[pkg-lighttpd] Bug#568519: lighttpd fails proxy connections when upgraded to 1.4.13-4etch12

[Benoit Hamet]

Version: 1.4.13-4etch12
Severity: normal

We are using the same configuration than the one described in this bug
report (https reverse proxy, with apache2 doing the ssl proxying).

the 1.4.13-4etch11 was working fine, but 1.4.13-4etch12 is failing. No
logs in lighttpd, a netstat show that apache2 proxy is trying to connect
to the server, but it's timing out with the same message in apache2 logs.

I guess that the problem comes from :
 - Fix denial of service through slow short requests leading to memory
exhaustion due to bad memory handling (CVE-2010-0295).

I have tried to do the reverse without ssl, and things looks working
(but that's not an option in our case). So why ssl + this fix is not
working ?

Regards.

Benoît.

-- System Information:
Debian Release: 4.0
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages lighttpd depends on:
ii  libattr1              2.4.32-1           Extended attribute shared
library
ii  libbz2-1.0            1.0.3-6            high-quality block-sorting
file co
ii  libc6                 2.3.6.ds1-13etch10 GNU C Library: Shared libraries
ii  libldap2              2.1.30-13.3        OpenLDAP libraries
ii  libpcre3              6.7+7.4-4          Perl 5 Compatible Regular
Expressi
ii  libssl0.9.8           0.9.8c-4etch9      SSL shared libraries
ii  lsb-base              3.1-23.2etch1      Linux Standard Base 3.1
init scrip
ii  mime-support          3.39-1             MIME files 'mime.types' &
'mailcap
ii  zlib1g                1:1.2.3-13         compression library - runtime

Versions of packages lighttpd recommends:
ii  php5-cgi             5.2.0+dfsg-8+etch16 server-side, HTML-embedded
scripti

-- no debconf information