main/lighttpd: upgrade to 1.4.34

author: Natanael Copa <ncopa@alpinelinux.org> 2014-01-22 09:52:43 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2014-01-22 09:52:43 +0000
commit: 561c2fbe72739aa470090162d79703061f01538e (patch)
tree: ee3fe262846be75e057d717ea1251d3cfe7decf7 /main/lighttpd
parent: c56ab776e606e80dec67f1c9fb0f6d790659cf42 (diff)
download: aports-561c2fbe72739aa470090162d79703061f01538e.tar.bz2
aports-561c2fbe72739aa470090162d79703061f01538e.tar.xz
5 files changed, 5 insertions, 439 deletions
diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD
index 297becee8..d5c57d985 100644
--- a/main/lighttpd/APKBUILD
+++ b/main/lighttpd/APKBUILD
@@ -1,8 +1,8 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=lighttpd
-pkgver=1.4.33
+pkgver=1.4.34
 _streamver=2.2.0
-pkgrel=3
+pkgrel=0
 pkgdesc="a secure, fast, compliant and very flexible web-server"
 url="http://www.lighttpd.net/"
 arch="all"
@@ -15,10 +15,6 @@ makedepends="flex pcre-dev openssl-dev zlib-dev bzip2-dev lua-dev pkgconfig
 	automake autoconf openldap-dev libxml2-dev sqlite-dev libev-dev"
 source="http://download.lighttpd.net/lighttpd/releases-1.4.x/$pkgname-$pkgver.tar.bz2
 	http://h264.code-shop.com/download/lighttpd-1.4.18_mod_h264_streaming-$_streamver.tar.gz
-	CVE-2013-4508.patch
-	CVE-2013-4508b.patch
-	CVE-2013-4559.patch
-	CVE-2013-4560.patch
 
 	$pkgname.initd
 	$pkgname.confd
@@ -144,12 +140,8 @@ mod_webdav() {
 }
 
 
-md5sums="e66b8164e5fc5a6beec0823b697fbe1d  lighttpd-1.4.33.tar.bz2
+md5sums="1071c172ccdd3ba31b56292661236d4b  lighttpd-1.4.34.tar.bz2
 ac37885c881a058194405232e7737a7a  lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
-a511605bb658386a09892c578dfc1edb  CVE-2013-4508.patch
-89dba7992857f6173b64305142c0a79d  CVE-2013-4508b.patch
-a17ed4614cdd6273d6cde40d48dbbf0e  CVE-2013-4559.patch
-f903d74285300a4323aafb9cd6e59aa0  CVE-2013-4560.patch
 aa1f130f66607615143b2b497c55b177  lighttpd.initd
 0dede109282bfe685bdec6b35f0e4b6b  lighttpd.confd
 ad091c9157134890499f26d170352c9f  lighttpd.logrotate
@@ -160,12 +152,8 @@ fef397e7bcf1b741dea211a555e1803c  mime-types.conf
 9c1407e95f62ed22da66c4ef5f69c3b5  mod_cgi.conf
 f3363e39832f1b6678468b482d121afb  mod_fastcgi.conf
 aee5947a1abf380b0685a534ca384b42  mod_fastcgi_fpm.conf"
-sha256sums="2ff2324658c0f90e7d39afd40f08f11ca230903b9019c31a2bbecd8f087f235e  lighttpd-1.4.33.tar.bz2
+sha256sums="e4b5682ef21b0bdea4a18dc7ccac6b5a0bf526b691ad0fe5c25c8b9fc38d0c12  lighttpd-1.4.34.tar.bz2
 732cf98d823f2c7ddc96a3130a3c88d588b02ed20a0e7f8c9be25a265fbea2d6  lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
-08b2529e527a9810fd46fa2e33529a05f70b58e06b5d908a9c8126778a8f8284  CVE-2013-4508.patch
-d5c3740de1322b52d13387a797b191f5fe61aa542c58dfa828e778cedf674580  CVE-2013-4508b.patch
-82c2b19fcf807d4d32732aa72a62b7d31a0988290b227c98b0399cfa98da91a4  CVE-2013-4559.patch
-d87655bbfc597216476c2674d9018aa556f7b6e592c9313c94c82e141b9bff2f  CVE-2013-4560.patch
 14a769551522d7c05319db2efd6b03962638413e4a3d58a0ee5f3f4760d33f16  lighttpd.initd
 94f69a173dc26610a43532474230537b9bc31ec846fb9f94cb72765f125edf87  lighttpd.confd
 503ee1cd454e2c0f9a212ef60dc8321893eda06ccf721ecbe94d189a09e0bc6c  lighttpd.logrotate
@@ -176,12 +164,8 @@ bfa452a849165f921a2febf0b06879db18c4c921f156b1452d06bb821063f768  spawn-fcgi.con
 322656b4cfd22ca9f1f8ab160e0b932f1646622422fd49c6fc82ab416223eecf  mod_cgi.conf
 d1adc1358b5d9e85353caa2e706bfa231d145dd59c075cdcb3f818b3cb5d722e  mod_fastcgi.conf
