[pkg-lighttpd] r317 - in lighttpd/trunk/debian: . patches
madcoder at alioth.debian.org
madcoder at alioth.debian.org
Sun Apr 13 10:19:15 UTC 2008
Author: madcoder
Date: 2008-04-13 10:19:15 +0000 (Sun, 13 Apr 2008)
New Revision: 317
Added:
lighttpd/trunk/debian/patches/ssl-connection-errors.patch
Modified:
lighttpd/trunk/debian/changelog
lighttpd/trunk/debian/patches/series
Log:
Add patches/ssl-connection-errors.patch for CVE-2008-1531
Modified: lighttpd/trunk/debian/changelog
===================================================================
--- lighttpd/trunk/debian/changelog 2008-04-13 10:15:51 UTC (rev 316)
+++ lighttpd/trunk/debian/changelog 2008-04-13 10:19:15 UTC (rev 317)
@@ -1,3 +1,10 @@
+lighttpd (1.4.19-2) UNRELEASED; urgency=low
+
+ * Add patches/ssl-connection-errors.patch for CVE-2008-1531
+ (Closes: 475438).
+
+ -- Pierre Habouzit <madcoder at debian.org> Thu, 20 Mar 2008 00:53:45 +0100
+
lighttpd (1.4.19-1~bpo40+1) etch-backports; urgency=low
* Rebuild for etch-backports.
Modified: lighttpd/trunk/debian/patches/series
===================================================================
--- lighttpd/trunk/debian/patches/series 2008-04-13 10:15:51 UTC (rev 316)
+++ lighttpd/trunk/debian/patches/series 2008-04-13 10:19:15 UTC (rev 317)
@@ -2,3 +2,4 @@
ldap_leak_bugfix.patch
ldap_build_filter_fix.patch
ldap-deprecated.patch
+ssl-connection-errors.patch
Added: lighttpd/trunk/debian/patches/ssl-connection-errors.patch
===================================================================
--- lighttpd/trunk/debian/patches/ssl-connection-errors.patch (rev 0)
+++ lighttpd/trunk/debian/patches/ssl-connection-errors.patch 2008-04-13 10:19:15 UTC (rev 317)
@@ -0,0 +1,100 @@
+diff -r ade3eead0e8d -r 82c24356bcd0 NEWS
+--- a/NEWS Fri Mar 28 16:30:14 2008 +0100
++++ b/NEWS Fri Mar 28 17:45:28 2008 +0100
+@@ -8,6 +8,7 @@
+ * added support for If-Range: <date> (#1346)
+ * added support for matching $HTTP["scheme"] in configs
+ * fixed initgroups() called after chroot (#1384)
++ * Fix #285 again: read error after SSL_shutdown (thx marton.illes at balabit.com) and clear the error queue before some other calls
+ * fixed case-sensitive check for Auth-Method (#1456)
+ * execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428)
+ * fixed a bug that made /-prefixed extensions being handled also when
+diff -r ade3eead0e8d -r 82c24356bcd0 src/connections.c
+--- a/src/connections.c Fri Mar 28 16:30:14 2008 +0100
++++ b/src/connections.c Fri Mar 28 17:45:28 2008 +0100
+@@ -199,6 +199,7 @@
+
+ /* don't resize the buffer if we were in SSL_ERROR_WANT_* */
+
++ ERR_clear_error();
+ do {
+ if (!con->ssl_error_want_reuse_buffer) {
+ b = buffer_init();
+@@ -1668,21 +1669,51 @@
+ }
+ #ifdef USE_OPENSSL
+ if (srv_sock->is_ssl) {
+- int ret;
++ int ret, ssl_r;
++ unsigned long err;
++ ERR_clear_error();
+ switch ((ret = SSL_shutdown(con->ssl))) {
+ case 1:
+ /* ok */
+ break;
+ case 0:
+- SSL_shutdown(con->ssl);
+- break;
++ ERR_clear_error();
++ if (-1 != (ret = SSL_shutdown(con->ssl))) break;
++
++ // fall through
+ default:
+- log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
+- SSL_get_error(con->ssl, ret),
+- ERR_error_string(ERR_get_error(), NULL));
+- return -1;
++
++ switch ((ssl_r = SSL_get_error(con->ssl, ret))) {
++ case SSL_ERROR_WANT_WRITE:
++ case SSL_ERROR_WANT_READ:
++ break;
++ case SSL_ERROR_SYSCALL:
++ /* perhaps we have error waiting in our error-queue */
++ if (0 != (err = ERR_get_error())) {
++ do {
++ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
++ ssl_r, ret,
++ ERR_error_string(err, NULL));
++ } while((err = ERR_get_error()));
++ } else {
++ log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
++ ssl_r, r, errno,
++ strerror(errno));
++ }
++
++ break;
++ default:
++ while((err = ERR_get_error())) {
++ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
++ ssl_r, ret,
++ ERR_error_string(err, NULL));
++ }
++
++ break;
++ }
+ }
+ }
++ ERR_clear_error();
+ #endif
+
+ switch(con->mode) {
+diff -r ade3eead0e8d -r 82c24356bcd0 src/network_openssl.c
+--- a/src/network_openssl.c Fri Mar 28 16:30:14 2008 +0100
++++ b/src/network_openssl.c Fri Mar 28 17:45:28 2008 +0100
+@@ -85,6 +85,7 @@
+ *
+ */
+
++ ERR_clear_error();
+ if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
+ unsigned long err;
+
+@@ -187,6 +188,7 @@
+
+ close(ifd);
+
++ ERR_clear_error();
+ if ((r = SSL_write(ssl, s, toSend)) <= 0) {
+ unsigned long err;
+
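Review bot: In the SSL_ERROR_SYSCALL branch of the nested src/connections.c hunk, the `log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):", ssl_r, r, errno, strerror(errno))` call logs `r`, but the variables this patch introduces are `ret`, `ssl_r` and `err`, and `r` is declared nowhere in the hunk. If the enclosing function has an `r` of its own this compiles but records a value unrelated to the SSL_shutdown() result; if not, the build fails — either way the sibling branches use `ret`, which is almost certainly what was intended: `ssl_r, ret, errno,`. It is also worth a comment on that line that SSL_ERROR_SYSCALL with an empty error queue and `ret == 0` indicates the peer closed the transport without a close_notify, in which case errno was presumably not set by this call and the strerror() text may be stale. The enclosing function starts and ends outside the hunk.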