debian/0000775000000000000000000000000012271762020007167 5ustar debian/lighttpd.lintian-overrides0000664000000000000000000000053612271762011014372 0ustar # Policy says in §10.9: "Directories should be mode 755 or (for # group-writability) mode 2775." This is not preferred for sensible information # like log files which may disclose error messages or session URLs. Therefore we # consider Lintian being wrong here and an override to be appropriate. non-standard-dir-perm var/log/lighttpd/ 0750 != 0755 debian/lighttpd.postinst0000664000000000000000000000142612271762011012616 0ustar #! /bin/sh -e # postinst script for lighttpd set -e if [ "$1" = "configure" ]; then if [ ! -r /var/www/index.lighttpd.html ]; then cp /usr/share/lighttpd/index.html /var/www/index.lighttpd.html fi # Remove a possibly dangling symlink for the obsolete conffile if dpkg --compare-versions "$2" lt-nl "1.4.32-1" && \ [ -L /etc/lighttpd/conf-enabled/10-access.conf -a \ ! -f /etc/lighttpd/conf-available/10-access.conf ]; then rm -f /etc/lighttpd/conf-enabled/10-access.conf fi fi # dh_installinit will call this function upon failure of rc.d invocation # Fixes: #383425 start_failed() { echo "Failed to start Lighttpd. Maybe another webserver is already listening on port 80?" exit 0 } #DEBHELPER# exit 0 debian/lighttpd.manpages0000664000000000000000000000003412271762011012520 0ustar debian/lighty-enable-mod.1 debian/lighty-enable-mod0000775000000000000000000001036012271762011012416 0ustar #!/usr/bin/perl -w # # Copyright (c) 2006 Krzysztof Krzyzaniak # # Contains changes from: # - Tobias Gruetzmacher # - Arno Toell # # You may distribute under the terms of either the GNU General Public # License[1] or the Artistic License[2]. 
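#
# [1] http://www.gnu.org/licenses/gpl.html
# [2] http://www.perl.com/pub/a/language/misc/Artistic.html
#

use strict;
use Term::ReadLine;
use File::Basename;
use File::Glob ':glob';
use File::stat;

#--- some initializations

my $confdir = "/etc/lighttpd/";
my %available = ();     # module name => path below conf-available/
my %enabled = ();       # module name => path below conf-enabled/
my @todo = ();          # module names still to be processed
my $enabling = 1;

#--- some defaults

use constant {
    EXIT_OK => 0,
    EXIT_FAILURE => 1,
    EXIT_NO_ACTION => 2
};

#--- first check if we enabling or disabling
if ($0 =~ /disable-mod$/) {
    #--- disabling mode
    $enabling = 0;
}

# Print $reason and leave with EXIT_FAILURE.
sub mydie {
    my $reason = shift;
    print($reason);
    exit(EXIT_FAILURE);
}

# Return the module names listed on the first "depends" magic line of
# $path, or an empty list when the file carries no such line.
sub read_depends {
    my $path = shift;
    my @depends = ();

    # Three-argument open with a lexical handle: the path is passed as
    # data and is never parsed for a mode or pipe character, and the
    # handle cannot leak into another iteration of the calling loop.
    open(my $fh, '<', $path) || mydie("can't read $path: $!");
    while (my $line = <$fh>) {
        if ($line =~ m/# -\*- depends: ([-\w, ]+) -\*-/) {
            @depends = split(/,\s+/, $1);
            # only the first magic line of a file is honoured
            last;
        }
    }
    close($fh);

    return @depends;
}

#--- list of available modules
my @files = bsd_glob($confdir.'conf-available/*.conf');
foreach my $file (@files) {
    # only names of the form NN-name.conf are treated as modules
    if (basename($file) =~ /^\d+\-([\w\-\.]+)\.conf$/) {
        $available{$1} = $file;
    }
}

#--- list of already enabled modules
@files = bsd_glob($confdir.'conf-enabled/*.conf');
foreach my $file (@files) {
    if (basename($file) =~ /^\d+\-([\w\-\.]+)\.conf$/) {
        $enabled{$1} = $file;
    }
}

unless (defined($ARGV[0])) {
    #--- interactive mode: show the current state and ask for modules
    print "Disabled modules: ";
    foreach (sort(keys %available)) {
        if (!defined($enabled{$_})) {
            print qq{$_ };
        }
    }
    print "\n";
    print "Enabled modules: ";
    foreach (sort(keys %enabled)) {
        print qq{$_ };
    }
    print "\n";

    my $prompt = $enabling ? 'Enable module: ' : 'Disable module: ';
    my $term = Term::ReadLine->new($prompt);
    my $var = $term->readline($prompt);
    # readline returns undef on end of input; treat that as "nothing chosen"
    $var = '' unless defined($var);
    @todo = split(/ /, lc($var));
}
else {
    @todo = @ARGV;
}

my $exit_status = EXIT_OK;

#--- activate (link) or deactivate (remove) module
# @todo grows while it is walked: dependencies (or reverse dependencies)
# found on the way are appended and handled by a later iteration.
foreach my $do (@todo) {
    # Every requested name must be a key of %available, i.e. it was found
    # by the glob above; nothing typed or passed in reaches a path unchecked.
    if (! exists($available{$do})) {
        print("Ignoring unknown module: $do\n");
        # a minor flaw must not hide an earlier fatal error
        $exit_status = EXIT_NO_ACTION if $exit_status != EXIT_FAILURE;
        next;
    }

    if ($enabling) {
        my $source = $available{$do};
        my $target = sprintf("%s/conf-enabled/%s", $confdir,basename($source));

        unless ( -f $target ) {
            # scan for a dependency line
            for my $module (read_depends($source)) {
                if (exists $available{$module} and ! exists $enabled{$module}) {
                    print("Met dependency: $module\n");
                    push(@todo, $module);
                }
                elsif (! exists $available{$module}) {
                    mydie("Unresolved dependency: $module\n");
                }
                # available and already enabled: nothing to do
            }

            if (symlink("../conf-available/" . basename($source), $target)) {
                print "Enabling $do: ok\n";
            }
            else {
                print "failure: $!\n";
                $exit_status = EXIT_FAILURE;
            }
        }
        else {
            print "already enabled\n";
            # Set the exit status only if no more severe problem
            # occurred so far
            $exit_status = EXIT_NO_ACTION if $exit_status != EXIT_FAILURE;
        }
    }
    else {
        if (defined($enabled{$do})) {
            print qq{Disabling $do\n};
            my $target = sprintf("%s/conf-enabled/%s", $confdir,basename($enabled{$do}));

            # scan for a reverse dependency line
            foreach my $available_module (keys %available) {
                next if $available_module eq $do;

                for my $module (read_depends($available{$available_module})) {
                    if ($module eq $do && exists $enabled{$available_module}) {
                        print("Reverse dependency met: Disabling $available_module too\n");
                        push(@todo, $available_module);
                    }
                }
            }

            # report a link that could not be removed instead of
            # claiming success
            unless (unlink($target)) {
                print "failure: $!\n";
                $exit_status = EXIT_FAILURE;
            }
        }
        else {
            print qq{Already disabled $do\n};
            $exit_status = EXIT_NO_ACTION if $exit_status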
!= EXIT_FAILURE; } } } print "Run /etc/init.d/lighttpd force-reload to enable changes\n"; exit($exit_status); debian/lighttpd.links0000664000000000000000000000065212271762011012053 0ustar usr/sbin/lighty-enable-mod usr/sbin/lighty-disable-mod usr/sbin/lighty-enable-mod usr/sbin/lighttpd-enable-mod usr/sbin/lighty-enable-mod usr/sbin/lighttpd-disable-mod usr/share/man/man1/lighty-enable-mod.1.gz usr/share/man/man1/lighty-disable-mod.1.gz usr/share/man/man1/lighty-enable-mod.1.gz usr/share/man/man1/lighttpd-disable-mod.1.gz usr/share/man/man1/lighty-enable-mod.1.gz usr/share/man/man1/lighttpd-enable-mod.1.gz debian/lighttpd-mod-mysql-vhost.install0000664000000000000000000000005712271762011015461 0ustar debian/tmp/usr/lib/lighttpd/mod_mysql_vhost.so debian/use-ipv6.pl0000775000000000000000000000036712271762011011213 0ustar #! /usr/bin/perl -w use Socket; use strict; my $sock; my $PORT = 80; $PORT = $ARGV[0] if $ARGV[0] and $ARGV[0] >= 0 and $ARGV[0] <= 65535; if (socket($sock, AF_INET6, SOCK_STREAM, 0)) { print qq/\$SERVER["socket"] == "[::]:$PORT" { }\n/; } debian/patches/0000775000000000000000000000000012271762011010616 5ustar debian/patches/series0000664000000000000000000000016412271762011012034 0ustar build-dev-package.patch cve-2013-4508.patch cve-2013-4559.patch cve-2013-4560.patch add-lighttpd.pc-configure.patch debian/patches/build-dev-package.patch0000664000000000000000000000446512271762011015114 0ustar --- lighttpd-1.4.33.orig/configure +++ lighttpd-1.4.33/configure 
@@ -16234,7 +16234,7 @@ cat >>confdefs.h <<_ACEOF _ACEOF -ac_config_files="$ac_config_files Makefile src/Makefile doc/config/conf.d/Makefile doc/config/vhosts.d/Makefile doc/config/Makefile doc/scripts/Makefile doc/initscripts/Makefile doc/systemd/Makefile doc/outdated/Makefile doc/Makefile tests/Makefile tests/docroot/Makefile tests/docroot/123/Makefile tests/docroot/www/Makefile tests/docroot/www/go/Makefile tests/docroot/www/indexfile/Makefile tests/docroot/www/expire/Makefile distribute.sh" +ac_config_files="$ac_config_files Makefile src/Makefile doc/config/conf.d/Makefile doc/config/vhosts.d/Makefile doc/config/Makefile doc/scripts/Makefile doc/initscripts/Makefile doc/systemd/Makefile doc/outdated/Makefile doc/Makefile tests/Makefile tests/docroot/Makefile tests/docroot/123/Makefile tests/docroot/www/Makefile tests/docroot/www/go/Makefile tests/docroot/www/indexfile/Makefile tests/docroot/www/expire/Makefile lighttpd.pc distribute.sh" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -17261,6 +17261,7 @@ do "tests/docroot/www/go/Makefile") CONFIG_FILES="$CONFIG_FILES tests/docroot/www/go/Makefile" ;; "tests/docroot/www/indexfile/Makefile") CONFIG_FILES="$CONFIG_FILES tests/docroot/www/indexfile/Makefile" ;; "tests/docroot/www/expire/Makefile") CONFIG_FILES="$CONFIG_FILES tests/docroot/www/expire/Makefile" ;; + "lighttpd.pc") CONFIG_FILES="$CONFIG_FILES lighttpd.pc" ;; "distribute.sh") CONFIG_FILES="$CONFIG_FILES distribute.sh" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; --- /dev/null +++ lighttpd-1.4.33/lighttpd.pc.in @@ -0,0 +1,14 @@ +# lighttpd pkg-config file + +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +includedir=@includedir@ + +Name: lighttpd +Description: lighttpd +Version: @VERSION@ +Requires: +Conflicts: +Libs: +Cflags: -I${includedir} -DHAVE_CONFIG_H @CPPFLAGS@ --- lighttpd-1.4.33.orig/Makefile.am +++ lighttpd-1.4.33/Makefile.am 
@@ -5,5 +5,8 @@ EXTRA_DIST=autogen.sh SConstruct ACLOCAL_AMFLAGS = -I m4 distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';' AM_DISTCHECK_CONFIGURE_FLAGS=--with-openssl + +pkgconfigdir = $(libdir)/pkgconfig +pkgconfig_DATA = lighttpd.pc debian/patches/cve-2013-4560.patch0000664000000000000000000000113012271762011013366 0ustar origin: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt commit bbbe8878144ab178c6ec37e9aeb99640cc8b6672 Author: Stefan Bühler Date: Tue Nov 12 12:37:03 2013 +0100 [stat-cache] FAM: fix use after free diff --git a/src/stat_cache.c b/src/stat_cache.c index e995f3b..924f4dc 100644 --- a/src/stat_cache.c +++ b/src/stat_cache.c @@ -648,6 +648,7 @@ handler_t stat_cache_get_entry(server *srv, connection *con, buffer *name, stat_ FamErrlist[FAMErrno]); fam_dir_entry_free(fam_dir); + fam_dir = NULL; } else { int osize = 0; debian/patches/cve-2013-4559.patch0000664000000000000000000000252412271762011013406 0ustar origin: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt commit d22f4164a9e26c252e1874a29ba658eec85a3ddc Author: Stefan Bühler Date: Sun Nov 10 19:00:08 2013 +0100 [core] check success of setuid,setgid,setgroups Index: lighttpd-1.4.33/src/server.c =================================================================== --- lighttpd-1.4.33.orig/src/server.c 2013-11-13 02:36:01.510535924 +0000 +++ lighttpd-1.4.33/src/server.c 2013-11-13 02:36:01.510535924 +0000 @@ -820,8 +820,14 @@ * to /etc/group * */ if (NULL != grp) { - setgid(grp->gr_gid); - setgroups(0, NULL); + if (-1 == setgid(grp->gr_gid)) { + log_error_write(srv, __FILE__, __LINE__, "ss", "setgid failed: ", strerror(errno)); + return -1; + } + if (-1 == setgroups(0, NULL)) { + log_error_write(srv, __FILE__, __LINE__, "ss", "setgroups failed: ", strerror(errno)); + return -1; + } if (srv->srvconf.username->used) { initgroups(srv->srvconf.username->ptr, grp->gr_gid); } 
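Review bot: The `initgroups()` call kept as context at the end of the first server.c hunk still has its return value ignored, although it is part of the same privilege-drop sequence whose other three calls this change now checks. It should get the same treatment: `if (-1 == initgroups(srv->srvconf.username->ptr, grp->gr_gid))` followed by the matching `log_error_write(...)` with "initgroups failed: " and `return -1;`. Since `setgroups(0, NULL)` has just cleared the supplementary groups, a silent failure here would presumably leave the server running without the group memberships the administrator configured. The enclosing function starts and ends outside the hunk.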
@@ -844,7 +850,10 @@ #ifdef HAVE_PWD_H /* drop root privs */ if (NULL != pwd) { - setuid(pwd->pw_uid); + if (-1 == setuid(pwd->pw_uid)) { + log_error_write(srv, __FILE__, __LINE__, "ss", "setuid failed: ", strerror(errno)); + return -1; + } } #endif #if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE) debian/patches/add-lighttpd.pc-configure.patch0000664000000000000000000000076712271762011016576 0ustar Description: Add lighttpd.pc to ac_config_files to make sure its being built correctly. Author: Andreas Moog Bug-Debian: http://bugs.debian.org/726934 --- lighttpd-1.4.33.orig/configure.ac +++ lighttpd-1.4.33/configure.ac @@ -648,7 +648,8 @@ AC_CONFIG_FILES([Makefile src/Makefile tests/docroot/www/go/Makefile \ tests/docroot/www/indexfile/Makefile \ tests/docroot/www/expire/Makefile \ - distribute.sh]) + distribute.sh \ + lighttpd.pc]) AC_OUTPUT debian/patches/cve-2013-4508.patch0000664000000000000000000003276612271762011013413 0ustar origin: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt commit 0fee8a0d90ffa6c5bde25d769cc578d72e4972ca Author: Stefan Bühler Date: Wed Nov 13 18:29:09 2013 +0100 [ssl] fix SNI handling; only use key+cert+verify-client from SNI specific config (fixes #2525, CVE-2013-4508) pull all ssl.ca-file values into all SSL_CTXs, but use only the local ssl.ca-file for verify-client; correct SNI name is no requirement, so enforcing verification for a subset of SNI names doesn't actually protect those. Also session resumption can circumvent the verify-client enforce, if it isn't enforced in the default context. Index: lighttpd-1.4.33/src/base.h =================================================================== --- lighttpd-1.4.33.orig/src/base.h 2013-11-16 22:28:28.623997390 +0000 +++ lighttpd-1.4.33/src/base.h 2013-11-16 22:28:28.623997390 +0000 
@@ -320,7 +320,11 @@ off_t *global_bytes_per_second_cnt_ptr; /* */ #ifdef USE_OPENSSL - SSL_CTX *ssl_ctx; + SSL_CTX *ssl_ctx; /* not patched */ + /* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */ + EVP_PKEY *ssl_pemfile_pkey; + X509 *ssl_pemfile_x509; + STACK_OF(X509_NAME) *ssl_ca_file_cert_names; #endif } specific_config; Index: lighttpd-1.4.33/src/configfile.c =================================================================== --- lighttpd-1.4.33.orig/src/configfile.c 2013-11-16 22:28:28.623997390 +0000 +++ lighttpd-1.4.33/src/configfile.c 2013-11-16 22:28:28.623997390 +0000 @@ -339,9 +339,13 @@ PATCH(ssl_pemfile); #ifdef USE_OPENSSL - PATCH(ssl_ctx); + PATCH(ssl_pemfile_x509); + PATCH(ssl_pemfile_pkey); #endif PATCH(ssl_ca_file); +#ifdef USE_OPENSSL + PATCH(ssl_ca_file_cert_names); +#endif PATCH(ssl_cipher_list); PATCH(ssl_dh_file); PATCH(ssl_ec_curve); @@ -409,10 +413,14 @@ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) { PATCH(ssl_pemfile); #ifdef USE_OPENSSL - PATCH(ssl_ctx); + PATCH(ssl_pemfile_x509); + PATCH(ssl_pemfile_pkey); #endif } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) { PATCH(ssl_ca_file); +#ifdef USE_OPENSSL + PATCH(ssl_ca_file_cert_names); +#endif } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) { PATCH(ssl_honor_cipher_order); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.empty-fragments"))) { Index: lighttpd-1.4.33/src/network.c =================================================================== --- lighttpd-1.4.33.orig/src/network.c 2013-11-16 22:28:28.623997390 +0000 +++ lighttpd-1.4.33/src/network.c 2013-11-16 22:28:28.623997390 +0000 
@@ -112,20 +112,46 @@ config_patch_connection(srv, con, COMP_HTTP_SCHEME); config_patch_connection(srv, con, COMP_HTTP_HOST); - if (NULL == con->conf.ssl_ctx) { - /* ssl_ctx <=> pemfile was set <=> ssl_ctx got patched: so this should never happen */ + if (NULL == con->conf.ssl_pemfile_x509 || NULL == con->conf.ssl_pemfile_pkey) { + /* x509/pkey available <=> pemfile was set <=> pemfile got patched: so this should never happen, unless you nest $SERVER["socket"] */ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", - "null SSL_CTX for TLS server name", con->tlsext_server_name); + "no certificate/private key for TLS server name", con->tlsext_server_name); return SSL_TLSEXT_ERR_ALERT_FATAL; } - /* switch to new SSL_CTX in reaction to a client's server_name extension */ - if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) { - log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", - "failed to set SSL_CTX for TLS server name", con->tlsext_server_name); + /* first set certificate! 
setting private key checks whether certificate matches it */ + if (!SSL_use_certificate(ssl, con->conf.ssl_pemfile_x509)) { + log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:", + "failed to set certificate for TLS server name", con->tlsext_server_name, + ERR_error_string(ERR_get_error(), NULL)); + return SSL_TLSEXT_ERR_ALERT_FATAL; + } + + if (!SSL_use_PrivateKey(ssl, con->conf.ssl_pemfile_pkey)) { + log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:", + "failed to set private key for TLS server name", con->tlsext_server_name, + ERR_error_string(ERR_get_error(), NULL)); return SSL_TLSEXT_ERR_ALERT_FATAL; } + if (con->conf.ssl_verifyclient) { + if (NULL == con->conf.ssl_ca_file_cert_names) { + log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:", + "can't verify client without ssl.ca-file for TLS server name", con->tlsext_server_name, + ERR_error_string(ERR_get_error(), NULL)); + return SSL_TLSEXT_ERR_ALERT_FATAL; + } + + SSL_set_client_CA_list(ssl, SSL_dup_CA_list(con->conf.ssl_ca_file_cert_names)); + /* forcing verification here is really not that useful - a client could just connect without SNI */ + SSL_set_verify( + ssl, + SSL_VERIFY_PEER | (con->conf.ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), + NULL + ); + SSL_set_verify_depth(ssl, con->conf.ssl_verifyclient_depth); + } + return SSL_TLSEXT_ERR_OK; } #endif 
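Review bot: The per-host restriction added in the SNI callback is weaker than the code reads, and the call to `SSL_set_client_CA_list()` deserves a comment saying so. That call only sets the CA names advertised to the client in the certificate request. Chain validation uses the context's verify store, which the later network_init hunk fills with every `ssl.ca-file` found in the configuration. A client certificate issued by a CA configured for a different host would therefore presumably still verify for this server name. I would add `/* advertises CA names only; the verify store holds all configured ssl.ca-file CAs */` above the call and state in the ssl documentation that restricting a host to one CA needs an issuer check on the verified certificate. The result of `SSL_dup_CA_list()` is also passed on unchecked.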
@@ -492,9 +518,100 @@ NETWORK_BACKEND_SOLARIS_SENDFILEV } network_backend_t; +#ifdef USE_OPENSSL +static X509* x509_load_pem_file(server *srv, const char *file) { + BIO *in; + X509 *x = NULL; + + in = BIO_new(BIO_s_file()); + if (NULL == in) { + log_error_write(srv, __FILE__, __LINE__, "S", "SSL: BIO_new(BIO_s_file()) failed"); + goto error; + } + + if (BIO_read_filename(in,file) <= 0) { + log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed"); + goto error; + } + x = PEM_read_bio_X509(in, NULL, NULL, NULL); + + if (NULL == x) { + log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read X509 certificate from '", file,"'"); + goto error; + } + + BIO_free(in); + return x; + +error: + if (NULL != x) X509_free(x); + if (NULL != in) BIO_free(in); + return NULL; +} + +static EVP_PKEY* evp_pkey_load_pem_file(server *srv, const char *file) { + BIO *in; + EVP_PKEY *x = NULL; + + in=BIO_new(BIO_s_file()); + if (NULL == in) { + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BIO_new(BIO_s_file()) failed"); + goto error; + } + + if (BIO_read_filename(in,file) <= 0) { + log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed"); + goto error; + } + x = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL); + + if (NULL == x) { + log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read private key from '", file,"'"); + goto error; + } + + BIO_free(in); + return x; + +error: + if (NULL != x) EVP_PKEY_free(x); + if (NULL != in) BIO_free(in); + return NULL; +} + +static int network_openssl_load_pemfile(server *srv, size_t ndx) { + specific_config *s = srv->config_storage[ndx]; + +#ifdef OPENSSL_NO_TLSEXT + { + data_config *dc = (data_config *)srv->config_context->data[i]; + if ((ndx > 0 && (COMP_SERVER_SOCKET != dc->comp || dc->cond != CONFIG_COND_EQ)) + || !s->ssl_enabled) { + log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", + "ssl.pemfile only works in SSL socket binding context as 
openssl version does not support TLS extensions"); + return -1; + } + } +#endif + + if (NULL == (s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1; + if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1; + + if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) { + log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", + "Private key does not match the certificate public key, reason:", + ERR_error_string(ERR_get_error(), NULL), + s->ssl_pemfile); + return -1; + } + + return 0; +} +#endif + int network_init(server *srv) { buffer *b; - size_t i; + size_t i, j; network_backend_t backend; #if OPENSSL_VERSION_NUMBER >= 0x0090800fL @@ -581,18 +698,7 @@ long ssloptions = SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION; - if (buffer_is_empty(s->ssl_pemfile)) continue; - -#ifdef OPENSSL_NO_TLSEXT - { - data_config *dc = (data_config *)srv->config_context->data[i]; - if (COMP_HTTP_HOST == dc->comp) { - log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", - "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions"); - return -1; - } - } -#endif + if (buffer_is_empty(s->ssl_pemfile) && buffer_is_empty(s->ssl_ca_file)) continue; if (srv->ssl_is_init == 0) { SSL_load_error_strings(); 
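Review bot: In the new `network_openssl_load_pemfile(server *srv, size_t ndx)` the `#ifdef OPENSSL_NO_TLSEXT` block indexes `srv->config_context->data[i]`, but no `i` is declared in this function; the parameter is `ndx`. Builds against an OpenSSL without TLS extensions would fail to compile here, so the restriction that block is meant to enforce is never exercised on exactly the platforms that need it. The line should read `data_config *dc = (data_config *)srv->config_context->data[ndx];`. The function is also never called on any line visible in this hunk, which suggests the path is untested.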
@@ -607,12 +713,43 @@ } } + if (!buffer_is_empty(s->ssl_pemfile)) { +#ifdef OPENSSL_NO_TLSEXT + data_config *dc = (data_config *)srv->config_context->data[i]; + if (COMP_HTTP_HOST == dc->comp) { + log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", + "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions"); + return -1; + } +#endif + if (network_openssl_load_pemfile(srv, i)) return -1; + } + + + if (!buffer_is_empty(s->ssl_ca_file)) { + s->ssl_ca_file_cert_names = SSL_load_client_CA_file(s->ssl_ca_file->ptr); + if (NULL == s->ssl_ca_file_cert_names) { + log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", + ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file); + } + } + + if (buffer_is_empty(s->ssl_pemfile) || !s->ssl_enabled) continue; + if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) { log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ERR_error_string(ERR_get_error(), NULL)); return -1; } + /* completely useless identifier; required for client cert verification to work with sessions */ + if (0 == SSL_CTX_set_session_id_context(s->ssl_ctx, (const unsigned char*) CONST_STR_LEN("lighttpd"))) { + log_error_write(srv, __FILE__, __LINE__, "ss:s", "SSL:", + "failed to set session context", + ERR_error_string(ERR_get_error(), NULL)); + return -1; + } + if (s->ssl_empty_fragments) { #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; 
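Review bot: A failed `SSL_load_client_CA_file()` in the new `ssl.ca-file` branch is only logged, and startup continues with `ssl_ca_file_cert_names` left NULL. For socket contexts the later `ssl_verifyclient` check catches this, but conditional blocks that take the `continue` on `buffer_is_empty(s->ssl_pemfile) || !s->ssl_enabled` never reach it. For those blocks an unreadable or mistyped CA file would surface only as a fatal alert in the SNI callback at handshake time. Failing at startup is easier to detect and operate: add `return -1;` after the `log_error_write(...)` inside `if (NULL == s->ssl_ca_file_cert_names) {`. network_init begins and ends outside this hunk.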
@@ -722,45 +859,42 @@ #endif #endif - if (!buffer_is_empty(s->ssl_ca_file)) { - if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) { - log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", - ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file); - return -1; - } - if (s->ssl_verifyclient) { - STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr); - if (!certs) { + /* load all ssl.ca-files specified in the config into each SSL_CTX to be prepared for SNI */ + for (j = 0; j < srv->config_context->used; j++) { + specific_config *s1 = srv->config_storage[j]; + + if (!buffer_is_empty(s1->ssl_ca_file)) { + if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s1->ssl_ca_file->ptr, NULL)) { log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", - ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file); - } - if (SSL_CTX_set_session_id_context(s->ssl_ctx, (void*) &srv, sizeof(srv)) != 1) { - log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", - ERR_error_string(ERR_get_error(), NULL)); + ERR_error_string(ERR_get_error(), NULL), s1->ssl_ca_file); return -1; } - SSL_CTX_set_client_CA_list(s->ssl_ctx, certs); - SSL_CTX_set_verify( - s->ssl_ctx, - SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), - NULL + } + } + + if (s->ssl_verifyclient) { + if (NULL == s->ssl_ca_file_cert_names) { + log_error_write(srv, __FILE__, __LINE__, "s", + "SSL: You specified ssl.verifyclient.activate but no ca_file" ); - SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth); + return -1; } - } else if (s->ssl_verifyclient) { - log_error_write( - srv, __FILE__, __LINE__, "s", - "SSL: You specified ssl.verifyclient.activate but no ca_file" + SSL_CTX_set_client_CA_list(s->ssl_ctx, SSL_dup_CA_list(s->ssl_ca_file_cert_names)); + SSL_CTX_set_verify( + s->ssl_ctx, + SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? 
SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), + NULL ); + SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth); } - if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { + if (SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509) < 0) { log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); return -1; } - if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) { + if (SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey) < 0) { log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); return -1; @@ -857,7 +991,6 @@ for (i = 1; i < srv->config_context->used; i++) { data_config *dc = (data_config *)srv->config_context->data[i]; specific_config *s = srv->config_storage[i]; - size_t j; /* not our stage */ if (COMP_SERVER_SOCKET != dc->comp) continue; Index: lighttpd-1.4.33/src/server.c =================================================================== --- lighttpd-1.4.33.orig/src/server.c 2013-11-16 22:28:28.623997390 +0000 +++ lighttpd-1.4.33/src/server.c 2013-11-16 22:28:28.623997390 +0000 
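Review bot: The rewritten certificate and key setup at the end of the `-722,45 +859,42` hunk keeps the `< 0` comparison, which can never detect a failure. `SSL_CTX_use_certificate()` and `SSL_CTX_use_PrivateKey()` return 1 on success and 0 on failure, so both error branches are dead code. Use the form the same hunk already applies to `SSL_CTX_load_verify_locations()`: `if (1 != SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509)) {` and `if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) {`. Whether a later `SSL_CTX_check_private_key()` call would catch a mismatch is not visible, because the function continues outside the hunk.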
@@ -314,6 +314,9 @@ buffer_free(s->ssl_verifyclient_username); #ifdef USE_OPENSSL SSL_CTX_free(s->ssl_ctx); + EVP_PKEY_free(s->ssl_pemfile_pkey); + X509_free(s->ssl_pemfile_x509); + if (NULL != s->ssl_ca_file_cert_names) sk_X509_NAME_pop_free(s->ssl_ca_file_cert_names, X509_NAME_free); #endif free(s); } debian/lighttpd-mod-magnet.install0000664000000000000000000000015412271762011014424 0ustar debian/tmp/usr/lib/lighttpd/mod_magnet.so debian/conf-available2/10-magnet.conf etc/lighttpd/conf-available debian/lighttpd.cron.daily0000664000000000000000000000052212271762011012771 0ustar #!/bin/sh # Cleanup lighttpd compress cache cache=/var/cache/lighttpd if test -d "$cache/compress"; then su -s /bin/sh -c "find $cache/compress -type f -atime +30 -print0 | xargs -0 -r rm" www-data fi if test -d "$cache/uploads"; then su -s /bin/sh -c "find $cache/uploads -type f -atime +1 -print0 | xargs -0 -r rm" www-data fi debian/conf-available/0000775000000000000000000000000012271762011012032 5ustar debian/conf-available/10-flv-streaming.conf0000664000000000000000000000005212271762011015672 0ustar server.modules += ( "mod_flv_streaming" ) debian/conf-available/10-status.conf0000664000000000000000000000071412271762011014444 0ustar # /usr/share/doc/lighttpd/status.txt # http://trac.lighttpd.net/trac/wiki/Docs%3AModStatus server.modules += ( "mod_status" ) # status.status-url = "/server-status" # status.config-url = "/server-config" ## relative URL for a plain-text page containing the internal statistics # status.statistics-url = "/server-statistics" ## add JavaScript which allows client-side sorting for the connection overview ## default: enable # status.enable-sort = "disable" debian/conf-available/10-rrdtool.conf0000664000000000000000000000037512271762011014611 0ustar # /usr/share/doc/lighttpd/rrdtool.txt server.modules += ( "mod_rrdtool" ) ## path to the rrdtool binary rrdtool.binary = "/usr/bin/rrdtool" ## file to store the rrd database, will be created by lighttpd rrdtool.db-name = 
"/var/www/lighttpd.rrd" debian/conf-available/10-evhost.conf0000664000000000000000000000020012271762011014417 0ustar # http://redmine.lighttpd.net/wiki/1/Docs:ModEVhost server.modules += ( "mod_evhost" ) evhost.path-pattern = "/srv/%_/htdocs" debian/conf-available/10-ssi.conf0000664000000000000000000000014312271762011013713 0ustar # /usr/share/doc/lighttpd/ssi.txt server.modules += ( "mod_ssi" ) ssi.extension = ( ".shtml" ) debian/conf-available/05-auth.conf0000664000000000000000000000150712271762011014067 0ustar # /usr/share/doc/lighttpd/authentication.txt.gz server.modules += ( "mod_auth" ) # auth.backend = "plain" # auth.backend.plain.userfile = "lighttpd.user" # auth.backend.plain.groupfile = "lighttpd.group" # auth.backend.ldap.hostname = "localhost" # auth.backend.ldap.base-dn = "dc=my-domain,dc=com" # auth.backend.ldap.filter = "(uid=$)" # auth.require = ( "/server-status" => # ( # "method" => "digest", # "realm" => "download archiv", # "require" => "group=www|user=jan|host=192.168.2.10" # ), # "/server-info" => # ( # "method" => "digest", # "realm" => "download archiv", # "require" => "group=www|user=jan|host=192.168.2.10" # ) # ) debian/conf-available/11-extforward.conf0000664000000000000000000000025012271762011015302 0ustar # -*- depends: accesslog -*- server.modules += ( "mod_extforward" ) # extforward.headers = ("X-Cluster-Client-Ip") # extforward.forwarder = ("10.0.0.232" => "trust") debian/conf-available/10-dir-listing.conf0000664000000000000000000000007712271762011015350 0ustar dir-listing.encoding = "utf-8" server.dir-listing = "enable" debian/conf-available/10-ssl.conf0000664000000000000000000000041512271762011013720 0ustar # /usr/share/doc/lighttpd/ssl.txt $SERVER["socket"] == "0.0.0.0:443" { ssl.engine = "enable" ssl.pemfile = "/etc/lighttpd/server.pem" ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" ssl.honor-cipher-order = "enable" } 
debian/conf-available/10-expire.conf0000664000000000000000000000015012271762011014407 0ustar # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModExpire server.modules += ( "mod_expire" ) debian/conf-available/10-cgi.conf0000664000000000000000000000052712271762011013665 0ustar # /usr/share/doc/lighttpd/cgi.txt server.modules += ( "mod_cgi" ) $HTTP["url"] =~ "^/cgi-bin/" { cgi.assign = ( "" => "" ) } ## Warning this represents a security risk, as it allow to execute any file ## with a .pl/.py even outside of /usr/lib/cgi-bin. # #cgi.assign = ( # ".pl" => "/usr/bin/perl", # ".py" => "/usr/bin/python", #) debian/conf-available/README0000664000000000000000000000151312271762011012712 0ustar ligghttpd Configuration under Debian GNU/Linux ============================================== Files and Directories in /etc/lighttpd: --------------------------------------- lighttpd.conf: main configuration file conf-available/ This directory contains a series of .conf files. These files contain configuration directives necessary to load and run webserver modules. If you want to create your own files they names should be build as nn-name.conf where "nn" is two digit number (number is used to find order for loading files) conf-enabled/ To actually enable a module for lighttpd, it is necessary to create a symlink in this directory to the .conf file in conf-available/. Enabling and disabling modules could be done by provided /usr/sbin/lighty-enable-mod and /usr/sbin/lighty-disable-mod scripts. 
debian/conf-available/10-fastcgi.conf0000664000000000000000000000026112271762011014536 0ustar # /usr/share/doc/lighttpd/fastcgi.txt.gz # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi server.modules += ( "mod_fastcgi" ) debian/conf-available/10-usertrack.conf0000664000000000000000000000004612271762011015122 0ustar server.modules += ( "mod_usertrack" ) debian/conf-available/10-accesslog.conf0000664000000000000000000000013312271762011015057 0ustar server.modules += ( "mod_accesslog" ) accesslog.filename = "/var/log/lighttpd/access.log" debian/conf-available/10-no-www.conf0000664000000000000000000000012212271762011014350 0ustar $HTTP["host"] =~ "^www\.(.*)" { url.redirect = ( "^/(.*)" => "http://%1/$1" ) } debian/conf-available/10-userdir.conf0000664000000000000000000000070212271762011014573 0ustar ## The userdir module provides a simple way to link user-based directories into ## the global namespace of the webserver. ## # /usr/share/doc/lighttpd/userdir.txt server.modules += ( "mod_userdir" ) ## the subdirectory of a user's home dir which should be accessible ## under http://$host/~$user userdir.path = "public_html" ## The users whose home directories should not be accessible userdir.exclude-user = ( "root", "postmaster" ) debian/conf-available/10-proxy.conf0000664000000000000000000000152112271762011014277 0ustar # /usr/share/doc/lighttpd/proxy.txt server.modules += ( "mod_proxy" ) ## Balance algorithm, possible values are: "hash", "round-robin" or "fair" (default) # proxy.balance = "hash" ## Redirect all queries to files ending with ".php" to 192.168.0.101:80 #proxy.server = ( ".php" => # ( # ( "host" => "192.168.0.101", # "port" => 80 # ) # ) # ) ## Redirect all connections on www.example.com to 10.0.0.1{0,1,2,3} #$HTTP["host"] == "www.example.com" { # proxy.balance = "hash" # proxy.server = ( "" => ( ( "host" => "10.0.0.10" ), # ( "host" => "10.0.0.11" ), # ( "host" => "10.0.0.12" ), # ( "host" => "10.0.0.13" ) ) ) 
#} debian/conf-available/90-debian-doc.conf0000664000000000000000000000077412271762011015124 0ustar #### handle Debian Policy Manual, Section 11.5. urls ## by default allow them only from localhost $HTTP["remoteip"] =~ "^127\.0\.0\.1$|^::1$" { alias.url += ( "/cgi-bin/" => "/usr/lib/cgi-bin/", "/doc/" => "/usr/share/doc/", "/images/" => "/usr/share/images/" ) $HTTP["url"] =~ "^/doc/|^/images/" { dir-listing.activate = "enable" } $HTTP["url"] =~ "^/cgi-bin/" { cgi.assign = ( "" => "" ) } } debian/conf-available/10-simple-vhost.conf0000664000000000000000000000061612271762011015554 0ustar # /usr/share/doc/lighttpd/simple-vhost.txt server.modules += ( "mod_simple_vhost" ) ## The document root of a virtual host is document-root = ## simple-vhost.server-root + $HTTP["host"] + simple-vhost.document-root simple-vhost.server-root = "/srv" simple-vhost.document-root = "htdocs" ## the default host if no host is sent simple-vhost.default-host = "www.example.com" debian/conf-available/10-evasive.conf0000664000000000000000000000004412271762011014557 0ustar server.modules += ( "mod_evasive" ) debian/conf-available/15-fastcgi-php.conf0000664000000000000000000000107712271762011015336 0ustar # -*- depends: fastcgi -*- # /usr/share/doc/lighttpd/fastcgi.txt.gz # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi ## Start an FastCGI server for php (needs the php5-cgi package) fastcgi.server += ( ".php" => (( "bin-path" => "/usr/bin/php-cgi", "socket" => "/var/run/lighttpd/php.socket", "max-procs" => 1, "bin-environment" => ( "PHP_FCGI_CHILDREN" => "4", "PHP_FCGI_MAX_REQUESTS" => "10000" ), "bin-copy-environment" => ( "PATH", "SHELL", "USER" ), "broken-scriptfilename" => "enable" )) ) debian/lighttpd-mod-cml.install0000664000000000000000000000014612271762011013725 0ustar debian/tmp/usr/lib/lighttpd/mod_cml.so debian/conf-available2/10-cml.conf etc/lighttpd/conf-available 
debian/lighty-enable-mod.10000664000000000000000000000447012271762011012557 0ustar .TH LIGHTYENABLEMOD 1 2006-01-11 .SH NAME lighty-enable-mod, lighty-disable-mod \- enable or disable configuration in lighttpd server .SH SYNOPSIS lighty-enable-mod [module] .br lighty-disable-mod [module] .SH DESCRIPTION This manual page documents briefly the lighty-enable-mod and lighty-disable-mod commands. lighty-enable-mod and lighty-disable-mod are programs that enable (and respectively disable) the specified configuration file within lighttpd configuration. Both programs can be run interactively or from command line. If either program is called without any arguments, an input prompt is displayed to the user, where he might choose among available .I "lighttpd" modules. Immediate action is taken, if a module name was given on the command line. .SS EXIT STATUS Both programs indicate failure in their exit status. lighty-enable-mod or lighty-disable-mod respectively may leave execution with one of the following exit codes: .br .TP 5 .B "0" denotes success .TP 5 .B "1" denotes a fatal error (e.g., a module could not be enabled, or a dependency was not found) .TP 5 .B "2" denotes a minor flaw (e.g., a module was not enabled because it was already loaded before) .TP 0 .B Note You can (un-) load several modules at time. The exit status will only reflect the most serious issue (where a minor flaw beats no error, but a fatal error beats a minor flaw). This means, if a minor flaw was encountered as well as a fatal error, the program will leave with exit status 1 and stop immediately. .SH DEPENDENCIES Debian allows .I "lighttpd" modules to formulate dependencies to other modules they depend on. Configuration files are scanned for dependencies upon load or unload of modules, not at runtime of the web server. Such a magic line has the following format: .nf # -*- depends: module[, module] -*- .fi and may appear anywhere in the file. 
If such a line is found, the extracted name is interpreted as dependency to another .I "lighttpd" module. lighty-enable-mod will seek available configurations to satisfy this dependency and will recursively enable all dependencies found on its way. lighty-disable-mod will disable reverse dependencies recursively. .SH SEE ALSO lighttpd(1) .SH AUTHOR Program and man pages were originally written by Krzysztof Krzyżaniak and later modified by Arno Töll debian/control0000664000000000000000000001027712271762011010601 0ustar Source: lighttpd Section: httpd Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian lighttpd maintainers Uploaders: Krzysztof Krzyżaniak (eloy) , Olaf van der Spek , Arno Töll Homepage: http://lighttpd.net/ Build-Depends: debhelper (>= 9), mime-support, libssl-dev, zlib1g-dev, libbz2-dev, libattr1-dev, libpcre3-dev, libmysqlclient-dev, libgamin-dev, libldap2-dev, libfcgi-dev, libgdbm-dev, libmemcache-dev, liblua5.1-0-dev, pkg-config, uuid-dev, libsqlite3-dev, libxml2-dev, libkrb5-dev, perl, dpkg-dev (>= 1.16.1~), autotools-dev, dh-systemd (>= 1.3), automake (>= 1.14), libtool, dh-autoreconf Vcs-Git: git://git.debian.org/git/pkg-lighttpd/lighttpd.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-lighttpd/lighttpd.git Standards-Version: 3.9.4 Package: lighttpd Architecture: any # Omitting this triggers a Lintian error # That's a false positive these days Pre-Depends: ${misc:Pre-Depends} Depends: ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends}, lsb-base (>= 3.2-14) | systemd (>= 29.1), mime-support, libterm-readline-perl-perl Provides: httpd, httpd-cgi Suggests: openssl, rrdtool, apache2-utils, ufw Recommends: spawn-fcgi Description: fast webserver with minimal memory footprint lighttpd is a small webserver and fast webserver developed with security in mind and a lot of features. 
It has support for * CGI, FastCGI and SSI * virtual hosts * URL rewriting * authentication (plain files, htpasswd, LDAP) * transparent content compression * conditional configuration * HTTP proxying and configuration is straight-forward and easy. Package: lighttpd-doc Architecture: all Section: doc Depends: ${misc:Depends} Suggests: lighttpd Description: documentation for lighttpd This package contains all documentation files for lighttpd. Package: lighttpd-mod-mysql-vhost Architecture: any Depends: lighttpd (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Description: MySQL-based virtual host configuration for lighttpd This package contains the myqsl_vhost module for lighttpd. With this module, it is possible to write the configuration for virtual hosts into a MySQL table instead of including it in the lighttpd configuration file. Package: lighttpd-mod-trigger-b4-dl Architecture: any Depends: lighttpd (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Replaces: lighttpd (<< 1.4.10-5) Recommends: memcached Description: anti-deep-linking module for lighttpd The trigger-b4-dl module for lighttpd can prevent deep linking from other sites by requiring users to visit a trigger URL to be able to download certain files. Package: lighttpd-mod-cml Architecture: any Depends: lighttpd (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Recommends: memcached Description: cache meta language module for lighttpd With the cache meta language, it is possible to describe to the dependencies of a cached file to its source files/scripts. For the cache files, the scripting language LUA is used. . THIS MODULE IS OBSOLETED AND WILL BE REMOVED IN LIGHTTPD 2.0. USE mod_magnet INSTEAD. Package: lighttpd-mod-magnet Architecture: any Depends: lighttpd (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Description: control the request handling module for lighttpd mod_magnet can attract a request in several stages in the request-handling. 
either at the same level as mod_rewrite, before any parsing of the URL is done or at a later stage, when the doc-root is known and the physical-path is already setup Package: lighttpd-mod-webdav Architecture: any Depends: lighttpd (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Description: WebDAV module for lighttpd The WebDAV module is a very minimalistic implementation of RFC 2518. Minimalistic means that not all operations are implemented yet. . Currently supports: GET POST HEAD PROPFIND OPTIONS MKCOL DELETE PUT Package: lighttpd-dev Architecture: any Suggests: lighttpd Depends: ${shlibs:Depends}, ${misc:Depends} Description: Development files for lighttpd This package contains the development header-files for lighttpd. debian/lighttpd-mod-trigger-b4-dl.install0000664000000000000000000000017212271762011015514 0ustar debian/tmp/usr/lib/lighttpd/mod_trigger_b4_dl.so debian/conf-available2/10-trigger-b4-dl.conf etc/lighttpd/conf-available debian/source/0000775000000000000000000000000012271762011010467 5ustar debian/source/options0000664000000000000000000000010312271762011012077 0ustar --extend-diff-ignore='src/mod_ssi_exprparser.c|src/configparser.c' debian/source/format0000664000000000000000000000001412271762011011675 0ustar 3.0 (quilt) debian/lighttpd.logrotate0000664000000000000000000000064312271762011012733 0ustar /var/log/lighttpd/*.log { weekly missingok rotate 12 compress delaycompress notifempty sharedscripts postrotate if [ -x /usr/sbin/invoke-rc.d ]; then \ invoke-rc.d lighttpd reopen-logs > /dev/null 2>&1; \ else \ /etc/init.d/lighttpd reopen-logs > /dev/null 2>&1; \ fi; \ endscript } debian/lighttpd.tmpfile.conf0000664000000000000000000000005512271762011013314 0ustar d /var/run/lighttpd 0750 www-data www-data - debian/NEWS0000664000000000000000000000371412271762011007673 0ustar lighttpd (1.4.31-4) unstable; urgency=high The default Debian configuration file for PHP invoked from FastCGI was vulnerable to local symlink attacks and race 
conditions when an attacker manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3) before the web server started. Possibly the web server could have been tricked into using a forged PHP. The problem lies in the configuration, thus this update will fix the problem only if you did not modify the file /etc/lighttpd/conf-available/15-fastcgi-php.conf If you did, dpkg will not overwrite your changes. Please make sure to set "socket" => "/var/run/lighttpd/php.socket" yourself in that case. -- Arno Töll Thu, 14 Mar 2013 01:57:42 +0100 lighttpd (1.4.30-1) unstable; urgency=medium This release includes an option to force Lighttpd to honor the cipher order in ssl.cipher-list. This mitigates the effects of an SSL CBC attack commonly referred to as "BEAST attack". See [1] and CVE-2011-3389 for more details. To minimize the risk of this attack it is recommended either to disable all CBC ciphers (beware: this will break reasonably old clients or those who support CBC ciphers only), or at least to persuade clients to use safe ciphers where possible. To do so, set ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" ssl.honor-cipher-order = "enable" in your /etc/lighttpd/conf-available/10-ssl.conf file or on any SSL enabled host you configured. If you did not change this file previously, this upgrade will update it automatically. [1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html -- Arno Töll Sun, 18 Dec 2011 20:26:50 +0100 lighttpd (1.4.23-1) unstable; urgency=low spawn-fcgi is now a separate package. Please install the "spawn-fcgi" package if you need it. -- Krzysztof Krzyżaniak (eloy) Thu, 09 Jul 2009 15:53:14 +0200 debian/index.html0000664000000000000000000000676012271762011011175 0ustar Welcome page

You should replace this page with your own web pages as soon as possible.

Unless you changed its configuration, your new server is configured as follows:
  • Configuration files can be found in /etc/lighttpd. Please read the /etc/lighttpd/conf-available/README file.
  • The DocumentRoot, which is the directory under which all your HTML files should exist, is set to /var/www.
  • CGI scripts are looked for in /usr/lib/cgi-bin, which is where Ubuntu packages will place their scripts. You can enable the cgi module with the command "lighty-enable-mod cgi".
  • Log files are placed in /var/log/lighttpd, and will be rotated weekly. The frequency of rotation can be easily changed by editing /etc/logrotate.d/lighttpd.
  • The default directory index is index.html, meaning that requests for a directory /foo/bar/ will give the contents of the file /var/www/foo/bar/index.html if it exists (assuming that /var/www is your DocumentRoot).
  • You can enable user directories with the command "lighty-enable-mod userdir".

About this page

This is a placeholder page installed by the Ubuntu release of the Lighttpd server package.

This computer has the Ubuntu operating system installed, but it has nothing to do with the Ubuntu Project. Please do not contact the Ubuntu Project about it.

If you find a bug in this Lighttpd package, or in Lighttpd itself, please file a bug report on it. Instructions on doing this, and the list of known bugs of this package, can be found in the Ubuntu Bug Tracking System.

Valid XHTML 1.0 Transitional

debian/lighttpd-mod-webdav.install0000664000000000000000000000016412271762011014422 0ustar debian/tmp/usr/lib/lighttpd/mod_webdav.so debian/conf-available2/10-webdav.conf /etc/lighttpd/conf-available debian/lighttpd.maintscript0000664000000000000000000000011212271762011013257 0ustar rm_conffile /etc/lighttpd/conf-available/10-access.conf 1.4.31-4 lighttpd debian/lighttpd.preinst0000664000000000000000000000172712271762011012423 0ustar #!/bin/sh # preinst script for lighttpd set -e # summary of how this script can be called: # * `install' # * `install' # * `upgrade' # * `abort-upgrade' # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in install) ;; upgrade) if [ "x$2" != "x" ]; then # We upgrade from Squeeze or older, remove alternative as spawn-fcgi is not provided anymore. # This should have been done since 1.4.26-1 but was accidentally forgotten if dpkg --compare-versions "$2" lt 1.4.28-4 then update-alternatives --remove spawn-fcgi /usr/bin/spawn-fcgi.lighttpd || true update-alternatives --remove spawn-fcgi.1.gz /usr/share/man/man1/spawn-fcgi.lighttpd.1.gz || true fi fi ;; abort-upgrade) ;; *) echo "preinst called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 debian/lighttpd.install0000664000000000000000000000340312271762011012376 0ustar debian/tmp/usr/sbin/* debian/tmp/usr/share/man/* debian/tmp/usr/lib/lighttpd/mod_access.so debian/tmp/usr/lib/lighttpd/mod_accesslog.so debian/tmp/usr/lib/lighttpd/mod_alias.so debian/tmp/usr/lib/lighttpd/mod_auth.so debian/tmp/usr/lib/lighttpd/mod_cgi.so debian/tmp/usr/lib/lighttpd/mod_compress.so debian/tmp/usr/lib/lighttpd/mod_dirlisting.so debian/tmp/usr/lib/lighttpd/mod_evasive.so debian/tmp/usr/lib/lighttpd/mod_evhost.so debian/tmp/usr/lib/lighttpd/mod_expire.so debian/tmp/usr/lib/lighttpd/mod_extforward.so debian/tmp/usr/lib/lighttpd/mod_fastcgi.so debian/tmp/usr/lib/lighttpd/mod_flv_streaming.so debian/tmp/usr/lib/lighttpd/mod_indexfile.so 
debian/tmp/usr/lib/lighttpd/mod_proxy.so debian/tmp/usr/lib/lighttpd/mod_redirect.so debian/tmp/usr/lib/lighttpd/mod_rewrite.so debian/tmp/usr/lib/lighttpd/mod_rrdtool.so debian/tmp/usr/lib/lighttpd/mod_scgi.so debian/tmp/usr/lib/lighttpd/mod_secdownload.so debian/tmp/usr/lib/lighttpd/mod_setenv.so debian/tmp/usr/lib/lighttpd/mod_simple_vhost.so debian/tmp/usr/lib/lighttpd/mod_ssi.so debian/tmp/usr/lib/lighttpd/mod_staticfile.so debian/tmp/usr/lib/lighttpd/mod_status.so debian/tmp/usr/lib/lighttpd/mod_userdir.so debian/tmp/usr/lib/lighttpd/mod_usertrack.so debian/lighttpd.conf /etc/lighttpd debian/conf-available/* /etc/lighttpd/conf-available debian/create-mime.assign.pl /usr/share/lighttpd/ debian/include-conf-enabled.pl /usr/share/lighttpd/ debian/use-ipv6.pl /usr/share/lighttpd/ debian/lighty-enable-mod /usr/sbin/ debian/index.html /usr/share/lighttpd/ debian/lighttpd.service /lib/systemd/system/ debian/lighttpd.tmpfile.conf /usr/lib/tmpfiles.d/ debian/lighttpd-doc.install0000664000000000000000000000005212271762011013136 0ustar doc/outdated/*.txt usr/share/doc/lighttpd debian/conf-available2/0000775000000000000000000000000012271762011012114 5ustar debian/conf-available2/10-cml.conf0000664000000000000000000000111312271762011013750 0ustar ## CML is a Meta language to describe the dependencies of a page ## at one side and building a page from its fragments on the ## other side using LUA. ## ## /usr/share/doc/lighttpd/cml.txt server.modules += ( "mod_cml" ) ## the extension for file with cache information. 
With .cml, ## the cache info file for index.html is index.cml cml.extension = ".cml" index-file.names += ( "index" + cml.extension ) ## the memcached used by mod_cml # cml.memcache-hosts = ( "127.0.0.1:11211" ) ## a cml file that is executed for each request # cml.power-magnet = "/var/www/power-magnet.cml" debian/conf-available2/10-webdav.conf0000664000000000000000000000107112271762011014450 0ustar ## WebDAV stands for Web-based Distributed Authoring and Versioning. ## The term also refers to the set of extensions to the HTTP protocol that ## the group defined which allows users to collaboratively edit and manage ## files on remote web servers. ## # /usr/share/doc/lighttpd/webdav.txt # http://trac.lighttpd.net/trac/wiki/Docs%3AModWebDAV server.modules += ( "mod_webdav" ) ## The full path to the file you would like to use as your db file. This ## is required for webdav props and locks. webdav.sqlite-db-name = "/var/run/lighttpd/lighttpd.webdav_lock.db" debian/conf-available2/10-trigger-b4-dl.conf0000664000000000000000000000147612271762011015554 0ustar ## A module to prevent deep-linking from other sites. ## # /usr/share/doc/lighttpd/trigger-b4-dl.html server.modules += ( "mod_trigger_b4_dl" ) ## guarded download URL, direct access is denied #trigger-before-download.download-url = "^/download/" ## trigger URL to allow downloads from #trigger-before-download.trigger-url = "^/trigger/" ## if access to a file is denied, the user is redirected to this URL #trigger-before-download.deny-url = "/var/www/deny.html" ## access to granted for seconds after the trigger #trigger-before-download.trigger-timeout = 10 ## storage of trigger information. If both destinations are provided, ## the GDBM file takes precedence. 
#trigger-before-download.gdbm-filename = "/var/www/data/trigger.db" #trigger-before-download.memcache-hosts = ( "127.0.0.1:11211" ) debian/conf-available2/10-magnet.conf0000664000000000000000000000020212271762011014446 0ustar # /usr/share/doc/lighttpd/magnet.txt.gz # http://trac.lighttpd.net/trac/wiki/Docs%3AModMagnet server.modules += ( "mod_magnet" ) debian/lighttpd.postrm0000664000000000000000000000110212271762011012246 0ustar #!/bin/sh -e # postrm script for lighttpd set -e if [ "$1" = "purge" ]; then rm -rf /var/log/lighttpd /var/run/lighttpd /var/cache/lighttpd if [ -d /etc/lighttpd/conf-enabled/ ] ; then # The loop below fixes #642494 (mostly) for link in /etc/lighttpd/conf-enabled/*.conf ; do target=$(readlink "$link") || true if [ -n "$target" ] && [ ! -e "/etc/lighttpd/conf-enabled/$target" ] ; then echo "removing dangling symlink $link ..." rm -f $link fi done fi fi #DEBHELPER# exit 0 debian/lighttpd.conf0000664000000000000000000000205112271762011011653 0ustar server.modules = ( "mod_access", "mod_alias", "mod_compress", "mod_redirect", # "mod_rewrite", ) server.document-root = "/var/www" server.upload-dirs = ( "/var/cache/lighttpd/uploads" ) server.errorlog = "/var/log/lighttpd/error.log" server.pid-file = "/var/run/lighttpd.pid" server.username = "www-data" server.groupname = "www-data" server.port = 80 index-file.names = ( "index.php", "index.html", "index.lighttpd.html" ) url.access-deny = ( "~", ".inc" ) static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" ) compress.cache-dir = "/var/cache/lighttpd/compress/" compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" ) # default listening port for IPv6 falls back to the IPv4 port ## Use ipv6 if available #include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port include_shell "/usr/share/lighttpd/create-mime.assign.pl" include_shell "/usr/share/lighttpd/include-conf-enabled.pl" debian/rules0000775000000000000000000000226712271762011010256 0ustar #!/usr/bin/make 
-f # uncomment to enable verbose mode #export DH_VERBOSE=1 %: dh $@ --with autoreconf,systemd override_dh_auto_configure: dh_auto_configure -- \ --disable-dependency-tracking \ --libdir=/usr/lib/lighttpd \ --libexecdir="/usr/lib/lighttpd" \ --with-attr \ --with-fam \ --with-gdbm \ --with-kerberos5 \ --with-ldap \ --with-lua=lua5.1 \ --with-memcache \ --with-mysql \ --with-openssl \ --with-pcre \ --with-webdav-locks \ --with-webdav-props \ $(shell dpkg-buildflags --export=configure) override_dh_install: dh_install install -m644 debian/lighttpd.ufw.profile debian/lighttpd/etc/ufw/applications.d/lighttpd override_dh_fixperms: dh_fixperms chmod 0750 debian/lighttpd/var/log/lighttpd chown www-data:www-data debian/lighttpd/var/cache/lighttpd/compress debian/lighttpd/var/cache/lighttpd/uploads chown www-data:www-data debian/lighttpd/var/log/lighttpd override_dh_installinit: dh_installinit --error-handler=true -- defaults 91 09 debian/gbp.conf0000664000000000000000000000003612271762011010605 0ustar [DEFAULT] pristine-tar = True debian/compat0000664000000000000000000000000212271762011010365 0ustar 9 debian/lighttpd.service0000664000000000000000000000035212271762011012370 0ustar [Unit] Description=Lighttpd Daemon After=network.target [Service] ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf [Install] WantedBy=multi-user.target debian/lighttpd.init0000664000000000000000000000550712271762011011702 0ustar #!/bin/sh ### BEGIN INIT INFO # Provides: lighttpd # Required-Start: $syslog $remote_fs $network # Required-Stop: $syslog $remote_fs $network # Should-Start: fam # Should-Stop: fam # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Start the lighttpd web server. # Description: Fast and smalle webserver with minimal memory footprint # developed with security in mind HTTP/1.1 compliant caching # proxy server. 
### END INIT INFO PATH=/sbin:/bin:/usr/sbin:/usr/bin DAEMON=/usr/sbin/lighttpd NAME=lighttpd DESC="web server" PIDFILE=/var/run/$NAME.pid SCRIPTNAME=/etc/init.d/$NAME DAEMON_OPTS="-f /etc/lighttpd/lighttpd.conf" test -x $DAEMON || exit 0 set -e check_syntax() { $DAEMON -t $DAEMON_OPTS > /dev/null || exit $? } if [ "$1" != status ]; then # be sure there is a /var/run/lighttpd, even with tmpfs # The directory is defined as volatile and may thus be non-existing # after a boot (DPM §9.3.2) if ! dpkg-statoverride --list /var/run/lighttpd >/dev/null 2>&1; then install -d -o www-data -g www-data -m 0750 "/var/run/lighttpd" fi fi . /lib/lsb/init-functions case "$1" in start) check_syntax log_daemon_msg "Starting $DESC" $NAME if ! start-stop-daemon --start --oknodo --quiet \ --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS then log_end_msg 1 else log_end_msg 0 fi ;; stop) log_daemon_msg "Stopping $DESC" $NAME if start-stop-daemon --stop --retry 30 --oknodo --quiet \ --pidfile $PIDFILE --exec $DAEMON then rm -f $PIDFILE log_end_msg 0 else log_end_msg 1 fi ;; reload|force-reload) check_syntax log_daemon_msg "Reloading $DESC configuration" $NAME if start-stop-daemon --stop --signal INT --quiet \ --pidfile $PIDFILE --exec $DAEMON then rm $PIDFILE if start-stop-daemon --start --quiet \ --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS ; then log_end_msg 0 else log_end_msg 1 fi else log_end_msg 1 fi ;; reopen-logs) log_daemon_msg "Reopening $DESC logs" $NAME if start-stop-daemon --stop --signal HUP --oknodo --quiet \ --pidfile $PIDFILE --exec $DAEMON then log_end_msg 0 else log_end_msg 1 fi ;; restart) check_syntax $0 stop $0 start ;; status) status_of_proc -p "$PIDFILE" "$DAEMON" lighttpd && exit 0 || exit $? 
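;; *) echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|status}" >&2 exit 1 ;; esac exit 0 debian/lighttpd.dirs0000664000000000000000000000026612271762011011675 0ustar etc/lighttpd/conf-available etc/lighttpd/conf-enabled etc/ufw/applications.d usr/lib/cgi-bin usr/sbin var/cache/lighttpd/compress var/cache/lighttpd/uploads var/log/lighttpd var/www debian/create-mime.assign.pl0000775000000000000000000000071512271762011013205 0ustar #!/usr/bin/perl -w
# Print a lighttpd "mimetype.assign = ( ... )" block built from
# /etc/mime.types. Whatever this script writes to stdout is text for the
# lighttpd configuration, so only strictly pattern-checked values are
# emitted.
use strict;
use warnings;

# Three-argument open with a lexical handle instead of a bareword handle and
# an implicit mode. When the file cannot be opened the script exits without
# output, as before.
open my $mime_types, '<', '/etc/mime.types' or exit;

print "mimetype.assign = (\n";
my %seen_extension;
while (my $line = <$mime_types>) {
    chomp $line;
    $line =~ s/\#.*//;            # drop comments
    next if $line =~ /^\s*$/;     # skip empty and whitespace-only lines

    # A line is used only if the type and every extension consist of the
    # characters listed here; a quote, backslash or parenthesis makes the
    # whole line fail to match, so nothing read from mime.types can leave
    # the quoted strings printed below. The hyphen is last in the class so
    # that it is literal (written as "+-." it formed a range that also
    # admitted a comma).
    if ($line =~ m{^([a-z0-9/+.-]+)\s+((?:[a-z0-9.+-]+[ ]?)+)$}) {
        my ($type, $extension_list) = ($1, $2);
        for my $extension (split / /, $extension_list) {
            # mime.types can have same extension for different
            # mime types; the first type listed wins
            next if $seen_extension{$extension};
            $seen_extension{$extension} = 1;
            print "\".$extension\" => \"$type\",\n";
        }
    }
}
close $mime_types;
print ")\n";
debian/changelog0000664000000000000000000017116512271762011011054 0ustar lighttpd (1.4.33-1+nmu2ubuntu2) trusty; urgency=medium * Use dh-autoreconf to regenerate autotools files, fixes FTBFS with automake 1.14.1 (Closes: #726934) * Add lighttpd.pc to ac_config_files to fix FTBFS: make[3]: *** No rule to make target `lighttpd.pc', needed by `all-am'. -- Andreas Moog Tue, 28 Jan 2014 18:08:02 +0100 lighttpd (1.4.33-1+nmu2ubuntu1) trusty; urgency=low * Merge from Debian unstable. Remaining changes: - debian/index.html: corrected BTS Ubuntu link for lighttpd. - debian/index.html: s/Debian/Ubuntu/g branding on the default page. - debian/lighttpd.conf: Comment 'use-ipv6.pl' by default, which causes failure to bind port in ipv4. - Add lighttpd-dev package: + debian/control: Added lighttpd-dev package; Build-depends on automake (>=1.14), libtool. + debian/lighttpd-dev.install: Added. - debian/control: libgamin-dev rather than libfam-dev to fix startup warning. - debian/rules: Add override_dh_installinit to set "defaults 91 09" to not start before apache2 but in the same runlevel with the same priority.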
- Added a UFW profile set: + debian/lighttpd.dirs: added etc/ufw/applications.d + debian/rules: install the ufw profile. + debian/control: Suggests on ufw. -- Mahyuddin Susanto Wed, 18 Dec 2013 14:30:01 +0700 lighttpd (1.4.33-1+nmu2) unstable; urgency=high * Non-maintainer upload by the Security Team. * Fix regression caused by the fix for cve-2013-4508 (closes: #729480). -- Michael Gilbert Sat, 16 Nov 2013 22:29:07 +0000 lighttpd (1.4.33-1+nmu1) unstable; urgency=high * Non-maintainer upload by the Security Team (closes: #729453). * Fix cve-2013-4508: ssl cipher suites issue. * Fix cve-2013-4559: setuid privilege escalation issue. * Fix cve-2013-4560: use-after-free in fam. -- Michael Gilbert Wed, 13 Nov 2013 02:19:47 +0000 lighttpd (1.4.33-1ubuntu1) trusty; urgency=low * Merge from Debian unstable (LP: #1246886). Remaining changes: - debian/index.html: corrected BTS Ubuntu link for lighttpd. - debian/index.html: s/Debian/Ubuntu/g branding on the default page. - debian/lighttpd.conf: Comment 'use-ipv6.pl' by default, which causes failure to bind port in ipv4. - Add lighttpd-dev package: + debian/control: Added lighttpd-dev package; Build-depends on automake (>=1.14), libtool. + debian/lighttpd-dev.install: Added. - debian/control: libgamin-dev rather than libfam-dev to fix startup warning. - debian/rules: Add override_dh_installinit to set "defaults 91 09" to not start before apache2 but in the same runlevel with the same priority. - Added a UFW profile set: + debian/lighttpd.dirs: added etc/ufw/applications.d + debian/rules: install the ufw profile. + debian/control: Suggests on ufw. - debian/patches/build-dev-package.patch: Updated to reflect 1.4.33 changes. -- Mattia Rizzolo Wed, 30 Oct 2013 15:52:50 +0100 lighttpd (1.4.33-1) unstable; urgency=low * Drop the connection-dos.patch - merged upstream. 
* Fix "mod_extforward missing configuration file": ship requested configuration file (Closes: #697304) * Remove access.conf, an obsolete conffiles as we should have done since 2010 (Closes: #703215) * Push debhelper's compat mode to 9, the use of maintscript helper requires 8.1 so we had to push the debhelper b-d anyway. * Fix "config.guess/config.sub out of date for arm64" by adding the patch provided by Colin Watson. Thanks (Closes: #726394). * Fix "[PATCH] use dh-systemd for proper systemd-related maintscripts" to add systemd support. Thanks to Michael Stapelberg (Closes: #713859) -- Arno Töll Tue, 15 Oct 2013 21:24:49 +0200 lighttpd (1.4.31-4) unstable; urgency=high * CVE-2013-1427: Switch the socket path for PHP when using FastCGI. /tmp is world-writable which may cause security implications if an attacker manages to control /tmp/php.socket before the web server (re-)starts. * Switch VCS to git * Push standards version (no changes) -- Arno Töll Thu, 14 Mar 2013 02:20:07 +0100 lighttpd (1.4.31-3ubuntu3) saucy; urgency=low * Use the autotools-dev dh addon to update config.guess/config.sub for arm64. -- Colin Watson Tue, 15 Oct 2013 11:01:00 +0100 lighttpd (1.4.31-3ubuntu2) raring; urgency=low * Import change from debian version 1.4.31-4: - CVE-2013-1427: Switch the socket path for PHP when using FASTCGI. /tmp is world-writable which may cause security implications if an attacker manages to control /tmp/php.socket before the web server (re-)starts. -- Lorenzo De Liso Mon, 25 Mar 2013 11:55:53 +0100 lighttpd (1.4.31-3ubuntu1) raring; urgency=low * Merge from debian unstable, remaining changes: - debian/control: libgamin-dev rather than libfam-dev to fix startup warning. - debian/index.html: s/Debian/Ubuntu/g branding on the default page. - Added a UFW profile set: + debian/lighttpd.dirs: added etc/ufw/applications.d + debian/rules: install the ufw profile. + debian/control: Suggests on ufw. 
- Add lighttpd-dev package: + debian/control: Added lighttpd-dev package; Build-depends on automake, libtool + debian/lighttpd-dev.install: Added. - debian/rules: Add override_dh_installinit to set "defaults 91 09" to not start before apache2 but in the same runlevel with the same priority. - debian/patches/build-dev-package.patch: Updated - debian/lighttpd.conf: Comment 'use-ipv6.pl' by default, which causes failure to bind port in ipv4 * debian/index.html: corrected BTS Ubuntu link for lighttpd -- Lorenzo De Liso Thu, 06 Dec 2012 17:54:59 +0100 lighttpd (1.4.31-3) unstable; urgency=high * Fix "configuration files refer to wrong path for documentation" by merging a patch supplied by Denis Laxalde (Closes: #676641) * CVE-2012-5533: Fix Denial Of Service attacks against Lighttpd by sending faulty Connection headers -- Arno Töll Wed, 21 Nov 2012 14:42:32 +0100 lighttpd (1.4.31-1) unstable; urgency=low * New upstream release * Be more careful when removing dangling symlinks, as introduced in 1.4.30-1. Under some configurations the postrm script could fail previously. * Change the use-ipv6.pl script to read the default listening port as a command line argument, fall back to the old default behavior otherwise (Closes: #632723, #642604). Thanks to Sebastian Pipping to accidentally give a hint how to fix this old problem by driving by. * Push standards version to 3.9.3.1 - no further changes * Fix "[lighttpd] "ldap" lowercase in extended description" by fixing the typo (Closes: #670206) * Update my maintainer address -- Arno Töll Fri, 01 Jun 2012 23:46:05 +0200 lighttpd (1.4.30-1) unstable; urgency=medium * New upstream release + Fix integer overflow (CVE-2011-4362) (Closes: #652726) + Fix attack vector as disclosed by the SSL BEAST attack (related: CVE-2011-3389). Note: If you are upgrading from an older version you need to change your configuration to mitigate effects of the attack. See the corresponding NEWS file for details. 
+ Count SSL renegotiations to prevent client renegotiations * Urgency set to medium due to security updates. * Adapt to dpkg 1.16.1 API changes regarding build flags. This enables hardening build flags. This means, lighttpd is now being built with -fstack-protector and other security related build flags. * Add dpkg-dev (>= 1.16.1~) to build-depends to make sure our buildflags are properly supported. That's guaranteed for Testing, but might be helpful to know for backporters. * Fix "Doesn't remove /etc/lighttpd on purge" by removing dangling symlinks /only/. This does not entirely fix the problem of the maintainer, but we can not simply remove all files in /etc/lighttpd as other packages or the user himself might have left configuration files back (Closes: #642494) * Fix "please include systemd service file" Support systemd as alternative to sysvinit, ship systemd and tempfiles.d configuration files. Thanks to Michael Stapelberg for providing the required files (Closes: #652442) -- Arno Töll Tue, 20 Dec 2011 11:36:09 +0100 lighttpd (1.4.29-1) unstable; urgency=low * New upstream release * Fix "lighty-enable-mod should return non-zero on fail" Update script to leave with appropriate exit status (Closes: #629638) * Remove the following patches: + silence-errors.diff - applied upstream + patches/ssl-fix.patch - applied upstream * Add `debian/source/options' to make dpkg-source ignore glitches done by upstream's Makefile in `src/mod_ssi_exprparser.c' and `src/configparser.c' * Run maintainer scripts with `set -e' -- Arno Töll Mon, 04 Jul 2011 17:30:11 +0200 lighttpd (1.4.28-5) unstable; urgency=low * Build with sbuilder to avoid linking to non-existed packages. 
-- Krzysztof Krzyżaniak (eloy) Tue, 26 Apr 2011 15:05:06 +0200 lighttpd (1.4.28-4) unstable; urgency=low [ Krzysztof Krzyżaniak (eloy) ] * Add Arno Töll to Uploaders [ Arno Töll ] * Fix "leaves dangling alternatives on upgrade" add preinst script which removes the dangling symlink (Closes: #614716) * Fix "/etc/lighttpd/conf-available/15-fastcgi-php.conf: fastcgi-php file missing a required directive" add a dependency based recursive module enable system in lighty-enable-mod (Closes: #600050) * Fix "binNMU for openssl 1.0.0 broke SSL support" backport fix from upstream to avoid name clashes between OpenSSL and Lighty's MD5 implementation (Closes: #622733) -- Arno Töll Sat, 09 Apr 2011 13:22:45 -0400 lighttpd (1.4.28-3) unstable; urgency=low [ Krzysztof Krzyżaniak (eloy) ] * Updated debian/control and debian/copyright files * fix for debhelper-overrides-need-versioned-build-depends (>= 7.0.50~) * debian/compat: increased to 8 [ Olaf van der Spek] * Don't fail install if server fails to start (closes: #383425) * Fix index-file.names typo (closes: #609890) -- Olaf van der Spek Mon, 03 Jan 2011 22:56:38 +0100 lighttpd (1.4.28-2ubuntu4) precise; urgency=low * debian/patches/CVE-2011-4362.patch: Fix DoS because of incorrect code in src/http_auth.c:67 (LP: #906792) - CVE-2011-4362 -- Mahyuddin Susanto Tue, 20 Dec 2011 17:32:22 +0700 lighttpd (1.4.28-2ubuntu3) precise; urgency=low * Rebuild for libmysqlclient transition -- Clint Byrum Wed, 23 Nov 2011 23:54:14 -0800 lighttpd (1.4.28-2ubuntu2) oneiric; urgency=low * No-change rebuild for openssl0.9.8 -> openssl1.0.0 transition. -- Ilya Barygin Sun, 21 Aug 2011 00:26:14 +0400 lighttpd (1.4.28-2ubuntu1) natty; urgency=low * Merge from debian unstable. Remaining changes: - debian/control: + libgamin-dev rather than libfam-dev to fix startup warning. + debhelper Build-depends bumped to (>= 7.0.50) for overrides in rules file. - debian/index.html: s/Debian/Ubuntu/g branding on the default page. 
- Added a UFW profile set: + debian/lighttpd.dirs: added etc/ufw/applications.d + debian/rules: install the ufw profile. + debian/control: Suggests on ufw. - Add lighttpd-dev package: + debian/control: Added lighttpd-dev package; Build-depends on automake, libtool + debian/lighttpd-dev.install: Added. - debian/rules: + Add override_dh_installinit to set "defaults 91 09" to not start before apache2 but in the same runlevel with the same priority. - debian/patches/build-dev-package.patch: Updated - debian/lighttpd.conf: Comment 'use-ipv6.pl' by default, which causes failure to bind port in ipv4 (LP: #551211) -- Bhavani Shankar Sun, 21 Nov 2010 12:09:27 +0530 lighttpd (1.4.28-2) unstable; urgency=medium [ Olaf van der Spek ] * Use relative instead of absolute links for conf-enabled (closes: #541645) * Fix /doc/ for IPv6 (closes: #512583) [ Krzysztof Krzyżaniak (eloy) ] * Added patch patches/silence-errors.diff (closes: #601177) -- Krzysztof Krzyżaniak (eloy) Fri, 12 Nov 2010 12:08:48 +0100 lighttpd (1.4.28-1ubuntu1) natty; urgency=low * Merge from debian unstable, remaining changes: - debian/control: + libgamin-dev rather than libfam-dev to fix startup warning. + debhelper Build-depends bumped to (>= 7.0.50) for overrides in rules file. - debian/index.html: s/Debian/Ubuntu/g branding on the default page. - Added a UFW profile set: + debian/lighttpd.dirs: added etc/ufw/applications.d + debian/rules: install the ufw profile. + debian/control: Suggests on ufw. - Add lighttpd-dev package: + debian/control: Added lighttpd-dev package; Build-depends on automake, libtool + debian/lighttpd-dev.install: Added. - debian/rules: + Add override_dh_installinit to set "defaults 91 09" to not start before apache2 but in the same runlevel with the same priority. 
- debian/patches/build-dev-package.patch: Updated - debian/lighttpd.conf: Comment 'use-ipv6.pl' by default, which causes failure to bind port in ipv4 (LP: #551211) * debian/patches/build-dev-package.patch: updated * Dropped changes: - debian/lighttpd.init: clean environment; Check syntax during start/reload: this change has been applied in the debian package - syntax_check function defined in init script. (LP: #600767): this change has been applied in the debian package - debian/patches/build-dev-package.patch: Updated: patch updated newly -- Lorenzo De Liso Fri, 15 Oct 2010 21:01:50 +0200 lighttpd (1.4.28-1) unstable; urgency=low [ Olaf van der Spek ] * New upstream release (closes: 521235, 572031, 564556) * Add check_syntax() from Ubuntu (closes: 589200) -- Thijs Kinkhorst Mon, 30 Aug 2010 20:53:18 +0200 lighttpd (1.4.26-3ubuntu2) maverick; urgency=low * syntax_check function defined in init script. (LP: #600767) -- David Sugar Thu, 15 Jul 2010 17:50:35 +0000 lighttpd (1.4.26-3ubuntu1) maverick; urgency=low * Merge from debian unstable (LP: #599010), remaining changes: - debian/control: + libgamin-dev rather than libfam-dev to fix startup warning. + debhelper Build-depends bumped to (>= 7.0.50) for overrides in rules file. - debian/lighttpd.init: clean environment; Check syntax during start/reload restart/force-reload. - debian/index.html: s/Debian/Ubuntu/g branding on the default page. - Added a UFW profile set: + debian/lighttpd.dirs: added etc/ufw/applications.d + debian/rules: install the ufw profile. + debian/control: Suggests on ufw. - Add lighttpd-dev package: + debian/control: Added lighttpd-dev package; Build-depends on automake, libtool + debian/lighttpd-dev.install: Added. - debian/rules: + Add override_dh_installinit to set "defaults 91 09" to not start before apache2 but in the same runlevel with the same priority. 
- debian/patches/build-dev-package.patch: Updated - debian/lighttpd.conf: Comment 'use-ipv6.pl' by default, which causes failure to bind port in ipv4 (LP: #551211) -- Lorenzo De Liso Sun, 27 Jun 2010 13:13:01 +0200 lighttpd (1.4.26-3) unstable; urgency=low * Ack for NMU, fix for SSL incompatibility (closes: #572031) -- Krzysztof Krzyżaniak (eloy) Thu, 03 Jun 2010 21:22:24 +0200 lighttpd (1.4.26-2) unstable; urgency=low [ Krzysztof Krzyżaniak (eloy) ] * Switch to dpkg-source 3.0 (quilt) format * debian/control: + removed Franz Pletz from Uploaders, he's MIA (closes: #579366) + change dependency from libmysqlclient15-dev to more general libmysqlclient-dev [ Olaf van der Spek ] * take conf dir as an optional parameter (closes: 489854) * don't try to make /var/run/lighttpd when invoked with status (closes: 538662) * split FastCGI PHP conf from FastCGI conf (closes: 515699) * reduce max-procs from 2 to 1 (closes: 456200) * move debian doc handling into it's own file * set default vhost dir to /srv//htdocs (closes: 471054) * use delaycompress instead of copytruncate for logrotate (closes: 563626) * don't wait for old process to stop before starting new one for reload (closes: 504315) * use reopen-logs for logrotate (closes: 504319) * add no-www.conf (for use with evhost and simple-vhost, closes: 471055) * move evhost conf into it's own file -- Krzysztof Krzyżaniak (eloy) Tue, 01 Jun 2010 17:08:42 +0200 lighttpd (1.4.26-1.1ubuntu3) lucid; urgency=low * debian/control: Rebuild for libmysqlclient transition. -- Chuck Short Tue, 06 Apr 2010 06:12:07 -0400 lighttpd (1.4.26-1.1ubuntu2) lucid; urgency=low * debian/lighttpd.conf: Comment 'use-ipv6.pl' by default, which causes failure to bind port in ipv4 (LP: #551211) -- Andres Rodriguez Sat, 03 Apr 2010 15:37:37 -0400 lighttpd (1.4.26-1.1ubuntu1) lucid; urgency=low * Merge from debian unstable (LP: #407722). Remaining changes: - debian/control: libgamin-dev rather than libfam-dev to fix startup warning. 
- debian/init.d: clean environment; Check syntax during start/reload restart/force-reload. - debian/index.html: s/Debian/Ubuntu/g branding on the default page. - Added a UFW profile set: + debian/lighttpd.dirs: added etc/ufw/applications.d + debian/rules: install the ufw profile. + debian/control: Suggests on ufw. - Add lighttpd-dev package: + debian/control: Added lighttpd-dev package; Build-depends on automake, libtool + debian/lighttpd-dev.install: Added. * debian/control: debhelper Build-depends bumped to (>= 7.0.50) for overrides in rules file. * debian/rules: - Add override_dh_installinit to set "defaults 91 09" to not start before apache2 but in the same runlevel with the same priority. * debian/patches/build-dev-package.patch: Updated * Also closes: (LP: #521659, LP: #523682) -- Andres Rodriguez Sat, 27 Mar 2010 15:53:32 -0400 lighttpd (1.4.26-1.1) unstable; urgency=low * Non-maintainer upload. * Apply upstream patch to fix openssl (closes: #572031) -- John Ham Mon, 15 Mar 2010 13:31:52 +0700 lighttpd (1.4.26-1) unstable; urgency=low * New upstream release (closes: #568735) * Use provided patch from Andres Rodriguez to implement status action in init.d script (closes: #539955) -- Krzysztof Krzyżaniak (eloy) Tue, 09 Feb 2010 18:02:13 +0100 lighttpd (1.4.25-2) unstable; urgency=low * Change behaviour of use-ipv6.pl script (closes: #560837) -- Krzysztof Krzyżaniak (eloy) Mon, 30 Nov 2009 14:23:03 +0100 lighttpd (1.4.25-1) unstable; urgency=low * New upstream release (closes: #558045) * debian/watch: updated * debian/control: Section field changed to web -- Krzysztof Krzyżaniak (eloy) Mon, 30 Nov 2009 14:03:15 +0100 lighttpd (1.4.24-1) unstable; urgency=low * New upstream release (closes: #530892) (closes: #538135) (closes: #482601) (closes: #541428) * debian/control: + Standards-Version: 3.8.3 * debian/init.d renamed to debian/lighttpd.init * Added $syslog to LSB header in init script (closes: #545576) (Jeremy Lal ) * debian/init.d: force-reload moved to 
reload section (closes: #538661) (Peter Eisentraut ) -- Krzysztof Krzyżaniak (eloy) Fri, 30 Oct 2009 17:37:29 +0100 lighttpd (1.4.23-3) unstable; urgency=low * debian/rules: make sure that scripts have proper rights (closes: #536668), (closes: #536681), (closes: #536688) (closes: #536668) -- Krzysztof Krzyżaniak (eloy) Mon, 13 Jul 2009 11:17:09 +0200 lighttpd (1.4.23-2) unstable; urgency=low * Add lighttpd.docs with README & NEWS file * New upstream closes wishlist bugs (closes: #535065) (closes: #515777) -- Krzysztof Krzyżaniak (eloy) Fri, 10 Jul 2009 11:11:15 +0200 lighttpd (1.4.23-1) unstable; urgency=low * New upstream release * spawn-fcgi is now separate package, recommends it debian/control * Update Standards-Version to 3.8.2 without changes * Remove cdbs, patchutils from Build-Depends, debian/rules uses debhelper 7 scripts * lighttpd.logrotate apply patch (closes: #535523) from Ubuntu (Daniel Hahler, https://launchpad.net/bugs/393792) -- Krzysztof Krzyżaniak (eloy) Thu, 09 Jul 2009 11:24:16 +0200 lighttpd (1.4.22-1ubuntu4) karmic; urgency=low * Fix FTBFS, replaced automake with automake1.10 on Build-Depends (LP #447672) -- Joao Pinto Sat, 10 Oct 2009 00:08:19 +0000 lighttpd (1.4.22-1ubuntu3) karmic; urgency=low * debian/lighttpd.logrotate: check if lighttpd is running, before calling reload, which would start the daemon if it is not running currently (LP: #393792) -- Daniel Hahler Fri, 03 Jul 2009 01:05:29 +0200 lighttpd (1.4.22-1ubuntu2) karmic; urgency=low * Introduce patches to introduce a -dev package for lighttpd. Closes (LP: #326899). Should merge seamlessly in the future. [ Andreas Moog ] * debian/control - add lighttpd-dev package * debian/patches - add build-dev-package.patch to include pkg-config files for lighttpd * debian/ - add lighttpd-dev.install [ Morten Kjeldgaard ] * debian/rules: add DEB_AUTO_UPDATE_* variables to ensure autotool files get updated with our patches. * Minor cleanups and update Andreas' patches to version 1.4.22. 
-- Morten Kjeldgaard Thu, 18 Jun 2009 14:57:10 +0200 lighttpd (1.4.22-1ubuntu1) karmic; urgency=low * Merge from debian unstable (LP: #384367), remaining changes: - debian/control: Depend on lsb (>= 3.2-14), which has the status_of_proc() function; libgamin-dev rather than libfam-dev to fix startup warning. - debian/init.d: Add the 'status' action, clean environment; Check syntax during start/reload/restart/force-reload. - debian/rules: set DEB_UPDATE_RCD_PARAMS to "defaults 91 09" to not start lighty before apache2 but in the same runlevel with the same priority; Make sure that upgrades succeed, even if we can't restart lighttpd. - debian/index.html: s/Debian/Ubuntu/g branding on the default page. - Added a UFW profile set: + debian/lighttpd.dirs: added etc/ufw/applications.d + debian/rules: install the ufw profile. + debian/control: Suggests on ufw. * debian/patches/fix-conf-doc.patch: Update headers to match package version -- Andres Rodriguez Sat, 06 Jun 2009 15:53:28 -0500 lighttpd (1.4.22-1) unstable; urgency=low * New upstream release (closes: #520124) (closes: #516897) (closes: #441173) * debian/control: Update to Standards-Version 3.8.1 (no changes so far), debhelper dependency updated to 7, utfize my name, satisfy lintian * Remove all patches, all fixed upstream but rewrite_redirect_decode_url Do NOT use rewrite/redirect to protect specific urls. 
 -- Krzysztof Krzyżaniak (eloy) Wed, 18 Mar 2009 11:19:55 +0100 lighttpd (1.4.19-5ubuntu7) jaunty; urgency=low * debian/index.html: do not point to edge.launchpad.net (LP: #302845) * Fix documentation reference to virtual hosting by referring to mod_simple_vhost (LP: #247271) - debian/patches/fix-conf-doc.patch -- Daniel Hahler Tue, 17 Mar 2009 22:36:05 +0100 lighttpd (1.4.19-5ubuntu6) jaunty; urgency=low * Finally provide what ~ubuntu3 should have been already, fixing another shell script error (LP: #329595) -- Daniel Hahler Mon, 16 Feb 2009 20:37:19 +0100 lighttpd (1.4.19-5ubuntu5) jaunty; urgency=low * Fix bashism in init.d (LP: #329595) -- Daniel Hahler Sun, 15 Feb 2009 23:53:19 +0100 lighttpd (1.4.19-5ubuntu4) jaunty; urgency=low * Remove check-syntax-on-startup from debian/patches/series because there is not a patch with this name (changes in the last revision were all inside the debian dir) -- Scott Kitterman Sat, 14 Feb 2009 19:07:20 -0500 lighttpd (1.4.19-5ubuntu3) jaunty; urgency=low * init.d: check syntax during start/reload/restart/force-reload. Patch provided by Nic Ferrier. (LP: #286887) -- Daniel Hahler Sat, 14 Feb 2009 22:18:35 +0100 lighttpd (1.4.19-5ubuntu2) jaunty; urgency=low * Added a UFW profile set.
(LP: #317994) - debian/lighttpd.dirs: added etc/ufw/applications.d - debian/rules: install the ufw profile - debian/control: lighttpd: suggest ufw -- Jacob Peddicord Fri, 23 Jan 2009 19:43:51 -0500 lighttpd (1.4.19-5ubuntu1) jaunty; urgency=low * Merge from debian unstable, remaining changes: - debian/control: Depend on lsb >= 3.2-14, which has the status_of_proc() function; libgamin-dev rather than libfam-dev to fix startup warning - debian/init.d: Add the 'status' action, clean environment - debian/rules: set DEB_UPDATE_RCD_PARAMS to "defaults 91 09" to not start lighty before apache2 but in the same runlevel with the same priority - debian/index.html: s/Debian/Ubuntu/g branding on the default page - debian/compat: standards version 3.7.3, bump compat to 6, adjusted build-dep of debhelper accordingly * Dropped changes - debian/lighttpd.install: all changes upstream now, order adjusted accordingly -- Dustin Kirkland Sat, 22 Nov 2008 21:12:01 -0600 lighttpd (1.4.19-5) unstable; urgency=high * Remove the alias.url stanza from 10-cgi.conf (Closes: #499334). * Add patches for lighttpd security 2008-05 to 2008-07 (no CVE yet): + patches/lighttpd-1.4.x_request_header_memleak.patch + patches/lighttpd-1.4.x_rewrite_redirect_decode_url.patch + patches/lighttpd-1.4.x_userdir_lowercase.patch * Urgency set to high for security fix. -- Pierre Habouzit Sat, 27 Sep 2008 12:00:47 +0200 lighttpd (1.4.19-4ubuntu2) intrepid; urgency=low * debian/control: Depend on lsb >= 3.2-14, which has the status_of_proc() function. * debian/init.d: Add the 'status' action (LP: #251924). -- Andres Rodriguez Fri, 25 Jul 2008 11:47:48 -0500 lighttpd (1.4.19-4ubuntu1) intrepid; urgency=low * Merge from debian unstable (LP: #233966), remaining changes: - debian/rules: (From Debian) - Remove spurious mkdir in debian/rules (Closes: dbts 448160). - debian/conf-available/10-rrdtool: (From Debian) + Add sample configuration for the mod_rrdtool (Closes: dbts 462907). 
- debian/lighttpd.install: + Install 10-rrdtool - debian/patches/ldap-deprecated.dpatch: + Force use of deprecated ldap interfaces (Closes: dbts 463368), thanks to Dann Frazier (patches/ldap-deprecated.dpatch). - debian/rules: (LP: #174289) + set DEB_UPDATE_RCD_PARAMS to "defaults 91 09" to not start lighty before apache2 but in the same runlevel with the same priority - Build against libgamin-dev rather than libfam-dev (fixes a warning during startup) - Make sure that upgrades succeed, even if we can't restart lighttpd. - Clean environment in init.d script. -- Nicolas Valcárcel Thu, 22 May 2008 11:26:16 +0200 lighttpd (1.4.19-4) unstable; urgency=high * Make debian/use-ipv6.pl executable in debian/rules, thanks to Marco d'Itri for finding about this inexcusable mistake. -- Pierre Habouzit Mon, 12 May 2008 17:12:28 +0200 lighttpd (1.4.19-3) unstable; urgency=medium * Fix /var/cache/lighttpd/uploads permissions in postinst (Closes: 476870). * Update patches/ssl-connection-errors.patch using upstream r2144, thanks to upstream for noticing. * cherokee and lighttpd both provide spawn-fcgi, fix that using alternatives (Closes: 479501): + add spawn-fcgi.lighttpd.1 shamelessly stolen from cherokee packaging (thanks Gunnar). + install spawn-fcgi as spawn-fcgi.lighttpd. + install master alternatives on spawn-fcgi.lighttpd and spawn-fcgi.lighttd.1. + add Conflict against cherokee <= 0.6.1-1. * Quote "dangerous" bits of conf-available/10-cgi.conf (Closes: 479276). -- Pierre Habouzit Tue, 06 May 2008 20:01:37 +0200 lighttpd (1.4.19-2) unstable; urgency=low * Add patches/ssl-connection-errors.patch for CVE-2008-1531 (Closes: 475438). * Test for /var/cache/lighttpd/compress in lighttpd.cron.daily to avoid spurious errors for uninstalled and not purged lighttpd's (Closes: 472175). * Add handling of /var/cache/lighttpd/uploads (Closes: 408521): + add it in lighttpd.dirs. + add it as a server.upload-dirs in lighttpd.conf. + purge it daily in lighttpd.cron.daily. 
* Fix typo in lighttpd.preinst causing failure to update 05-auth symlink properly (Closes: 472119). * init.d: stopping an already stopped lighttpd, or starting an already running one should not fail (Closes: 472122). * Use $HTTP["remoteip"] =~ "127.0.0.1" in configuration snipplets so that it works when ipv6 is enabled by default too (Closes: 473510). * Use perl to detect if the host has ipv6, and generate the server.use-ipv6 snipplet on the fly instead of forcing it to true (Closes: 473053). -- Pierre Habouzit Sun, 13 Apr 2008 13:20:40 +0200 lighttpd (1.4.19-1~bpo40+1) etch-backports; urgency=low * Rebuild for etch-backports. -- Pierre Habouzit Thu, 20 Mar 2008 00:41:49 +0100 lighttpd (1.4.19-1) unstable; urgency=low * New upstream release. * debian/control: + add Build-Depends upon quilt, remove dpatch. + Bump Standards-Version to 3.7.3 (no changes required). + Move Homepage pseudo-headers as real headers. * debian/patches: + migrate to quilt. + remove 05_fdevent_fix.patch (merged upstream). + remove 06_mod_cgi_vuln_fix.patch (merged upstream). + refresh the rest of the series. * debian/lighty-enable-mod: + Reindent and remove trailing spaces. + don't fail to remove a module that is already removed. Patch from Michal Čihař (Closes: 448682). + Allow full stops in module names (Closes: 462199). * debian/lighttpd.conf: + enable ipv6 by default (Closes: 448054). + remove mod_status stanza, create conf-available/10-status.conf with it. * debian/lighttpd.cron.daily: new file, cleanup compressed cache. Thanks to Michal Čihař (Closes: 445224). * be sure mod_auth is loaded first (Closes: 419176): + add debian/lighttpd.preinst to rename 10-auth.conf into 05-auth.conf automagically (when it's a sane thing to do). + Document all that in NEWS.Debian. + debian/lighttpd.install: add 10-status.conf and 05-auth.conf. * debian/lighttpd.postinst: + chmod'ing /var/cache/lighttpd recursively is useless and too long. 
Just chmod the base directory, content is likely to be only created by lighty anyways. (Closes: 468297). * debian/init.d: + Add $remote_fs and $network (instead of networking) to Required-{Start,Stop}. + Add fam to Should-{Start,Stop} (Closes: 461180). * debian/lighttpd.links: add symlinks on lighty-* so that lighttpd-* commands exists as well (Closes: 435131). -- Pierre Habouzit Sun, 16 Mar 2008 12:01:41 +0100 lighttpd (1.4.19-0ubuntu3) hardy; urgency=low * SECURITY UPDATE: (LP: #209627) + debian/patches/92_CVE-2008-1531.dpatch - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost. * References + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531 + http://trac.lighttpd.net/trac/changeset/2136 + http://trac.lighttpd.net/trac/changeset/2139 -- Emanuele Gentili Sun, 06 Apr 2008 00:09:12 +0200 lighttpd (1.4.19-0ubuntu2) hardy; urgency=low * debian/rules: (LP: #174289) - set DEB_UPDATE_RCD_PARAMS to "defaults 91 09" to not start lighty before apache2 but in the same runlevel with the same priority -- Stephan Hermann Mon, 17 Mar 2008 16:50:10 +0100 lighttpd (1.4.19-0ubuntu1) hardy; urgency=low * New upstream release (LP: #201439) For Changes please read the NEWS file All security patches we have in 1.4.18 of hardy are included now upstream * debian/patches/*: All changes introduced by this patches are now applied upstream - Dropped 90_CVE-2008-1111.dpatch - Dropped 91_CVE-2008-1270.dpatch - Dropped 90_maxfds_crash_fix.dpatch - Dropped 03_ldap_leak_bugfix.dpatch - Dropped 04_ldap_build_filter_fix.dpatch - Dropped 90_accept_ranges_fix.dpatch * debian/lighttpd.conf: (From Debian) - Move the aliases on /doc/ and /images/ mandated by policy at the end to circumvent #445459. * debian/rules: (From Debian) - Remove spurious mkdir in debian/rules (Closes: dbts 448160). 
* debian/conf-available/10-rrdtool: (From Debian) - Add sample configuration for the mod_rrdtool (Closes: dbts 462907). * debian/lighttpd.install: - Install 10-rrdtool * debian/patches/ldap-deprecated.dpatch: - Force use of deprecated ldap interfaces (Closes: dbts 463368), thanks to Dann Frazier (patches/ldap-deprecated.dpatch). * Bumped Standards Version to 3.7.3, Bumbed Compat to 6, adjusted build-dep of debhelper accordingly -- Stephan Hermann Wed, 12 Mar 2008 15:52:09 +0100 lighttpd (1.4.18-4) unstable; urgency=high * The “I HATE DPATCH”-release. * Add patches for real as dpatch-edit-patch is stupid enough for not doing it by itself (Closes: 463368, 469307). -- Pierre Habouzit Tue, 11 Mar 2008 10:07:35 +0100 lighttpd (1.4.18-3) unstable; urgency=high * Force use of deprecated ldap interfaces (Closes: 463368), thanks to Dann Frazier (patches/ldap-deprecated.dpatch). * Add sample configuration for the mod_rrdtool (Closes: 462907). * add patches/06_mod_cgi_vuln_fix.dpatch to fix CVE-2008-1111 (Closes: 469307). * Remove spurious mkdir in debian/rules (Closes: 448160). * Bump urgency for RC bug fixes. -- Pierre Habouzit Sat, 08 Mar 2008 17:30:03 +0100 lighttpd (1.4.18-2) unstable; urgency=high * Move the aliases on /doc/ and /images/ mandated by policy at the end to circumvent #445459. * Add patches/05_fdevent_fix.dpatch to fix possible remote DoS (Closes: 466663). * bump urgency for security fix. -- Pierre Habouzit Wed, 27 Feb 2008 16:56:16 +0100 lighttpd (1.4.18-1ubuntu6) hardy; urgency=low * SECURITY UPDATE: (LP: #200987) + debian/patches/91_CVE-2008-1270.dpatch - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory. 
* References + CVE-2008-1270 + http://trac.lighttpd.net/trac/ticket/1587 + http://trac.lighttpd.net/trac/changeset/2120 -- Emanuele Gentili Tue, 11 Mar 2008 14:16:48 +0100 lighttpd (1.4.18-1ubuntu5) hardy; urgency=low * debian/patches/90-CVE-2008-1111.dpatch: - Fixes CVE-2008-1111 "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the source code of CGI scripts instead of a 500 error, which might allow remote attackers to obtain sensitive information." Upstream Patch: http://trac.lighttpd.net/trac/changeset/2107 -- Stephan Hermann Wed, 05 Mar 2008 14:04:43 +0100 lighttpd (1.4.18-1ubuntu4) hardy; urgency=low * debian/patches/90_accept_ranges_fix.dpatch: - Fixes a problem serving PDF files or other files which need no Accept-Ranges header (http://trac.lighttpd.net/trac/ticket/541) (Patch: http://trac.lighttpd.net/trac/changeset/2090) * debian/index.html: - replaced all occurrences of debian with ubuntu (LP: #115565) -- Stephan Hermann Mon, 03 Mar 2008 17:38:33 +0100 lighttpd (1.4.18-1ubuntu3) hardy; urgency=low * debian/patches/90_maxfds_crash_fix.dpatch: - added patch from upstream to fix the maxfds issue - See: http://trac.lighttpd.net/trac/ticket/1562 -- Stephan Hermann Mon, 25 Feb 2008 11:51:57 +0100 lighttpd (1.4.18-1ubuntu2) hardy; urgency=low * Rebuild against libldap2.4-2 -- Emmet Hikory Thu, 24 Jan 2008 22:02:20 +0900 lighttpd (1.4.18-1ubuntu1) gutsy; urgency=low * Merge from Debian unstable, remaining changes: - Update maintainer field in debian/control. - Build against libgamin-dev rather than libfam-dev (fixes a warning during startup) - Make sure that upgrades succeed, even if we can't restart lighttpd. - Clean environment in init.d script.
-- Soren Hansen Wed, 12 Sep 2007 14:02:31 +0200 lighttpd (1.4.18-1) unstable; urgency=low * New upstream release, fixes CVE-2007-4727 (closes: #441787) * lighttpd-angel is installed but not used yet -- Krzysztof Krzyzaniak (eloy) Tue, 11 Sep 2007 12:45:11 +0200 lighttpd (1.4.17-1ubuntu1) gutsy; urgency=low * Merge from Debian unstable, remaining changes: - Update maintainer field in debian/control. - Build against libgamin-dev rather than libfam-dev (fixes a warning during startup) - Make sure that upgrades succeed, even if we can't restart lighttpd. - Clean environment in init.d script. -- Soren Hansen Wed, 05 Sep 2007 09:30:15 +0200 lighttpd (1.4.17-1) unstable; urgency=low * New upstream release * patches/05_mysql_autoreconnect.dpatch - dropped, fixed in upstream -- Krzysztof Krzyzaniak (eloy) Tue, 04 Sep 2007 12:19:01 +0200 lighttpd (1.4.16-5~bpo40+2) etch-backports; urgency=low * Rebuild in an etch chroot *doh*. -- Pierre Habouzit Tue, 28 Aug 2007 11:37:38 +0200 lighttpd (1.4.16-5~bpo40+1) etch-backports; urgency=low * Rebuild for Etch backports. -- Pierre Habouzit Fri, 24 Aug 2007 10:12:10 +0200 lighttpd (1.4.16-5) unstable; urgency=low * debian/control: Drop conflict with gamin as it appears it was not the issue. (Closes: #438058). For real this time. -- Pierre Habouzit Sun, 19 Aug 2007 12:22:32 +0200 lighttpd (1.4.16-4) unstable; urgency=low * debian/control: Drop conflict with gamin as it appears it was not the issue. (Closes: #438058). * src/mod_mysql_vhost.c: Enable mysql auto-connect mode, as it's not default in mysql 5.x anymore. (Closes: #428677). -- Pierre Habouzit Sat, 18 Aug 2007 10:27:22 +0200 lighttpd (1.4.16-3) unstable; urgency=high * Urgency set to high due to RC bug fix. * debian/lighttpd.logrotate: fix stupid typo (closes: #437341). * debian/control: add Conflict against gamin, to avoid #437307. 
-- Pierre Habouzit Wed, 15 Aug 2007 09:46:48 +0200 lighttpd (1.4.16-2) unstable; urgency=low * patches/04_ldap_build_filter_fix.dpatch: add patch from Peter Colberg to fix first LDAP search that fails because of the filter being uninitialized. (closes: #419661) * Enable fam support (closes: #407820): + debian/rules: add --enable-fam configure flag. + debian/control: add libfam-dev to Build-Depends, and also wrap build-dependencies to make diff more understandable. * Enable support for kerberos (with openssl): + debian/rules; add --enable-kerberos5 configure flag. + debian/control: add libkrb5-dev to the Build-Depends. * lighttpd.logrotate: redirect stderr to /dev/null as well to prevent defunct processes (presumably due to full unread pipes/buffers) (closes: #419992). * debian/control: replace lighttpd dependency on perl with libterm-readline-perl-perl as Readline.pm is needed for lighty-enable-mod (closes: #435077). * debian/control: + Add myself to uploaders (closes: #401575). + Drop Recommands on php5-cgi, there is absolutely no reason to have it, or we would have to recommend ruby, python, lua, perl, .... and every $language on earth to be fair. (closes: #435587). * debian/conf-available/10-webdav.conf: add default configuration for webdav. (closes: #406641). * debian/conf-enabled: remove directory, it is already installed through lighttpd.dirs. * lighttpd.postinst, lighttpd.postrm, init.d: be sure there is a /var/run/lighttpd owned by www-data:www-data, helpful to store locks and things like that. -- Pierre Habouzit Fri, 03 Aug 2007 10:06:15 +0200 lighttpd (1.4.16-2ubuntu2) gutsy; urgency=low * Build against libgamin-dev rather than libfam-dev (fixes a warning during startup about mismatched sizes of a data type). -- Soren Hansen Thu, 23 Aug 2007 19:51:08 +0200 lighttpd (1.4.16-1ubuntu1) gutsy; urgency=low * Merge from Debian unstable, remaining changes: - Add fam/gamin stat cache engine support. 
- Replace Depends: on perl with Depends: on libterm-readline-perl-perl. - Make sure that upgrades succeed, even if we can't restart lighttpd. - Clean environment in init.d script. - Update maintainer field in debian/control. -- Michele Angrisano Sat, 28 Jul 2007 20:33:22 +0200 lighttpd (1.4.16-1) unstable; urgency=low * New upstream release (closes: #434546) * Acknowledge NMU by Pierre Habouzit for CVE-2007-2841 (closes: #428368) * Added static-file.exclude-extensions section to lighttpd.conf (closes: #408374) * Fixed description of conf-available/10-fastcgi.conf (closes: #430469) * Added mod_extforward to debian/lighttpd.install (closes: #434717) * config.guess taken from upstream (closes: #419664) * turn on compression (closes: #397514) * debian/control: XS-Vcs-Svn header added -- Krzysztof Krzyzaniak (eloy) Fri, 27 Jul 2007 10:32:51 +0200 lighttpd (1.4.15-1.1ubuntu1) gutsy; urgency=low * Merge from Debian unstable, remaining changes: - Add fam/gamin stat cache engine support. - Replace Depends: on perl with Depends: on libterm-readline-perl-perl. - Make sure that upgrades succeed, even if we can't restart lighttpd. - Clean environment in init.d script. - Update maintainer field in debian/control. -- Michele Angrisano Sat, 21 Jul 2007 01:40:36 +0200 lighttpd (1.4.15-1.1) unstable; urgency=low * Non-maintainer upload. * add patches/04_wrapping_headers_bugfix.dpatch to fix crash with wrapping headers (Closes: 428368). -- Pierre Habouzit Fri, 20 Jul 2007 11:04:07 +0200 lighttpd (1.4.15-1ubuntu1) gutsy; urgency=low * Merge from Debian unstable. 
Remaining Ubuntu changes: - Add fam/gamin stat cache engine support - Clean environment in init.d script - Replace Depends: on perl with Depends: on libterm-readline-perl-perl - Make sure that upgrades succeed, even if we can't restart lighttpd - DebianMaintainerField update -- Soren Hansen Tue, 1 May 2007 13:15:59 +0200 lighttpd (1.4.15-1) unstable; urgency=low * New upstream release (closes: #419131) * 01_mod_fastcgi_missing_cleanup.dpatch is now in upstream so it's removed from patches * 04_pidfile_bugfix.dpatch is now in upstream so it's removed from patches -- Krzysztof Krzyzaniak (eloy) Fri, 06 Apr 2007 11:24:54 +0200 lighttpd (1.4.13-10) unstable; urgency=medium * 03_ldap_leak_bugfix.dpatch added from yann@pleiades.fr.eu.org (Yann Rouillard) (closes: #413917) * Lowered priority of index.lighttpd.html (closes: #397492) * We don't need now check md5 sum of index.html since we provide our own index.lighttpd.html (closes: #407794) * 04_pidfile_bugfix.dpatch by Chris Webb added - some fixes with graceful restart -- Krzysztof Krzyzaniak (eloy) Thu, 8 Mar 2007 22:18:42 +0100 lighttpd (1.4.13-9ubuntu4) feisty; urgency=low * Added LDAP connection leak fix from Debian (Bug: #413917) - debian/patches/03_ldap_leak_bugfix.dpatch * Added security fixes from 1.4.14 (Closes LP: #106416) - Remote DOS in CRLF parsing (CVE-2007-1869) debian/patches/04_security_crlf_parsing_dos.dpatch - DOS with files with mtime 0 (CVE-2007-1870) debian/patches/05_security_zero_mtime_crash.dpatch -- Lukas Fittl Sat, 14 Apr 2007 05:26:10 +0200 lighttpd (1.4.13-9ubuntu3) feisty; urgency=low * Make sure that upgrades succeed, even if we can't restart lighttpd (LP: #86882) -- Soren Hansen Thu, 29 Mar 2007 01:10:06 +0200 lighttpd (1.4.13-9ubuntu2) feisty; urgency=low * Add fam/gamin stat cache engine support (Closes: LP#80818) -- Soren Hansen Mon, 19 Feb 2007 13:09:19 +0100 lighttpd (1.4.13-9ubuntu1) feisty; urgency=low * Merge from Debian unstable. 
Remaining Ubuntu changes: - Clean environment in init.d script - Replace Depends: on perl with Depends: on libterm-readline-perl-perl -- Adrien Cunin Sat, 13 Jan 2007 21:38:05 +0100 lighttpd (1.4.13-9) unstable; urgency=low * debian/lighttpd.default - removed, it is not ready yet. We'll back after etch release (closes: #406021) * debian/index.html.md5 - fixed path to file (full path to index.html) -- Krzysztof Krzyzaniak (eloy) Tue, 2 Jan 2007 14:24:42 +0100 lighttpd (1.4.13-8) unstable; urgency=medium * Typo fixed in debian/lighttpd.postinst (closes: #405123) -- Krzysztof Krzyzaniak (eloy) Tue, 2 Jan 2007 13:23:25 +0100 lighttpd (1.4.13-7ubuntu1) feisty; urgency=low * Merge from debian unstable, remaining changes: - Clean environment in init.d script - Replace Depends: on perl with Depends: on libterm-readline-perl-perl -- Soren Hansen Sat, 30 Dec 2006 16:22:11 +0100 lighttpd (1.4.13-7) unstable; urgency=low [ Franz Pletz ] * debian/conf-available/10-cgi.conf: + match /cgi-bin/ only at the beginning of a path + convert match for host == localhost to remoteip == 127.0.0.1 like in lighttpd.conf; due to bugs in mod_alias, the cgi-bin, doc and images aliases didn't work anymore * debian/lighttpd.logrotate + use reload instead of force-reload for graceful restart (closes: #398169, #380080) * added debian/patches/01_mod_fastcgi_missing_cleanup.dpatch + source: http://trac.lighttpd.net/trac/ticket/910 + fixes memleak in mod_fastcgi (closes: #400167) * added debian/patches/02_fastcgi_detach.dpatch + disconnect stderr/stdout from the terminal (closes: #368670) + point them either to errorlog or /dev/null * debian/control: added myself to Uploaders * Don't touch /var/www/index.html, create /var/www/index.lighttpd.html instead (closes: #397492) + debian/lighttpd.postinst: copy to /var/www/index.lighttpd.html + debian/lighttpd.conf: add index.lighttpd.html as first index-filename [ Krzysztof Krzyzaniak (eloy) ] * Typo fixed in index.html (closes: #403620) -- Franz Pletz Fri, 
8 Dec 2006 16:15:27 +0100 lighttpd (1.4.13-6ubuntu3) feisty; urgency=low * Fix typo in init-script -- Soren Hansen Wed, 13 Dec 2006 11:52:54 +0100 lighttpd (1.4.13-6ubuntu2) feisty; urgency=low * Clean the environment before starting. Fixes: LP#53840 -- Soren Hansen Sun, 10 Dec 2006 16:18:55 +0100 lighttpd (1.4.13-6ubuntu1) feisty; urgency=low * Merge from debian unstable, remaining changes: - Replace Depends: on perl with Depends: on libterm-readline-perl-perl -- Soren Hansen Fri, 8 Dec 2006 14:40:42 +0100 lighttpd (1.4.13-6) unstable; urgency=low * debian/lighttpd.postinst: change only permission for /var/log/lighttpd/ -- Krzysztof Krzyzaniak (eloy) Mon, 4 Dec 2006 16:34:11 +0100 lighttpd (1.4.13-5) unstable; urgency=low * debian/control: + perl added to dependencies (closes: #396629) * debian/conf-available/10-fastcgi.conf: + /usr/bin/php4-cgi changed to /usr/bin/php-cgi (closes: #397142) * debian/lighttpd.postinst: fix permission of /var/log/lighttpd (closes: #398834) * debian/lighty-enable-mod - fixed bug with undefined values (closes: #397493) -- Krzysztof Krzyzaniak (eloy) Thu, 9 Nov 2006 12:18:25 +0100 lighttpd (1.4.13-4) unstable; urgency=low * fixed config file for logrotate (reload action changed to force-reload) -- Krzysztof Krzyzaniak (eloy) Thu, 26 Oct 2006 11:36:13 +0200 lighttpd (1.4.13-3) unstable; urgency=low * debian/control: libxml2-dev added to Build-Depends (closes: #394882) -- Krzysztof Krzyzaniak (eloy) Tue, 24 Oct 2006 13:31:27 +0200 lighttpd (1.4.13-2) unstable; urgency=medium * Patch from Pierre Habouzit to init.d applied (closes: #380080) * Patch from Adrian Friendli to lighttpd.conf applied (closes: #392890) -- Krzysztof Krzyzaniak (eloy) Mon, 16 Oct 2006 11:14:28 +0200 lighttpd (1.4.13-1) unstable; urgency=low * New upstream release * mod_webdav as separate lighttpd-mod-webdav package * Compiled with --with-webdav-locks, added uuid-dev to Build-Depends -- Krzysztof Krzyzaniak (eloy) Tue, 10 Oct 2006 10:26:54 +0200 lighttpd
(1.4.13~r1385-1) unstable; urgency=low * New upstream release -- Krzysztof Krzyzaniak (eloy) Mon, 9 Oct 2006 10:28:32 +0200 lighttpd (1.4.13~r1370-1ubuntu1) edgy; urgency=low * Merge from Debian unstable (Closes: Malone #64900). Remaining changes: - Add an additional dependency on libterm-readline-perl-perl (Malone #43895) -- Lukas Fittl Tue, 10 Oct 2006 13:57:38 +0200 lighttpd (1.4.13~r1370-1) unstable; urgency=low * New upstream release (closes: #390877) (closes: #389911) * Compiled with --with-attr param (closes: #389712) * dropped 01-lua5.1.dpatch, issue fixed by upstream -- Krzysztof Krzyzaniak (eloy) Thu, 5 Oct 2006 10:08:19 +0200 lighttpd (1.4.12-1) unstable; urgency=low * New upstream release * fixes in debian/lighttpd.install (closes: #377802) * mod_cml is deprecated from now on and it will be removed in 1.5.0 mod_magnet provides the same functionality and more with a cleaner syntax and in a more generic form * added separate module for mod_magnet (closes: #389578) * changed dependency from lua-5.0 to lua-5.1 * added patch patches/01-lua5.1.dpatch * added pkg-config to Build-Depends -- Krzysztof Krzyzaniak (eloy) Tue, 12 Sep 2006 19:17:41 +0200 lighttpd (1.4.12~20060907-1ubuntu1) edgy; urgency=low * Merge from debian unstable: -> Keep the additional dependency on libterm-readline-perl-perl. 
-- Jeremie Corbier Fri, 22 Sep 2006 19:16:08 -0700 lighttpd (1.4.12~20060907-1) unstable; urgency=low * New upstream release * Removed debian/patches/01_use_bin_sh.dpatch - fixed in upstream -- Krzysztof Krzyzaniak (eloy) Thu, 7 Sep 2006 14:50:47 +0200 lighttpd (1.4.12~20060901-1) unstable; urgency=low * New upstream release * Removed debian/patches/02_ssl_fix.dpatch - it's now fixed in upstream -- Krzysztof Krzyzaniak (eloy) Mon, 4 Sep 2006 11:07:42 +0200 lighttpd (1.4.11-8) UNRELEASED; urgency=low * debian/lighttpd.dirs: + usr/lib/cgi-bin added * debian/conf-available/10-cgi.conf + proper configuration for localhost as well (again Bug#345554) * debian/lighttpd.conf: + server.bind commented out as in default configuration (closes: #380267) * debian/patches/02_ssl_fix.dpatch - added fix for ssl connection with POST request (http://trac.lighttpd.net/trac/ticket/607), thanks to RISKO Gergely (closes: #381455) * debian/lighttpd.logrotate - some values changes (now rotate weekly and keep 12 logfiles) -- Krzysztof Krzyzaniak (eloy) Mon, 28 Aug 2006 13:06:25 +0200 lighttpd (1.4.11-7ubuntu1) edgy; urgency=low * Merge from debian unstable: -> Restore B-D on libmemcache-dev. -> Keep the additional dependency on libterm-readline-perl-perl. * debian/patches: -> Add 02_mod_ssl_post_fix.dpatch: fix a stall with POST requests between 8317 and 16381 bytes long when mod_ssl is enabled. 
-- Jeremie Corbier Thu, 17 Aug 2006 13:07:50 +0200 lighttpd (1.4.11-7) unstable; urgency=low * debian/create-mime.assign.pl - catch error when /etc/mime.types is not readable (closes: #375347) -- Krzysztof Krzyzaniak (eloy) Tue, 27 Jun 2006 20:19:57 +0200 lighttpd (1.4.11-6) unstable; urgency=low * debian/control: - Recommends: Changed to alternative: php4-cgi | php5-cgi (closes: #368215) * include-conf-enabled.pl script changed according to patch from Tobias Gruetzmacher (closes: #368352) * debian/lighttpd.conf: removed global for local aliases (/images/, /doc/) (closes: #366801) -- Krzysztof Krzyzaniak (eloy) Tue, 23 May 2006 16:48:36 +0200 lighttpd (1.4.11-5) unstable; urgency=low * debian/init.d: - --oknodo added to section "stop" to finally close #35979 - --retry 30 added to section "reload", to prevent problems with logrotating (closes: #366366) * debian/control: Standards-Version: increased to 3.7.2 without additional changes -- Krzysztof Krzyzaniak (eloy) Wed, 10 May 2006 14:26:04 +0200 lighttpd (1.4.11-4) unstable; urgency=low [ Krzysztof Krzyzaniak (eloy) ] * debian/init.d: - "exit 1" after failed actions removed (closes: #359792) * debian/conf-available/10-fastcgi.conf updated (closes: #362827) thanks to Joerg Rieger [ Torsten Marek ] * Change my email address to shlomme@debian.org * Remove --background from the start action, since it breaks the error checking of start-stop-daemon. The behaviour described in #355865 is not reproducible any more. * make reload action in initscript more well-behaved -- Torsten Marek Sun, 9 Apr 2006 15:51:51 +0200 lighttpd (1.4.11-3ubuntu3) dapper; urgency=low * debian/control + Added depends on libterm-readline-perl-perl. (Closes: Malone #43895) -- Chuck Short Wed, 10 May 2006 18:11:24 -0400 lighttpd (1.4.11-3ubuntu2) dapper; urgency=low * Rebuild against the new libmysqlclient15off with correct symbols.
-- Adam Conrad Thu, 6 Apr 2006 15:10:02 +1000 lighttpd (1.4.11-3ubuntu1) dapper; urgency=low * Sync with Debian: + Removed B-D on libmemcache-dev as we don't have it in dapper, needs to be re-enabled for dapper+1 -- Sebastian Dröge Mon, 27 Mar 2006 13:52:44 +0200 lighttpd (1.4.11-3) unstable; urgency=low * debian/lighttpd.conf - added dir-listing.encoding = "utf-8", suggested by Silvestre Zabala (closes: #359100) * debian/lighttpd.install - fix bug with installing *.conf files -- Krzysztof Krzyzaniak (eloy) Mon, 27 Mar 2006 09:50:55 +0200 lighttpd (1.4.11-2) unstable; urgency=low * Provide debian/conf-available/10-ssl.conf, (closes: #355868) -- Krzysztof Krzyzaniak (eloy) Fri, 24 Mar 2006 13:53:54 +0100 lighttpd (1.4.11-1) unstable; urgency=low * New upstream release (closes: #356496) * init.d script - added --background to "start" (thanks go to Marcello Nuccio ) (closes: #355865) -- Krzysztof Krzyzaniak (eloy) Fri, 10 Mar 2006 09:51:10 +0100 lighttpd (1.4.10-6) unstable; urgency=low * Patch from on lighty-enable-mod (closes: #355773) -- Krzysztof Krzyzaniak (eloy) Wed, 8 Mar 2006 11:17:07 +0100 lighttpd (1.4.10-5) unstable; urgency=low [ Krzysztof Krzyzaniak (eloy) ] * debian/control - libmysqlclient14-dev has to be removed because it is not available in debian/sid [ Torsten Marek ] * debian/rules - build with support for LUA, libmemcache and GDBM * debian/lighttpd.install - install mod_evasive into lighttpd package * debian/control - own packages for mod_trigger_b4_dl and mod_cml * debian/control - small fixes * debian/conf-available/10-ssi.conf - comment out link to web documentation -- Torsten Marek Mon, 6 Mar 2006 12:07:29 +0100 lighttpd (1.4.10-4) unstable; urgency=low * bugfix release * Fixed bug with 10-fastcgi.conf, (closes: #353964) -- Krzysztof Krzyzaniak (eloy) Thu, 23 Feb 2006 16:14:42 +0100 lighttpd (1.4.10-3) unstable; urgency=low * lighttpd.conf - changed configuration for /images/ & /doc/ handling -- Krzysztof Krzyzaniak (eloy) Tue, 14 Feb 2006
09:57:15 +0100 lighttpd (1.4.10-2) unstable; urgency=low * debian/control - libmysqlclient14-dev added as alternative (will be easier for backports.org) * lighty-enable-mod script fixed - files with dash were skipped, thanks to Silvester Zabala for patch (closes: #352577) * install doc/lighttpd.conf as example (closes: #344961) -- Krzysztof Krzyzaniak (eloy) Mon, 13 Feb 2006 12:58:54 +0100 lighttpd (1.4.10-1) unstable; urgency=low * New upstream release -- Krzysztof Krzyzaniak (eloy) Wed, 8 Feb 2006 16:02:16 +0100 lighttpd (1.4.9-5) unstable; urgency=low * Properly fixed bug with overwriting index.html (closes: #349676) -- Krzysztof Krzyzaniak (eloy) Mon, 30 Jan 2006 10:17:57 +0100 lighttpd (1.4.9-4) unstable; urgency=low [ Krzysztof Krzyzaniak (eloy) ] * Fixed bug with 10-userdir.conf, (closes: #349821) * index.html is not replaced when md5 string doesn't match (closes: #349676) -- Krzysztof Krzyzaniak (eloy) Wed, 25 Jan 2006 16:33:34 +0100 lighttpd (1.4.9-3) unstable; urgency=low [ Torsten Marek ] * Added some configuration examples from upstream sample configuration * Implement "reload" init.d action with graceful restart, taken from http://trac.lighttpd.net/trac/ticket/267 (Closes: #346038) * ssi, auth, fastcgi, proxy and simple-vhost are now in separate config files * Put path to plugin documentation into every config snippet * Build against libmysqlclient15 -- Torsten Marek Sat, 21 Jan 2006 15:16:01 +0100 lighttpd (1.4.9-2) unstable; urgency=low [ Krzysztof Krzyzaniak (eloy) ] * mod_alias enabled by default - removed conf-available/00-alias.conf * Added handling of http://localhost/doc/ & http://localhost/images/ (closes: #348823) -- Krzysztof Krzyzaniak (eloy) Thu, 19 Jan 2006 12:39:04 +0100 lighttpd (1.4.9-1) unstable; urgency=low * New upstream release * Closing bug from not uploaded release 1.4.8-5, (closes: #347737) -- Krzysztof Krzyzaniak (eloy) Mon, 16 Jan 2006 20:06:39 +0100 lighttpd (1.4.8-5) unstable; urgency=low * create /var/www directory (closes:
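#347737), default /var/www/index.html added (based on apache2 index.html file). -- Krzysztof Krzyzaniak (eloy) Thu, 12 Jan 2006 16:54:32 +0100 lighttpd (1.4.8-4) unstable; urgency=low * fixed permissions and directories (closes: #347565) -- Krzysztof Krzyzaniak (eloy) Wed, 11 Jan 2006 17:15:12 +0100 lighttpd (1.4.8-3) unstable; urgency=low * New configuration layout (closes: #345554) (closes: #344959), read /etc/lighttpd/conf-available/README - conf-available directory for all templates - conf-enabled directory for enabled modules -- Krzysztof Krzyzaniak (eloy) Mon, 9 Jan 2006 13:49:34 +0100 lighttpd (1.4.8-2) unstable; urgency=low [ Krzysztof Krzyzaniak (eloy) ] * debian/control: lsb-base dependency narrowed to (>= 3.0-3) * create-mime.assign.pl set as executable (closes: #344938) -- Krzysztof Krzyzaniak (eloy) Wed, 28 Dec 2005 12:40:55 +0100 lighttpd (1.4.8-1) unstable; urgency=low * New upstream version (closes: #304271) * Does not rely on $SHELL to execute external commands -- Torsten Marek Sat, 26 Nov 2005 11:48:51 +0100 lighttpd (1.4.7-1) unstable; urgency=low * New upstream version, Initial debian version * Better debian/rules file * Split mysql vhost module into separate package * Create separate package for documentation * Create a better init script -- Torsten Marek Sat, 5 Nov 2005 18:56:53 +0100 debian/watch0000664000000000000000000000013012271762011010212 0ustar version=3 http://download.lighttpd.net/lighttpd/releases-1.4.x/ lighttpd-(.*)\.tar\.gz debian/lighttpd-dev.install0000664000000000000000000000013412271762011013150 0ustar config.h /usr/include/lighttpd src/*.h /usr/include/lighttpd lighttpd.pc /usr/lib/pkgconfig debian/include-conf-enabled.pl0000775000000000000000000000036112271762011013465 0ustar
#!/usr/bin/perl -wl
#
# Print one lighttpd `include "<file>"` directive for every *.conf file found
# in the conf-enabled/ directory below the configuration root.
#
# Usage: include-conf-enabled.pl [CONFDIR]
#   CONFDIR  configuration root; defaults to /etc/lighttpd/
#
# The -l switch on the interpreter line appends the newline to each print.
use strict;
use File::Glob ':glob';

# Configuration root: first command-line argument, else the packaged default.
my $confdir = shift || "/etc/lighttpd/";

# Glob pattern, relative to $confdir, selecting the enabled snippets.
my $enabled = "conf-enabled/*.conf";

# Stop when the directory cannot be entered. The pattern above is relative,
# so carrying on would emit include lines for whatever conf-enabled/*.conf
# happens to exist under the caller's current working directory.
chdir($confdir)
    or die "include-conf-enabled.pl: cannot chdir to $confdir: $!\n";

# File names are interpolated into the directive without escaping, so a name
# containing a double quote would yield a malformed include line; keep
# conf-enabled/ writable by trusted administrators only.
for my $file (bsd_glob($enabled)) {
    print "include \"$file\"";
}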
debian/copyright0000664000000000000000000001044212271762011011123 0ustar This package was debianized by Vincent Wagelaar on Wed, 24 Mar 2004 08:20:58 +0100. It was downloaded from http://www.incremental.de/products/lighttpd/download/ Upstream Author: Jan Kneschke Copyright: Copyright (c) 2004, Jan Kneschke, incremental All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - Neither the name of the 'incremental' nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. src/fastcgi.h Copyright (c) 1995-1996 Open Market, Inc This FastCGI application library source and object code (the "Software") and its documentation (the "Documentation") are copyrighted by Open Market, Inc ("Open Market"). 
The following terms apply to all files associated with the Software and Documentation unless explicitly disclaimed in individual files. Open Market permits you to use, copy, modify, distribute, and license this Software and the Documentation for any purpose, provided that existing copyright notices are retained in all copies and that this notice is included verbatim in any distributions. No written agreement, license, or royalty fee is required for any of the authorized uses. Modifications to this Software and Documentation may be copyrighted by their authors and need not follow the licensing terms described here. If modifications to this Software and Documentation have new licensing terms, the new terms must be clearly indicated on the first page of each file where they apply. OPEN MARKET MAKES NO EXPRESS OR IMPLIED WARRANTY WITH RESPECT TO THE SOFTWARE OR THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL OPEN MARKET BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DAMAGES ARISING FROM OR RELATING TO THIS SOFTWARE OR THE DOCUMENTATION, INCLUDING, WITHOUT LIMITATION, ANY INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES OR SIMILAR DAMAGES, INCLUDING LOST PROFITS OR LOST DATA, EVEN IF OPEN MARKET HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE SOFTWARE AND DOCUMENTATION ARE PROVIDED "AS IS". OPEN MARKET HAS NO LIABILITY IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE ARISING OUT OF THIS SOFTWARE OR THE DOCUMENTATION. src/md5.h, src/md5.c Copyright (c) 1991-2, RSA Data Security , Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. 
MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. debian/lighttpd.docs0000664000000000000000000000001412271762011011653 0ustar NEWS README debian/lighttpd.ufw.profile0000664000000000000000000000057712271762011013201 0ustar [Lighttpd HTTP] title=Web Server (lighttpd, HTTP) description=A fast webserver with minimal memory footprint ports=80/tcp [Lighttpd HTTPS] title=Web Server (lighttpd, HTTPS) description=A fast webserver with minimal memory footprint ports=443/tcp [Lighttpd Full] title=Web Server (lighttpd, HTTP + HTTPS) description=A fast webserver with minimal memory footprint ports=80,443/tcp