 e7eb047360e09d1a2b693f08d4a912b99954090c5bdea706f46a33554e867043  mod_fastcgi_fpm.conf"
-sha512sums="f380adb20944846340b409290c43d54188f94e7992fe1e90121ab866f75048dfb7c2c1592b07b1df0af3b6d12b60d1d7e5d41de75c8684b8939b3df736f00762  lighttpd-1.4.33.tar.bz2
+sha512sums="ad8b25090f81bcb55d3aac89cd17119ed3574a86756992bf36f7d302cf5966006bbc4a76e2d3926a4f096c0db30b01722aa7fb7fa556200ace6c3b82874d81ee  lighttpd-1.4.34.tar.bz2
 12e1b7c8146cccfa78678ce56cd2f704423559b23b90996dff00602634f110512146386086ac234293a3c28900a06c2bec1c97e680e7eed5173372f88177b351  lighttpd-1.4.18_mod_h264_streaming-2.2.0.tar.gz
-2f0c876ee11e64cb4df5e1a59fe907c680b7825b8c6acc12d3697bc0ceaf0f3eee223702b04a7f14a9e7e5d55e027b6181b9837a3d5a7476b10f90a9b8b1238e  CVE-2013-4508.patch
-521e0828009b37d936d15564734568b0e0180b2261d40562d686f3abc10c4a8780524b404788f21d09fecefeabbd588c2cb8dce0c242f6dec693c2f664c296e2  CVE-2013-4508b.patch
-63c200180d11658a3341061e3ac0d404504b9ef97927e8673ac78a2c41c8169b0e1c4e37d6da08de9d6c4fc390e452f256207dc850f85f8bdd761c6b4e3f58a7  CVE-2013-4559.patch
-c7d699df342ad2822fddf6f20bddac9c069d3eeeaf20067781728ed341a36a9a1cc5c430ff2d5d1e1a422a31c3fcf7e8752bb034df69df15d8de3b179c757024  CVE-2013-4560.patch
 3d92f1f2fab79d12570e445d0bfba1c3b53898c6eeb323ec2171a289417c01039746f722c5e00bac36ea7fc433e3e7422b64f8952ad780b3d68e010ef3d8bf61  lighttpd.initd
 93a05dddab14ba6355a0345f1da2fe900c8b55fed8f98506295dc12d96c7cef803c4aca77f016b8acea7bbde485be1e09a57d31fdca6f91023fbeb4db9a90a8b  lighttpd.confd
 e1284fe9ab4b9a53c21b40a5ac3e77e66343e187321b8a2f7464db64747f3a99f7e17a9e7c0e298db84a24fa1286cfe344dbff182eddd9de5c0605f5397a6972  lighttpd.logrotate
diff --git a/main/lighttpd/CVE-2013-4508.patch b/main/lighttpd/CVE-2013-4508.patch
deleted file mode 100644
index 416008a59..000000000
--- a/main/lighttpd/CVE-2013-4508.patch
+++ /dev/null
@@ -1,354 +0,0 @@
-Index: lighttpd-1.4.x/src/network.c
-===================================================================
---- lighttpd-1.4.x/src/network.c	(revision 2912)
-+++ lighttpd-1.4.x/src/network.c	(revision 2913)
-@@ -112,20 +112,46 @@
- 	config_patch_connection(srv, con, COMP_HTTP_SCHEME);
- 	config_patch_connection(srv, con, COMP_HTTP_HOST);
- 
--	if (NULL == con->conf.ssl_ctx) {
--		/* ssl_ctx <=> pemfile was set <=> ssl_ctx got patched: so this should never happen */
-+	if (NULL == con->conf.ssl_pemfile_x509 || NULL == con->conf.ssl_pemfile_pkey) {
-+		/* x509/pkey available <=> pemfile was set <=> pemfile got patched: so this should never happen, unless you nest $SERVER["socket"] */
- 		log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
--			"null SSL_CTX for TLS server name", con->tlsext_server_name);
-+			"no certificate/private key for TLS server name", con->tlsext_server_name);
- 		return SSL_TLSEXT_ERR_ALERT_FATAL;
- 	}
- 
--	/* switch to new SSL_CTX in reaction to a client's server_name extension */
--	if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
--		log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
--			"failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
-+	/* first set certificate! setting private key checks whether certificate matches it */
-+	if (!SSL_use_certificate(ssl, con->conf.ssl_pemfile_x509)) {
-+		log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
-+			"failed to set certificate for TLS server name", con->tlsext_server_name,
-+			ERR_error_string(ERR_get_error(), NULL));
- 		return SSL_TLSEXT_ERR_ALERT_FATAL;
- 	}
- 
-+	if (!SSL_use_PrivateKey(ssl, con->conf.ssl_pemfile_pkey)) {
