lighttpd (1.4.13-4etch10) stable-security; urgency=low

  [ Pierre Habouzit ]
  * Non-maintainer upload.
  * Fix [CVE-2008-1531] patches mess, and add a missing hunk of the patch.

 -- Thijs Kinkhorst  Tue, 22 Jul 2008 12:19:10 +0200

lighttpd (1.4.13-4etch9) stable-security; urgency=high

  * Non-maintainer upload by the security team
  * Fix DoS caused by a large number of connections, because the
    calculation of the size of a file descriptor array was not done
    properly
    Fixes: CVE-2008-0983
  * Fix DoS caused by a large number of connections via exceeding the
    configured maximum
    Fixes: CVE-2007-3948

 -- Steffen Joeris  Fri, 11 Jul 2008 17:01:43 +0000

lighttpd (1.4.13-4etch8) stable-security; urgency=high

  * Non-maintainer upload by The Security Team.
  * Updated the patch for the previous "Avoid closing foreign SSL
    connections" issue. [CVE-2008-1531]

 -- Steve Kemp  Thu, 15 Apr 2008 09:22:09 +0000

lighttpd (1.4.13-4etch7) stable-security; urgency=high

  * Non-maintainer upload by The Security Team.
  * Avoid closing foreign SSL connections. [CVE-2008-1531]

 -- Steve Kemp  Tue, 2 Apr 2008 19:00:00 +0000

lighttpd (1.4.13-4etch6) stable-security; urgency=high

  * Non-maintainer upload by The Security Team.
  * Warn about insecure (non-standard) configurations which could
    result in arbitrary file reading, via mod_userdir. [CVE-2008-1270]

 -- Steve Kemp  Tue, 11 Mar 2008 20:22:24 +0000

lighttpd (1.4.13-4etch5) stable-security; urgency=high

  * Non-maintainer upload by The Security Team.
  * Avoid leaking the source code of CGI scripts if they fail
    to be executed via a fork() call which fails. [CVE-2008-1111]

 -- Steve Kemp  Mon, 3 Mar 2008 21:22:12 +0000

lighttpd (1.4.13-4etch4) stable-security; urgency=high

  * Non-maintainer upload by The Security Team.
  * This update correctly patches a potential header overflow which
    was claimed to have been fixed in 1.4.13-4etch3/DSA-1362-1.
    [CVE-2007-4727].

 -- Steve Kemp  Fri, 21 Aug 2007 16:02:12 +0000

lighttpd (1.4.13-4etch3) stable-security; urgency=high

  * Non-maintainer upload by The Security Team.
  * Fixed denial of service and possible authentication bypass in
    mod_auth. [CVE-2007-3946]
  * Fix a denial of service against mod_fastcgi applications.

 -- Steve Kemp  Wed, 8 Aug 2007 17:45:19 +0000

lighttpd (1.4.13-4etch2) stable-security; urgency=high

  * Non-maintainer upload by The Security Team.
  * Fix a remote denial of service when parsing malformed HTTP headers.
    [CVE-2007-2847]

 -- Steve Kemp  Fri, 20 Jul 2007 21:32:01 +0000

lighttpd (1.4.13-4etch1) stable-security; urgency=low

  * Non-maintainer upload by The Security Team.
  * Avoid local users from creating a DOS by creating files with
    a bogus mtime. [CVE-2007-1870]
  * Avoid a potential DOS when parsing malformed CRLF sequences
    [CVE-2007-1869]

 -- Steve Kemp  Fri, 1 Jun 2007 19:05:27 +0000

lighttpd (1.4.13-4) unstable; urgency=low

  * fixed config file for logrotate (reload action changed to force-reload)

 -- Krzysztof Krzyzaniak (eloy)  Thu, 26 Oct 2006 11:36:13 +0200

lighttpd (1.4.13-3) unstable; urgency=low

  * debian/control: libxml2-dev added to Build-Depends (closes: #394882)

