packages: lighttpd/lighttpd-branch.diff, lighttpd/lighttpd.spec - branch up...

glen glen at pld-linux.org
Thu Dec 8 18:44:39 CET 2011 

Author: glen                         Date: Thu Dec  8 17:44:39 2011 GMT
Module: packages                      Tag: HEAD
---- Log message:
- branch update:
  [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb)

---- Files affected:
packages/lighttpd:
   lighttpd-branch.diff (1.70 -> 1.71) , lighttpd.spec (1.350 -> 1.351) 

---- Diffs:

================================================================
Index: packages/lighttpd/lighttpd-branch.diff
diff -u packages/lighttpd/lighttpd-branch.diff:1.70 packages/lighttpd/lighttpd-branch.diff:1.71
--- packages/lighttpd/lighttpd-branch.diff:1.70	Thu Dec  1 12:11:19 2011
+++ packages/lighttpd/lighttpd-branch.diff	Thu Dec  8 18:44:33 2011
@@ -1,4 +1,4 @@
-# Revision 2812
+# Revision 2815
 Index: src/http_auth_digest.c
 ===================================================================
 --- src/http_auth_digest.c	(.../tags/lighttpd-1.4.29)
@@ -562,7 +562,7 @@
  		cv[62].destination = &(s->ssl_use_sslv3);
  		cv[63].destination = s->ssl_dh_file;
  		cv[64].destination = s->ssl_ec_curve;
-+		cv[65].destination = &(s->ssl_honor_cipher_order);
++		cv[66].destination = &(s->ssl_honor_cipher_order);
 +
  		cv[49].destination = &(s->etag_use_inode);
  		cv[50].destination = &(s->etag_use_mtime);
@@ -1092,7 +1092,7 @@
  					unsigned long err;
  
  					switch ((ssl_r = SSL_get_error(ssl, r))) {
-@@ -243,6 +259,7 @@
+@@ -243,12 +259,13 @@
  				} else {
  					c->offset += r;
  					cq->bytes_out += r;
@@ -1100,6 +1100,13 @@
  				}
  
  				if (c->offset == c->file.length) {
+ 					chunk_finished = 1;
+ 				}
+-			} while(!chunk_finished && !write_wait);
++			} while (!chunk_finished && !write_wait && max_bytes > 0);
+ 
+ 			break;
+ 		}
 @@ -263,11 +280,9 @@
  
  			break;
@@ -1892,12 +1899,29 @@
 ===================================================================
 --- doc/config/lighttpd.conf	(.../tags/lighttpd-1.4.29)
 +++ doc/config/lighttpd.conf	(.../branches/lighttpd-1.4.x)
-@@ -394,6 +394,8 @@
+@@ -394,6 +394,25 @@
  ##   $SERVER["socket"] == "10.0.0.1:443" {
  ##     ssl.engine                  = "enable"
  ##     ssl.pemfile                 = "/etc/ssl/private/www.example.com.pem"
++##     #
++##     # Mitigate BEAST attack:
++##     #
++##     # A stricter base cipher suite. For details see:
 +##     # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
-+##     ssl.ciphers                 = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
++##     #
++##     ssl.ciphers                 = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
++##     #
++##     # Make the server prefer the order of the server side cipher suite instead of the client suite.
++##     # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
++##     # This option is enabled by default, but only used if ssl.ciphers is set.
++##     #
++##     # ssl.honor-cipher-order = "enable"
++##     #
++##     # Mitigate CVE-2009-3555 by disabling client triggered renegotation
++##     # This is enabled by default.
++##     #
++##     # ssl.disable-client-renegotiation = "enable"
++##     #
  ##     server.name                 = "www.example.com"
  ##
  ##     server.document-root        = "/srv/www/vhosts/example.com/www/"
@@ -1907,7 +1931,7 @@
 ===================================================================
 --- NEWS	(.../tags/lighttpd-1.4.29)
 +++ NEWS	(.../branches/lighttpd-1.4.x)
-@@ -3,7 +3,19 @@
+@@ -3,7 +3,20 @@
  NEWS
  ====
  
@@ -1923,6 +1947,7 @@
 +  * [ssl] count renegotiations to prevent client renegotiations
 +  * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack)
 +  * [core] accept dots in ipv6 addresses in host header (fixes #2359)
++  * [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb)
 +
 +- 1.4.29 - 2011-07-03
    * Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259)

================================================================
Index: packages/lighttpd/lighttpd.spec
diff -u packages/lighttpd/lighttpd.spec:1.350 packages/lighttpd/lighttpd.spec:1.351
--- packages/lighttpd/lighttpd.spec:1.350	Thu Dec  1 12:11:19 2011
+++ packages/lighttpd/lighttpd.spec	Thu Dec  8 18:44:33 2011
@@ -30,7 +30,7 @@
 Summary(pl.UTF-8):	Szybki i lekki serwer HTTP
 Name:		lighttpd
 Version:	1.4.29
-Release:	4
+Release:	5
 License:	BSD
 Group:		Networking/Daemons/HTTP
 Source0:	http://download.lighttpd.net/lighttpd/releases-1.4.x/%{name}-%{version}.tar.bz2
@@ -1319,6 +1319,10 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.351  2011/12/08 17:44:33  glen
+- branch update:
+  [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb)
+
 Revision 1.350  2011/12/01 11:11:19  glen
 - update branch diff:
   [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/lighttpd/lighttpd-branch.diff?r1=1.70&r2=1.71&f=u
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/lighttpd/lighttpd.spec?r1=1.350&r2=1.351&f=u

More information about the pld-cvs-commit mailing list