-+		log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
-+			"failed to set private key for TLS server name", con->tlsext_server_name,
-+			ERR_error_string(ERR_get_error(), NULL));
-+		return SSL_TLSEXT_ERR_ALERT_FATAL;
-+	}
-+
-+	if (con->conf.ssl_verifyclient) {
-+		if (NULL == con->conf.ssl_ca_file_cert_names) {
-+			log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
-+				"can't verify client without ssl.ca-file for TLS server name", con->tlsext_server_name,
-+				ERR_error_string(ERR_get_error(), NULL));
-+			return SSL_TLSEXT_ERR_ALERT_FATAL;
-+		}
-+
-+		SSL_set_client_CA_list(ssl, SSL_dup_CA_list(con->conf.ssl_ca_file_cert_names));
-+		/* forcing verification here is really not that useful - a client could just connect without SNI */
-+		SSL_set_verify(
-+			ssl,
-+			SSL_VERIFY_PEER | (con->conf.ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
-+			NULL
-+		);
-+		SSL_set_verify_depth(ssl, con->conf.ssl_verifyclient_depth);
-+	}
-+
- 	return SSL_TLSEXT_ERR_OK;
- }
- #endif
-@@ -491,9 +517,100 @@
- 	NETWORK_BACKEND_SOLARIS_SENDFILEV
- } network_backend_t;
- 
-+#ifdef USE_OPENSSL
-+static X509* x509_load_pem_file(server *srv, const char *file) {
-+	BIO *in;
-+	X509 *x = NULL;
-+
-+	in = BIO_new(BIO_s_file());
-+	if (NULL == in) {
-+		log_error_write(srv, __FILE__, __LINE__, "S", "SSL: BIO_new(BIO_s_file()) failed");
-+		goto error;
-+	}
-+
-+	if (BIO_read_filename(in,file) <= 0) {
-+		log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed");
-+		goto error;
-+	}
-+	x = PEM_read_bio_X509(in, NULL, NULL, NULL);
-+
-+	if (NULL == x) {
-+		log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read X509 certificate from '", file,"'");
-+		goto error;
-+	}
-+
-+	BIO_free(in);
-+	return x;
-+
-+error:
-+	if (NULL != x) X509_free(x);
-+	if (NULL != in) BIO_free(in);
-+	return NULL;
-+}
-+
-+static EVP_PKEY* evp_pkey_load_pem_file(server *srv, const char *file) {
-+	BIO *in;
-+	EVP_PKEY *x = NULL;
-+
-+	in=BIO_new(BIO_s_file());
-+	if (NULL == in) {
-+		log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BIO_new(BIO_s_file()) failed");
-+		goto error;
-+	}
-+
-+	if (BIO_read_filename(in,file) <= 0) {
-+		log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed");
-+		goto error;
-+	}
-+	x = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
-+
-+	if (NULL == x) {
-+		log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read private key from '", file,"'");
-+		goto error;
-+	}
-+
-+	BIO_free(in);
-+	return x;
-+
-+error:
-+	if (NULL != x) EVP_PKEY_free(x);
-+	if (NULL != in) BIO_free(in);
-+	return NULL;
-+}
-+
-+static int network_openssl_load_pemfile(server *srv, size_t ndx) {
-+	specific_config *s = srv->config_storage[ndx];
-+
-+#ifdef OPENSSL_NO_TLSEXT
-+	{
-+		data_config *dc = (data_config *)srv->config_context->data[i];
-+		if ((ndx > 0 && (COMP_SERVER_SOCKET != dc->comp || dc->cond != CONFIG_COND_EQ))
-+			|| !s->ssl_enabled) {
-+			log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
-+					"ssl.pemfile only works in SSL socket binding context as openssl version does not support TLS extensions");
-+			return -1;
-+		}
-+	}
-+#endif
-+
-+	if (NULL == (s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
-+	if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
-+
-+	if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
-+		log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
-+				"Private key does not match the certificate public key, reason:",