 -- Krzysztof Krzyzaniak (eloy)  Tue, 24 Oct 2006 13:31:27 +0200

lighttpd (1.4.13-2) unstable; urgency=medium

  * Patch from Pierre Habouzit to init.d applied (closes: #380080)
  * Patch from Adrian Friendli to lighttpd.conf applied (closes: #392890)

 -- Krzysztof Krzyzaniak (eloy)  Mon, 16 Oct 2006 11:14:28 +0200

lighttpd (1.4.13-1) unstable; urgency=low

  * New upstream release
  * mod_webdav as separate lighttpd-mod-webdav package
  * Compiled with --with-webdav-locks, added uuid-dev to Build-Depends

 -- Krzysztof Krzyzaniak (eloy)  Tue, 10 Oct 2006 10:26:54 +0200

lighttpd (1.4.13~r1385-1) unstable; urgency=low

  * New upstream release

 -- Krzysztof Krzyzaniak (eloy)  Mon, 9 Oct 2006 10:28:32 +0200

lighttpd (1.4.13~r1370-1) unstable; urgency=low

  * New upstream release (closes: #390877) (closes: #389911)
  * Compiled with --with-attr param (closes: #389712)
  * dropped 01-lua5.1.dpatch, issue fixed by upstream

 -- Krzysztof Krzyzaniak (eloy)  Thu, 5 Oct 2006 10:08:19 +0200

lighttpd (1.4.12-1) unstable; urgency=low

  * New upstream release
  * fixes in debian/lighttpd.install (closes: #377802)
  * mod_cml is deprecated from now on and it will be removed in 1.5.0
    mod_magnet provides the same functionality and more with a cleaner
    syntax and in a more generic form
  * added separate module for mod_magnet (closes: #389578)
  * changed dependency from lua-5.0 to lua-5.1
  * added patch patches/01-lua5.1.dpatch
  * added pkg-config to Build-Depends

 -- Krzysztof Krzyzaniak (eloy)  Tue, 12 Sep 2006 19:17:41 +0200

lighttpd (1.4.12~20060907-1) unstable; urgency=low

  * New upstream release
  * Removed debian/patches/01_use_bin_sh.dpatch - fixed in upstream

 -- Krzysztof Krzyzaniak (eloy)  Thu, 7 Sep 2006 14:50:47 +0200

lighttpd (1.4.12~20060901-1) unstable; urgency=low

  * New upstream release
  * Removed debian/patches/02_ssl_fix.dpatch - it's now fixed in upstream

 -- Krzysztof Krzyzaniak (eloy)  Mon, 4 Sep 2006 11:07:42 +0200

lighttpd (1.4.11-8) UNRELEASED; urgency=low

  * debian/lighttpd.dirs:
    + usr/lib/cgi-bin added
  * debian/conf-available/10-cgi.conf
    + proper configuration for localhost as well (again Bug#345554)
  * debian/lighttpd.conf:
    + server.bind commented out as in default configuration
      (closes: #380267)
  * debian/patches/02_ssl_fix.dpatch
    - added fix for ssl connection with POST request
      (http://trac.lighttpd.net/trac/ticket/607), thanks to
      RISKO Gergely (closes: #381455)
  * debian/lighttpd.logrotate
    - some values changes (now rotate weekly and keep 12 logfiles)

 -- Krzysztof Krzyzaniak (eloy)  Mon, 28 Aug 2006 13:06:25 +0200

lighttpd (1.4.11-7) unstable; urgency=low

  * debian/create-mime.assign.pl - catchup error when /etc/mime.types
    is not readable (closes: #375347)

 -- Krzysztof Krzyzaniak (eloy)  Tue, 27 Jun 2006 20:19:57 +0200

lighttpd (1.4.11-6) unstable; urgency=low

  * debian/control:
    - Recommends: Changed to alternative: php4-cgi | php5-cgi
      (closes: #368215)
  * include-conf-enabled.pl script changed according to patch from
    Tobias Gruetzmacher (closes: #368352)
  * debian/lighttpd.conf: removed global for local aliases
    (/images/, /doc/) (closes: #366801)

