diff --git a/492773a20f8a1deb1c94e25d40023970dd9608a1.patch b/492773a20f8a1deb1c94e25d40023970dd9608a1.patch
deleted file mode 100644
index 1be7f43b78a06cff0f716743b8f89d07139f1f31..0000000000000000000000000000000000000000
--- a/492773a20f8a1deb1c94e25d40023970dd9608a1.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 492773a20f8a1deb1c94e25d40023970dd9608a1 Mon Sep 17 00:00:00 2001
-From: Glenn Strauss
-Date: Sun, 5 Dec 2021 07:50:17 -0500
-Subject: [PATCH] [core] fix trace issued for loading mod_auth (fixes #3121)
-
-fix trace issued for loading mod_auth after dynamic modules
-
-x-ref:
- "Curious message on startup with version 1.4.63"
- https://redmine.lighttpd.net/boards/2/topics/10182
- "mod_auth warning on startup"
- https://redmine.lighttpd.net/issues/3121
----
- src/configfile.c | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/src/configfile.c b/src/configfile.c
-index 5760bb43..033f2c46 100644
---- a/src/configfile.c
-+++ b/src/configfile.c
-@@ -369,6 +369,7 @@ static void config_compat_module_load (server *srv) {
- int contains_mod_auth = 0;
- int prepend_mod_auth = 0;
- int prepend_mod_vhostdb = 0;
-+ const char *dyn_name = NULL;
- 
- for (uint32_t i = 0; i < srv->srvconf.modules->used; ++i) {
- buffer *m = &((data_string *)srv->srvconf.modules->data[i])->value;
-@@ -390,8 +391,15 @@ static void config_compat_module_load (server *srv) {
- else if (buffer_eq_slen(m, CONST_STR_LEN("mod_wolfssl")))
- append_mod_openssl = 0;
- else if (0 == strncmp(m->ptr, "mod_auth", sizeof("mod_auth")-1)) {
-- if (buffer_eq_slen(m, CONST_STR_LEN("mod_auth")))
-- contains_mod_auth = 1;
-+ if (buffer_eq_slen(m, CONST_STR_LEN("mod_auth"))) {
-+ if (!contains_mod_auth) {
-+ contains_mod_auth = 1;
-+ if (dyn_name)
-+ log_error(srv->errh, __FILE__, __LINE__,
-+ "Warning: mod_auth should be listed in server.modules"
-+ " before dynamic backends such as %s", dyn_name);
-+ }
-+ }
- else if (!contains_mod_auth)
- prepend_mod_auth = 1;
- 
-@@ -422,11 +430,8 @@ static void config_compat_module_load (server *srv) {
- sizeof("mod_sockproxy")-1)
- || 0 == strncmp(m->ptr, "mod_wstunnel",
- sizeof("mod_wstunnel")-1)) {
-- if (!contains_mod_auth) {
-- log_error(srv->errh, __FILE__, __LINE__,
-- "Warning: mod_auth should be listed in 
server.modules before "
-- "dynamic backends such as %s", m->ptr);
-- }
-+ if (NULL == dyn_name)
-+ dyn_name = m->ptr;
- }
- }
- 
diff --git a/5a257fab511225bbfa56b4f1a8b2bb7085f96478.patch b/5a257fab511225bbfa56b4f1a8b2bb7085f96478.patch
deleted file mode 100644
index 1ee5501cb600f27a2570a7d6690958b6357127da..0000000000000000000000000000000000000000
--- a/5a257fab511225bbfa56b4f1a8b2bb7085f96478.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 5a257fab511225bbfa56b4f1a8b2bb7085f96478 Mon Sep 17 00:00:00 2001
-From: Glenn Strauss
-Date: Wed, 8 Dec 2021 18:42:31 -0500
-Subject: [PATCH] [core] make setrlimit() warn, not fatal
-
-(thx limb)
-
-make setrlimit() issue warning on error, not fatal,
-and add suggesting to configure SELinux permissions
----
- src/server.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/server.c b/src/server.c
-index f2ff7b73..beca364a 100644
---- a/src/server.c
-+++ b/src/server.c
-@@ -1357,7 +1357,8 @@ static int server_main_setup (server * const srv, int argc, char **argv) {
- 
- if (0 != setrlimit(RLIMIT_NOFILE, &rlim)) {
- log_perror(srv->errh, __FILE__, __LINE__, "setrlimit()");
-- return -1;
-+ log_error(srv->errh, __FILE__, __LINE__, "setrlimit() may need root to run once: setsebool -P httpd_setrlimit on");
-+ use_rlimit = 0;
- }
- }
- 
diff --git a/CVE-2022-22707.patch b/CVE-2022-22707.patch
deleted file mode 100644
index c1bc180e61c5a3b74c55760c4c13423020e0f20e..0000000000000000000000000000000000000000
--- a/CVE-2022-22707.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 8c62a890e23f5853b1a562b03fe3e1bccc6e7664 Mon Sep 17 00:00:00 2001
-From: povcfe
-Date: Wed, 5 Jan 2022 11:11:09 +0000
-Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
-
-(thx povcfe)
-
-(edited: gstrauss)
-
-There is a potential remote denial of service in lighttpd mod_extforward
-under specific, non-default and uncommon 32-bit lighttpd mod_extforward
-configurations.
-
-Under specific, non-default and uncommon lighttpd mod_extforward
-configurations, a remote attacker can trigger a 4-byte out-of-bounds
-write of value '-1' to the stack. This is not believed to be exploitable
-in any way beyond triggering a crash of the lighttpd server on systems
-where the lighttpd server has been built 32-bit and with compiler flags
-which enable a stack canary -- gcc/clang -fstack-protector-strong or
--fstack-protector-all, but bug not visible with only -fstack-protector.
-
-With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
-this bug has not been observed to cause adverse behavior, even with
-gcc/clang -fstack-protector-strong.
-
-For the bug to be reachable, the user must be using a non-default
-lighttpd configuration which enables mod_extforward and configures
-mod_extforward to accept and parse the "Forwarded" header from a trusted
-proxy. At this time, support for RFC7239 Forwarded is not common in CDN
-providers or popular web server reverse proxies. It bears repeating that
-for the user to desire to configure lighttpd mod_extforward to accept
-"Forwarded", the user must also be using a trusted proxy (in front of
-lighttpd) which understands and actively modifies the "Forwarded" header
-sent to lighttpd.
-
-lighttpd natively supports RFC7239 "Forwarded"
-hiawatha natively supports RFC7239 "Forwarded"
-
-nginx can be manually configured to add a "Forwarded" header
-https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
-
-A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
-in front of another 32-bit lighttpd will detect and reject a malicious
-"Forwarded" request header, thereby thwarting an attempt to trigger
-this bug in an upstream 32-bit lighttpd.
-
-The following servers currently do not natively support RFC7239 Forwarded:
-nginx
-apache2
-caddy
-node.js
-haproxy
-squid
-varnish-cache
-litespeed
-
-Given the general dearth of support for RFC7239 Forwarded in popular
-CDNs and web server reverse proxies, and given the prerequisites in
-lighttpd mod_extforward needed to reach this bug, the number of lighttpd
-servers vulnerable to this bug is estimated to be vanishingly small.
-Large systems using reverse proxies are likely running 64-bit lighttpd,
-which is not known to be adversely affected by this bug.
-
-In the future, it is desirable for more servers to implement RFC7239
-Forwarded. lighttpd developers would like to thank povcfe for reporting
-this bug so that it can be fixed before more CDNs and web servers
-implement RFC7239 Forwarded.
-
-x-ref:
- "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
- https://redmine.lighttpd.net/issues/3134
- (not yet written or published)
- CVE-2022-22707
----
- src/mod_extforward.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/mod_extforward.c b/src/mod_extforward.c
-index 733231fd2..1a04befa6 100644
---- a/src/mod_extforward.c
-+++ b/src/mod_extforward.c
-@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
- while (s[i] == ' ' || s[i] == '\t') ++i;
- if (s[i] == ';') { ++i; continue; }
- if (s[i] == ',') {
-- if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
-+ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
- offsets[++j] = -1; /*("offset" separating params from next proxy)*/
- ++i;
- continue;
diff --git a/CVE-2022-37797.patch b/CVE-2022-37797.patch
deleted file mode 100644
index d5cc1975f1356800215e38da3090a8162747ca59..0000000000000000000000000000000000000000
--- a/CVE-2022-37797.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From a8f7ea10802f6363146e11e2552177bc1e5a6e12 Mon Sep 17 00:00:00 2001
-From: Glenn Strauss
-Date: Tue, 13 Sep 2022 05:51:02 +0000
-Subject: [PATCH] [mod_wstunnel] fix crash with bad hybivers (fixes #3165)
-
-x-ref:
- "mod_wstunnel null pointer dereference"
- https://redmine.lighttpd.net/issues/3165
----
- src/mod_wstunnel.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
-index 6d17d4d..97b89f0 100644
---- a/src/mod_wstunnel.c
-+++ b/src/mod_wstunnel.c
-@@ -483,7 +483,10 @@ static handler_t wstunnel_handler_setup (request_st * const r, plugin_data * con
- hctx->errh = r->conf.errh;/*(for mod_wstunnel-specific DEBUG_* macros)*/
- hctx->conf = p->conf; /*(copies struct)*/
- hybivers = wstunnel_check_request(r, hctx);
-- if (hybivers < 0) return HANDLER_FINISHED;
-+ if (hybivers < 0) {
-+ r->handler_module = NULL;
-+ return HANDLER_FINISHED;
-+ }
- hctx->hybivers = hybivers;
- if (0 == hybivers) {
- DEBUG_LOG_INFO("WebSocket Version = %s", "hybi-00");
---
-2.33.0
-
diff --git a/lighttpd-1.4.63.tar.gz b/lighttpd-1.4.63.tar.gz
deleted file mode 100644
index 4bcde1aba12ef1e889a09bf44850679c6638f9a3..0000000000000000000000000000000000000000
Binary files a/lighttpd-1.4.63.tar.gz and /dev/null differ
diff --git a/lighttpd-1.4.62-defaultconf.patch b/lighttpd-1.4.65-defaultconf.patch
similarity index 72%
rename from lighttpd-1.4.62-defaultconf.patch
rename to lighttpd-1.4.65-defaultconf.patch
index 9139242d029c6660e48f49ffcfcae7ba7a24a01e..5981e3974ba31a2c50194e4cdf9a1b88b64198a5 100644
--- a/lighttpd-1.4.62-defaultconf.patch
+++ b/lighttpd-1.4.65-defaultconf.patch
@@ -20,3 +20,14 @@ ## ## # (recommended to accept only TLSv1.2 and TLSv1.3) ## #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # default +--- doc/config/lighttpd.conf~ 2022-07-28 10:49:14.928564535 -0500 ++++ doc/config/lighttpd.conf 2022-07-28 10:49:47.161444622 -0500 +@@ -118,7 +118,7 @@ + ## + ## Document root + ## +-server.document-root = server_root + "/htdocs" ++server.document-root = server_root + "/lighttpd" + + ## + ## The value for the "Server:" response field. diff --git a/lighttpd-1.4.67.tar.xz b/lighttpd-1.4.67.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..014642aea1771074e8a0e7a1976a70c537cef9b5 Binary files /dev/null and b/lighttpd-1.4.67.tar.xz differ diff --git a/lighttpd.spec b/lighttpd.spec index 1b57da703a35184fb9421221b02a8e1e9a224623..df4996291f54c5d127050b7a534e9f9a440ae59d 100644 --- a/lighttpd.spec +++ b/lighttpd.spec @@ -19,20 +19,16 @@ %bcond_without systemd Summary: Lightning fast webserver with light system requirements Name: lighttpd -Version: 1.4.63 -Release: 5 +Version: 1.4.67 +Release: 1 License: BSD-3-Clause and OML and GPLv3 and GPLv2 URL: https://github.com/lighttpd/lighttpd1.4 -Source0: https://github.com/lighttpd/lighttpd1.4/archive/lighttpd-1.4.63.tar.gz +Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.xz Source1: lighttpd.logrotate Source2: php.d-lighttpd.ini Source3: lighttpd.init Source4: lighttpd.service -Patch0: lighttpd-1.4.62-defaultconf.patch -Patch1: 5a257fab511225bbfa56b4f1a8b2bb7085f96478.patch -Patch2: 492773a20f8a1deb1c94e25d40023970dd9608a1.patch -Patch3: CVE-2022-22707.patch -Patch4: CVE-2022-37797.patch +Patch0: lighttpd-1.4.65-defaultconf.patch Requires: %{name}-filesystem %if %{with systemd} Requires(post): systemd 
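Review bot: The new `Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.xz` in hunk `@@ -19,20 +19,16 @@` fetches the release over plain http, replacing the https GitHub URL it supersedes, so anyone re-downloading the source from the spec gets no transport integrity, and the spec records no digest or signature to check the committed `lighttpd-1.4.67.tar.xz` against. Prefer `Source0: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.xz` (the upstream download host appears to serve https as well) and keep the upstream-published checksum for the tarball next to the spec so the vendored archive can be verified at update time. The renamed patch is still called `lighttpd-1.4.65-defaultconf.patch` while `Version` is now 1.4.67; if the name records the release it was last rebased on, a one-line comment above `Patch0` saying so would stop the next updater from assuming it is stale.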
@@ -55,6 +51,12 @@ BuildRequires: /usr/bin/awk, libattr-devel %{?with_memcache:BuildRequires: memcached-devel} %{?with_lua:BuildRequires: lua-devel} +Provides: %{name}-mod_authn_mysql = %{version}-%{release} +Obsoletes: %{name}-mod_authn_mysql <= 1.4.63-1 + +Provides: %{name}-mod_mysql_vhost = %{version}-%{release} +Obsoletes: %{name}-mod_mysql_vhost <= 1.4.63-1 + %description Secure, fast, compliant and very flexible web-server which has been optimized for high-performance environments. It has a very low memory footprint compared @@ -110,10 +112,6 @@ for the directories. %prep %setup -q %patch0 -p0 -b .defaultconf -%patch1 -p1 -b .setrlimit -%patch2 -p1 -b .fixtrace -%patch3 -p1 -%patch4 -p1 %build autoreconf -if @@ -199,7 +197,6 @@ fi %config(noreplace) %{_sysconfdir}/lighttpd/*.conf %config(noreplace) %{_sysconfdir}/lighttpd/conf.d/*.conf %exclude %{_sysconfdir}/lighttpd/conf.d/fastcgi.conf -%exclude %{_sysconfdir}/lighttpd/conf.d/mysql_vhost.conf %config %{_sysconfdir}/lighttpd/conf.d/mod.template %config %{_sysconfdir}/lighttpd/vhosts.d/vhosts.template %config(noreplace) %{_sysconfdir}/logrotate.d/lighttpd @@ -216,8 +213,6 @@ fi %{_libdir}/lighttpd/ %exclude %{_libdir}/lighttpd/*.la %exclude %{_libdir}/lighttpd/mod_fastcgi.so -%exclude %{_libdir}/lighttpd/mod_mysql_vhost.so -%exclude %{_libdir}/lighttpd/mod_authn_mysql.so %exclude %{_libdir}/lighttpd/mod_authn_gssapi.so %{_mandir}/man8/lighttpd*8* @@ -229,14 +224,10 @@ fi %{_libdir}/lighttpd/mod_fastcgi.so %files mod_mysql_vhost -%doc doc/outdated/mysqlvhost.txt -%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/mysql_vhost.conf %dir %{_libdir}/lighttpd/ -%{_libdir}/lighttpd/mod_mysql_vhost.so %files mod_authn_mysql %dir %{_libdir}/lighttpd/ -%{_libdir}/lighttpd/mod_authn_mysql.so %files mod_authn_gssapi %dir %{_libdir}/lighttpd/ 
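Review bot: The new `Obsoletes: %{name}-mod_authn_mysql <= 1.4.63-1` and `Obsoletes: %{name}-mod_mysql_vhost <= 1.4.63-1` in hunk `@@ -55,6 +51,12 @@` do not cover the builds being replaced: the changelog shows the last release as 1.4.63-5, so an installed `lighttpd-mod_authn_mysql-1.4.63-5` is not obsoleted by `<= 1.4.63-1`. Use `Obsoletes: %{name}-mod_authn_mysql < %{version}-%{release}` and the same form for mod_mysql_vhost. In hunk `@@ -229,14 +224,10 @@` the `%files mod_mysql_vhost` and `%files mod_authn_mysql` sections survive with only `%dir %{_libdir}/lighttpd/` in them, so this build still emits subpackages with the very names the main package now Provides and Obsoletes; dropping those two `%files` sections (and their `%package` stanzas, which lie outside these hunks) would leave the Provides/Obsoletes pair as the single upgrade path. The removal of `%patch3 -p1` and `%patch4 -p1` in hunk `@@ -110,10 +112,6 @@` is presumably safe because 1.4.67 already carries the CVE-2022-22707 and CVE-2022-37797 fixes, but the changelog entry names only CVE-2022-41556; stating that the two dropped patches are now upstream would make the intent explicit.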
@@ -260,6 +251,9 @@ fi %attr(0700, lighttpd, lighttpd) %dir %{webroot}/ %changelog +* Wed Oct 12 2022 liangqifeng - 1.4.67-1 +- update to 1.4.67 to fix CVE-2022-41556 + * Tue Sep 13 2022 cenhuilin - 1.4.63-5 - Fix CVE-2022-37797