-+				ERR_error_string(ERR_get_error(), NULL),
-+				s->ssl_pemfile);
-+		return -1;
-+	}
-+
-+	return 0;
-+}
-+#endif
-+
- int network_init(server *srv) {
- 	buffer *b;
--	size_t i;
-+	size_t i, j;
- 	network_backend_t backend;
- 
- #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
-@@ -580,19 +697,8 @@
- 		long ssloptions =
- 			SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
- 
--		if (buffer_is_empty(s->ssl_pemfile)) continue;
-+		if (buffer_is_empty(s->ssl_pemfile) && buffer_is_empty(s->ssl_ca_file)) continue;
- 
--#ifdef OPENSSL_NO_TLSEXT
--		{
--			data_config *dc = (data_config *)srv->config_context->data[i];
--			if (COMP_HTTP_HOST == dc->comp) {
--			    log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
--					    "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
--			    return -1;
--			}
--		}
--#endif
--
- 		if (srv->ssl_is_init == 0) {
- 			SSL_load_error_strings();
- 			SSL_library_init();
-@@ -606,6 +712,29 @@
- 			}
- 		}
- 
-+		if (!buffer_is_empty(s->ssl_pemfile)) {
-+#ifdef OPENSSL_NO_TLSEXT
-+			data_config *dc = (data_config *)srv->config_context->data[i];
-+			if (COMP_HTTP_HOST == dc->comp) {
-+				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
-+						"can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
-+				return -1;
-+			}
-+#endif
-+			if (network_openssl_load_pemfile(srv, i)) return -1;
-+		}
-+
-+
-+		if (!buffer_is_empty(s->ssl_ca_file)) {
-+			s->ssl_ca_file_cert_names = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
-+			if (NULL == s->ssl_ca_file_cert_names) {
-+				log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
-+						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
-+			}
-+		}
-+
-+		if (buffer_is_empty(s->ssl_pemfile) || !s->ssl_enabled) continue;
-+
- 		if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
- 			log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
- 					ERR_error_string(ERR_get_error(), NULL));
-@@ -721,45 +850,42 @@
- #endif
- #endif
- 
--		if (!buffer_is_empty(s->ssl_ca_file)) {
--			if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
--				log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
--						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
--				return -1;
--			}
--			if (s->ssl_verifyclient) {
--				STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
--				if (!certs) {
-+		/* load all ssl.ca-files specified in the config into each SSL_CTX to be prepared for SNI */
-+		for (j = 0; j < srv->config_context->used; j++) {
-+			specific_config *s1 = srv->config_storage[j];
-+
-+			if (!buffer_is_empty(s1->ssl_ca_file)) {
-+				if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s1->ssl_ca_file->ptr, NULL)) {
- 					log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
--							ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
--				}
--				if (SSL_CTX_set_session_id_context(s->ssl_ctx, (void*) &srv, sizeof(srv)) != 1) {
--					log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
--						ERR_error_string(ERR_get_error(), NULL));
-+							ERR_error_string(ERR_get_error(), NULL), s1->ssl_ca_file);
- 					return -1;
- 				}
--				SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
--				SSL_CTX_set_verify(
--					s->ssl_ctx,
--					SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
--					NULL
-+			}
-+		}
-+
-+		if (s->ssl_verifyclient) {
-+			if (NULL == s->ssl_ca_file_cert_names) {
-+				log_error_write(srv, __FILE__, __LINE__, "s",