 -- Krzysztof Krzyzaniak (eloy)  Tue, 23 May 2006 16:48:36 +0200

lighttpd (1.4.11-5) unstable; urgency=low

  * debian/init.d:
    - --oknodo added to section "stop" to close finally #35979
    - --retry 30 added to section "reload", to prevents problems
      with logrotating (closes: #366366)
  * debian/control: Standards-Version: increased to 3.7.2 without
    additional changes

 -- Krzysztof Krzyzaniak (eloy)  Wed, 10 May 2006 14:26:04 +0200

lighttpd (1.4.11-4) unstable; urgency=low

  [ Krzysztof Krzyzaniak (eloy) ]
  * debian/init.d:
    - "exit 1" after failed actions removed (closes: #359792)
  * debian/conf-available/10-fastcgi.conf updated (closes: #362827)
    thanks to Joerg Rieger

  [ Torsten Marek ]
  * Change my email address to shlomme@debian.org
  * Remove --background from the start action, since it breaks
    the error checking of start-stop-daemon. The behaviour described in
    #355865 is not reproducible any more.
  * make reload action in initscript more well-behaved

 -- Torsten Marek  Sun, 9 Apr 2006 15:51:51 +0200

lighttpd (1.4.11-3) unstable; urgency=low

  * debian/lighttpd.conf - added dir-listing.encoding = "utf-8",
    suggested by Silvestre Zabala (closes: #359100)
  * debian/lighttpd.install - fix bug with installing *.conf files

 -- Krzysztof Krzyzaniak (eloy)  Mon, 27 Mar 2006 09:50:55 +0200

lighttpd (1.4.11-2) unstable; urgency=low

  * Provide debian/conf-available/10-ssl.conf, (closes: #355868)

 -- Krzysztof Krzyzaniak (eloy)  Fri, 24 Mar 2006 13:53:54 +0100

lighttpd (1.4.11-1) unstable; urgency=low

  * New upstream release (closes: #356496)
  * init.d script - added --background to "start" (thanks goes to
    Marcello Nuccio) (closes: #355865)

 -- Krzysztof Krzyzaniak (eloy)  Fri, 10 Mar 2006 09:51:10 +0100

lighttpd (1.4.10-6) unstable; urgency=low

  * Patch from on lighty-enable-mod (closes: #355773)

 -- Krzysztof Krzyzaniak (eloy)  Wed, 8 Mar 2006 11:17:07 +0100

lighttpd (1.4.10-5) unstable; urgency=low

  [ Krzysztof Krzyzaniak (eloy) ]
  * debian/control - libmysqlclient14-dev have to be removed because
    is not available in debian/sid

  [ Torsten Marek ]
  * debian/rules - build with support for LUA, libmemcache and GDBM
  * debian/lighttpd.install - install mod_evasive into lighttpd package
  * debian/control - own packages for mod_trigger_b4_dl and mod_cml
  * debian/control - small fixes
  * debian/conf-available/10-ssi.conf - comment out link to web
    documentation

 -- Torsten Marek  Mon, 6 Mar 2006 12:07:29 +0100

lighttpd (1.4.10-4) unstable; urgency=low

  * bugfix release
  * Fixed bug with 10-fastcgi.conf, (closes: #353964)

 -- Krzysztof Krzyzaniak (eloy)  Thu, 23 Feb 2006 16:14:42 +0100

lighttpd (1.4.10-3) unstable; urgency=low

  * lighttpd.conf - changed configuration for /images/ & /doc/ handling

 -- Krzysztof Krzyzaniak (eloy)  Tue, 14 Feb 2006 09:57:15 +0100

lighttpd (1.4.10-2) unstable; urgency=low

  * debian/control - libmysqlclient14-dev added as alternative (will be
    easier for backports.org)
  * lighty-enable-mod script fixed - files with dash were skipped,
    thanks to Silvester Zabala for patch (closes: #352577)
  * install doc/lighttpd.conf as example (closes: #344961)

