patch
+Patch0: lighttpd-1.4.56-defaultconf.patch
 Patch1: CVE-2022-22707.patch
+Patch2: CVE-2022-37797.patch
 Requires: %{name}-filesystem
 %if %{with systemd}
 Requires(post): systemd
@@ -105,9 +106,10 @@ for the lighttpd server including the correct permissions for the directories.
 
 
 %prep
-%setup -q -n lighttpd1.4-%{name}-%{version}
+%setup -q
 %patch0 -p0 -b .defaultconf
 %patch1 -p1
+%patch2 -p1
 
 %build
 autoreconf -if
@@ -254,6 +256,9 @@ fi
 %attr(0700, lighttpd, lighttpd) %dir %{webroot}/
 
 %changelog
+* Wed Sep 21 2022 yaoxin - 1.4.56-1
+- Update to 1.4.56 and fix CVE-2022-37797
+
 * Fri Jan 14 2022 yaoxin - 1.4.53-2
 - Fix CVE-2022-22707
 
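Review bot: The new `Source0` line fetches the release tarball over plain `http://`, replacing an `https://` GitHub URL, so anyone re-fetching the source from this spec gets no transport integrity, and nothing in the spec ties the committed tarball to an upstream checksum or signature. Use `Source0: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.gz` (the same host should serve the path over TLS; confirm once), and consider recording the upstream-published checksum or `.asc` for the 1.4.56 tarball alongside it. The tarball in this commit is a binary blob, so the URL is the only provenance record a reviewer has.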
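Review bot: `%patch2 -p1` applies CVE-2022-37797.patch as an unmodified upstream `format-patch`: its `index 6d17d4d..97b89f0` and `@@ -483,7 +483,10 @@` come from the upstream tree of September 2022, not from the 1.4.56 tarball that `%setup -q` now unpacks, so the hunk may land only with offset or fuzz. Confirm in the build log that it applies cleanly inside `wstunnel_handler_setup` with the `hybivers = wstunnel_check_request(r, hctx);` context intact, or regenerate the patch against the 1.4.56 source. A comment above the `Patch2:` line in the preamble, e.g. `# backport of upstream a8f7ea10802f6363146e11e2552177bc1e5a6e12 (lighttpd issue #3165)`, would make the origin of the fix traceable without opening the patch.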