-+					"SSL: You specified ssl.verifyclient.activate but no ca_file"
- 				);
--				SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
-+				return -1;
- 			}
--		} else if (s->ssl_verifyclient) {
--			log_error_write(
--				srv, __FILE__, __LINE__, "s",
--				"SSL: You specified ssl.verifyclient.activate but no ca_file"
-+			SSL_CTX_set_client_CA_list(s->ssl_ctx, SSL_dup_CA_list(s->ssl_ca_file_cert_names));
-+			SSL_CTX_set_verify(
-+				s->ssl_ctx,
-+				SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
-+				NULL
- 			);
-+			SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
- 		}
- 
--		if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
-+		if (SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509) < 0) {
- 			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
- 					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
- 			return -1;
- 		}
- 
--		if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
-+		if (SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey) < 0) {
- 			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
- 					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
- 			return -1;
-@@ -856,7 +982,6 @@
- 	for (i = 1; i < srv->config_context->used; i++) {
- 		data_config *dc = (data_config *)srv->config_context->data[i];
- 		specific_config *s = srv->config_storage[i];
--		size_t j;
- 
- 		/* not our stage */
- 		if (COMP_SERVER_SOCKET != dc->comp) continue;
-Index: lighttpd-1.4.x/src/base.h
-===================================================================
---- lighttpd-1.4.x/src/base.h	(revision 2912)
-+++ lighttpd-1.4.x/src/base.h	(revision 2913)
-@@ -320,7 +320,11 @@
- 	off_t *global_bytes_per_second_cnt_ptr; /*  */
- 
- #ifdef USE_OPENSSL
--	SSL_CTX *ssl_ctx;
-+	SSL_CTX *ssl_ctx; /* not patched */
-+	/* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
-+	EVP_PKEY *ssl_pemfile_pkey;
-+	X509 *ssl_pemfile_x509;
-+	STACK_OF(X509_NAME) *ssl_ca_file_cert_names;
- #endif
- } specific_config;
- 
-Index: lighttpd-1.4.x/src/server.c
-===================================================================
---- lighttpd-1.4.x/src/server.c	(revision 2912)
-+++ lighttpd-1.4.x/src/server.c	(revision 2913)
-@@ -314,6 +314,9 @@
- 			buffer_free(s->ssl_verifyclient_username);
- #ifdef USE_OPENSSL
- 			SSL_CTX_free(s->ssl_ctx);
-+			EVP_PKEY_free(s->ssl_pemfile_pkey);
-+			X509_free(s->ssl_pemfile_x509);
-+			if (NULL != s->ssl_ca_file_cert_names) sk_X509_NAME_pop_free(s->ssl_ca_file_cert_names, X509_NAME_free);
- #endif
- 			free(s);
- 		}
-Index: lighttpd-1.4.x/src/configfile.c
-===================================================================
---- lighttpd-1.4.x/src/configfile.c	(revision 2912)
-+++ lighttpd-1.4.x/src/configfile.c	(revision 2913)
-@@ -339,9 +339,13 @@
- 
- 	PATCH(ssl_pemfile);
- #ifdef USE_OPENSSL
--	PATCH(ssl_ctx);
-+	PATCH(ssl_pemfile_x509);
-+	PATCH(ssl_pemfile_pkey);
- #endif
- 	PATCH(ssl_ca_file);
-+#ifdef USE_OPENSSL
-+	PATCH(ssl_ca_file_cert_names);
-+#endif
- 	PATCH(ssl_cipher_list);
- 	PATCH(ssl_dh_file);
- 	PATCH(ssl_ec_curve);
-@@ -409,10 +413,14 @@
- 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) {
- 				PATCH(ssl_pemfile);
- #ifdef USE_OPENSSL
--				PATCH(ssl_ctx);
-+				PATCH(ssl_pemfile_x509);
-+				PATCH(ssl_pemfile_pkey);
- #endif
- 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
- 				PATCH(ssl_ca_file);
-+#ifdef USE_OPENSSL
-+				PATCH(ssl_ca_file_cert_names);
-+#endif
- 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