 -- Krzysztof Krzyzaniak (eloy)  Mon, 13 Feb 2006 12:58:54 +0100

lighttpd (1.4.10-1) unstable; urgency=low

  * New upstream release

 -- Krzysztof Krzyzaniak (eloy)  Wed, 8 Feb 2006 16:02:16 +0100

lighttpd (1.4.9-5) unstable; urgency=low

  * Properly fixed bug with overwriting index.html (closes: #349676)

 -- Krzysztof Krzyzaniak (eloy)  Mon, 30 Jan 2006 10:17:57 +0100

lighttpd (1.4.9-4) unstable; urgency=low

  [ Krzysztof Krzyzaniak (eloy) ]
  * Fixed bug with 10-userdir.conf, (closes: #349821)
  * index.html is not replaced when md5 string doesn't match
    (closes: #349676)

 -- Krzysztof Krzyzaniak (eloy)  Wed, 25 Jan 2006 16:33:34 +0100

lighttpd (1.4.9-3) unstable; urgency=low

  [ Torsten Marek ]
  * Added some configuration examples from upstream sample configuration
  * Implement "reload" init.d action with graceful restart, taken from
    http://trac.lighttpd.net/trac/ticket/267 (Closes: #346038)
  * ssi, auth, fastcgi, proxy and simple-vhost are now in separate
    config files
  * Put path to plugin documentation into every config snippet
  * Build against libmysqlclient15

 -- Torsten Marek  Sat, 21 Jan 2006 15:16:01 +0100

lighttpd (1.4.9-2) unstable; urgency=low

  [ Krzysztof Krzyzaniak (eloy) ]
  * mod_alias enabled by default - removed conf-avaiable/00-alias.conf
  * Added handling of http://localhost/doc/ & http://localhost/images/
    (closes: #348823)

 -- Krzysztof Krzyzaniak (eloy)  Thu, 19 Jan 2006 12:39:04 +0100

lighttpd (1.4.9-1) unstable; urgency=low

  * New upstream release
  * Closing bug from not uploaded release 1.4.8-5, (closes: #347737)

 -- Krzysztof Krzyzaniak (eloy)  Mon, 16 Jan 2006 20:06:39 +0100

lighttpd (1.4.8-5) unstable; urgency=low

  * create /var/www directory (closes: #347737), default
    /var/www/index.html added (based on apache2 index.html file).

 -- Krzysztof Krzyzaniak (eloy)  Thu, 12 Jan 2006 16:54:32 +0100

lighttpd (1.4.8-4) unstable; urgency=low

  * fixed permissions and directories (closes: #347565)

 -- Krzysztof Krzyzaniak (eloy)  Wed, 11 Jan 2006 17:15:12 +0100

lighttpd (1.4.8-3) unstable; urgency=low

  * New configuration layout (closes: #345554) (closes: #344959),
    read /etc/lighttpd/conf-available/README
    - conf-available directory for all templates
    - conf-enabled directory for enabled modules

 -- Krzysztof Krzyzaniak (eloy)  Mon, 9 Jan 2006 13:49:34 +0100

lighttpd (1.4.8-2) unstable; urgency=low

  [ Krzysztof Krzyzaniak (eloy) ]
  * debian/control: lsb-base dependency narrowed to (>= 3.0-3)
  * create-mime.assign.pl set as executable (closes: #344938)

 -- Krzysztof Krzyzaniak (eloy)  Wed, 28 Dec 2005 12:40:55 +0100

lighttpd (1.4.8-1) unstable; urgency=low

  * New upstream version (closes: #304271)
  * Does not rely on $SHELL to execute external commands

 -- Torsten Marek  Sat, 26 Nov 2005 11:48:51 +0100

lighttpd (1.4.7-1) unstable; urgency=low

  * New upstream version, Initial debian version
  * Better debian/rules file
  * Split mysql vhost module into separate package
  * Create separate package for documentation
  * Create a better init script

 -- Torsten Marek  Sat, 5 Nov 2005 18:56:53 +0100