- 				PATCH(ssl_honor_cipher_order);
- 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.empty-fragments"))) {
diff --git a/main/lighttpd/CVE-2013-4508b.patch b/main/lighttpd/CVE-2013-4508b.patch
deleted file mode 100644
index dc732340b..000000000
--- a/main/lighttpd/CVE-2013-4508b.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Index: lighttpd-1.4.x/src/network.c
-===================================================================
---- lighttpd-1.4.x/src/network.c	(revision 2924)
-+++ lighttpd-1.4.x/src/network.c	(revision 2925)
-@@ -741,6 +741,14 @@
- 			return -1;
- 		}
- 
-+		/* completely useless identifier; required for client cert verification to work with sessions */
-+		if (0 == SSL_CTX_set_session_id_context(s->ssl_ctx, (const unsigned char*) CONST_STR_LEN("lighttpd"))) {
-+			log_error_write(srv, __FILE__, __LINE__, "ss:s", "SSL:",
-+				"failed to set session context",
-+				ERR_error_string(ERR_get_error(), NULL));
-+			return -1;
-+		}
-+
- 		if (s->ssl_empty_fragments) {
- #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
- 			ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
diff --git a/main/lighttpd/CVE-2013-4559.patch b/main/lighttpd/CVE-2013-4559.patch
deleted file mode 100644
index e277f2a71..000000000
--- a/main/lighttpd/CVE-2013-4559.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Index: lighttpd-1.4.x/src/server.c
-===================================================================
---- lighttpd-1.4.x/src/server.c	(revision 2922)
-+++ lighttpd-1.4.x/src/server.c	(revision 2923)
-@@ -820,8 +820,14 @@
- 		 * to /etc/group
- 		 * */
- 		if (NULL != grp) {
--			setgid(grp->gr_gid);
--			setgroups(0, NULL);
-+			if (-1 == setgid(grp->gr_gid)) {
-+				log_error_write(srv, __FILE__, __LINE__, "ss", "setgid failed: ", strerror(errno));
-+				return -1;
-+			}
-+			if (-1 == setgroups(0, NULL)) {
-+				log_error_write(srv, __FILE__, __LINE__, "ss", "setgroups failed: ", strerror(errno));
-+				return -1;
-+			}
- 			if (srv->srvconf.username->used) {
- 				initgroups(srv->srvconf.username->ptr, grp->gr_gid);
- 			}
-@@ -844,7 +850,10 @@
- #ifdef HAVE_PWD_H
- 		/* drop root privs */
- 		if (NULL != pwd) {
--			setuid(pwd->pw_uid);
-+			if (-1 == setuid(pwd->pw_uid)) {
-+				log_error_write(srv, __FILE__, __LINE__, "ss", "setuid failed: ", strerror(errno));
-+				return -1;
-+			}
- 		}
- #endif
- #if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)
diff --git a/main/lighttpd/CVE-2013-4560.patch b/main/lighttpd/CVE-2013-4560.patch
deleted file mode 100644
index bd5af70a5..000000000
--- a/main/lighttpd/CVE-2013-4560.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: lighttpd-1.4.x/src/stat_cache.c
-===================================================================
---- lighttpd-1.4.x/src/stat_cache.c	(revision 2920)
-+++ lighttpd-1.4.x/src/stat_cache.c	(revision 2921)
-@@ -648,6 +648,7 @@
- 						FamErrlist[FAMErrno]);
- 
- 				fam_dir_entry_free(fam_dir);
-+				fam_dir = NULL;
- 			} else {
- 				int osize = 0;
-
author	Natanael Copa <ncopa@alpinelinux.org>	2014-01-22 09:52:43 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2014-01-22 09:52:43 +0000
commit	561c2fbe72739aa470090162d79703061f01538e (patch)
tree	ee3fe262846be75e057d717ea1251d3cfe7decf7 /main/lighttpd
parent	c56ab776e606e80dec67f1c9fb0f6d790659cf42 (diff)
download	aports-561c2fbe72739aa470090162d79703061f01538e.tar.bz2 aports-561c2fbe72739aa470090162d79703061f01538e.tar.xz