Debian Bug report logs - #729480
SSL connections with client certificates no longer working


Package: lighttpd; Maintainer for lighttpd is Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>; Source for lighttpd is src:lighttpd.

Reported by: gator_ml@yahoo.de

Date: Wed, 13 Nov 2013 13:03:02 UTC

Severity: serious

Tags: patch

Found in versions lighttpd/1.4.31-4+deb7u1, lighttpd/1.4.33-1+nmu1

Fixed in versions lighttpd/1.4.33-1+nmu2, lighttpd/1.4.28-2+squeeze1.5, lighttpd/1.4.31-4+deb7u2

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#729480; Package lighttpd. (Wed, 13 Nov 2013 13:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to gator_ml@yahoo.de:
New Bug report received and forwarded. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>. (Wed, 13 Nov 2013 13:03:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: gator_ml@yahoo.de
To: submit@bugs.debian.org
Subject: SSL connections with client certificates no longer working
Date: Wed, 13 Nov 2013 13:51:30 +0100

Package: lighttpd
Version: 1.4.31-4+deb7u1
Severity: important

I am running a webserver that only offers https and normally requires
client certificates. When I install the security upgrade
1.4.31-4+deb7u1 and restart lighttpd, with some delay (when I keep
hitting reload in a client, it works 5-10 times) no more connections
with client certificates succeed.

Firefox reports "connection was interrupted", chrome
ERR_SSL_PROTOCOL_ERROR, lighttpd's error log fills with messages saying:
 (connections.c.305) SSL: 1 error:140D9115:SSL 
 routines:SSL_GET_PREV_SESSION:session id context uninitialized

"regular" https-Connections (w/o client certificate) continue to
work. After restarting lighttpd, everything works again for a little
while, then trouble starts again.

With lighttpd 1.4.31-4 everything works fine; this problem definitely
has been introduced with the security patches for 1.4.31-4+deb7u1.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#729480; Package lighttpd. (Wed, 13 Nov 2013 13:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Bühler <stbuehler@lighttpd.net>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>. (Wed, 13 Nov 2013 13:45:04 GMT) Full text and rfc822 format available.

Message #10 received at 729480@bugs.debian.org (full text, mbox):

From: Stefan Bühler <stbuehler@lighttpd.net>
To: gator_ml@yahoo.de, 729480@bugs.debian.org
Subject: Re: Bug#729480: SSL connections with client certificates no longer working
Date: Wed, 13 Nov 2013 14:33:42 +0100

Hi,

On Wed, 13 Nov 2013 13:51:30 +0100
gator_ml@yahoo.de wrote:

> Package: lighttpd
> Version: 1.4.31-4+deb7u1
> Severity: important
> 
> I am running a webserver that only offers https and normally requires
> client certificates. When I install the security upgrade
> 1.4.31-4+deb7u1 and restart lighttpd, with some delay (when I keep
> hitting reload in a client, it works 5-10 times) no more connections
> with client certificates succeed.
> 
> Firefox reports "connection was interrupted", chrome
> ERR_SSL_PROTOCOL_ERROR, lighttpd's error log fills with messages
> saying: (connections.c.305) SSL: 1 error:140D9115:SSL 
>  routines:SSL_GET_PREV_SESSION:session id context uninitialized
>
> "regular" https-Connections (w/o client certificate) continue to
> work. After restarting lighttpd, everything works again for a little
> while, then trouble starts again.
> 
> With lighttpd 1.4.31-4 everything works fine; this problem definitely
> has been introduced with the security patches for 1.4.31-4+deb7u1.
> 

Damn.

Previously we called
  SSL_CTX_set_session_id_context
and set some internal as pointer, but only if the context was for
enabled "verify-peer".

As we now enable "verify-peer" for a connection on the fly, this part
was removed from the code.

After all, why would it be necessary to set a context only if we had to
verify peers? (Also setting an internal pointer felt wrong)

Turns out, that is exactly what openssl wants, without any good reason:
(quoting ssl_sess.c:~564)
 /* We can't be sure if this session is being used out of
  * context, which is especially important for SSL_VERIFY_PEER.
  * The application should have used SSL[_CTX]_set_session_id_context.
  *
  * For this error case, we generate an error instead of treating
  * the event like a cache miss (otherwise it would be easy for
  * applications to effectively disable the session cache by
  * accident without anyone noticing).
  */

I don't think I'll ever use openssl in any software again...

As I'm not sure yet what the context should actually be (setting an 
internal pointer is definitely wrong, setting a string like "lighttpd"
might work), I don't have a patch ready yet.


Thanks for reporting!

regards,
Stefan (upstream maintainer)
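
A log-triage sketch for the error line quoted in this report, added here as an example (not code from lighttpd, OpenSSL or anyone in this thread): it unpacks the hex code in `error:140D9115:...` using the packed error layout of the OpenSSL 1.0.x series and counts log lines whose reason is "session id context uninitialized". The function names, timestamps and sample log lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Packed error code layout in the OpenSSL 1.0.x series (ERR_PACK):
 * 8-bit library, 12-bit function, 12-bit reason. */
struct ossl_err { unsigned lib, func, reason; };

#define LIB_SSL                      20   /* ERR_LIB_SSL */
#define REASON_SID_CTX_UNINITIALIZED 277  /* SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED */

/* Find "error:XXXXXXXX:" in a log line and unpack the code.
 * Returns 1 on success, 0 if the line carries no OpenSSL error code. */
static int parse_ossl_error(const char *line, struct ossl_err *out)
{
    const char *p = strstr(line, "error:");
    unsigned long code;
    int i;

    if (p == NULL) return 0;
    p += strlen("error:");
    for (i = 0; i < 8; i++)                 /* exactly 8 hex digits ... */
        if (!isxdigit((unsigned char)p[i])) return 0;
    if (p[8] != ':') return 0;              /* ... followed by ':' */

    code = strtoul(p, NULL, 16);
    out->lib    = (unsigned)((code >> 24) & 0xff);
    out->func   = (unsigned)((code >> 12) & 0xfff);
    out->reason = (unsigned)(code & 0xfff);
    return 1;
}

/* 1 if the line reports the failure described in this bug. */
static int is_sid_ctx_error(const char *line)
{
    struct ossl_err e;
    return parse_ossl_error(line, &e)
        && e.lib == LIB_SSL
        && e.reason == REASON_SID_CTX_UNINITIALIZED;
}

/* Count matching lines in an in-memory log. */
static size_t count_sid_ctx_errors(const char *const *lines, size_t n)
{
    size_t i, hits = 0;
    for (i = 0; i < n; i++)
        hits += (size_t)is_sid_ctx_error(lines[i]);
    return hits;
}

/* Constructed sample log: the error text from this report joined onto
 * one line, with made-up timestamps and two unrelated lines. */
static const char *const SAMPLE_LOG[] = {
    "2013-11-13 13:40:01: (connections.c.305) SSL: 1 error:140D9115:"
    "SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized",
    "2013-11-13 13:40:02: (connections.c.305) SSL: 1 error:14094418:"
    "SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "2013-11-13 13:40:03: (connections.c.305) SSL: 1 error:140D9115:"
    "SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized",
    "2013-11-13 13:40:04: (server.c.1546) server started",
};
#define SAMPLE_LOG_LEN (sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]))

int main(void)
{
    struct ossl_err e;
    if (parse_ossl_error(SAMPLE_LOG[0], &e))
        printf("lib=%u func=%u reason=%u\n", e.lib, e.func, e.reason);
    printf("session id context errors: %lu of %lu lines\n",
           (unsigned long)count_sid_ctx_errors(SAMPLE_LOG, SAMPLE_LOG_LEN),
           (unsigned long)SAMPLE_LOG_LEN);
    return 0;
}
```

Matching on the numeric reason rather than the message text keeps the check stable if the log wraps or truncates the string; later OpenSSL major versions pack error codes differently, so the field split applies to the 1.0.x builds this report concerns.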



Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#729480; Package lighttpd. (Wed, 13 Nov 2013 17:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Bühler <stbuehler@lighttpd.net>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>. (Wed, 13 Nov 2013 17:42:04 GMT) Full text and rfc822 format available.

Message #15 received at 729480@bugs.debian.org (full text, mbox):

From: Stefan Bühler <stbuehler@lighttpd.net>
To: 729480@bugs.debian.org
Cc: gator_ml@yahoo.de
Subject: Re: Bug#729480: SSL connections with client certificates no longer working
Date: Wed, 13 Nov 2013 18:39:32 +0100

Hi,

I updated our advisory at
  http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
and the patch at
  http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.33_fix_ssl_sni.patch
with the diff from revision 2925:
  http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2925/diff/


Setting id_context in the SNI callback doesn't seem to have any useful
effect, which makes it really an absolutely useless thing.

Sorry for the trouble.

regards,
Stefan



Merged 729480 729555 Request was from Stefan Bühler <stbuehler@lighttpd.net> to control@bugs.debian.org. (Thu, 14 Nov 2013 10:54:05 GMT) Full text and rfc822 format available.

Disconnected #729555 from all other report(s). Request was from Stefan Bühler <stbuehler@lighttpd.net> to control@bugs.debian.org. (Thu, 14 Nov 2013 12:03:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#729480; Package lighttpd. (Fri, 15 Nov 2013 12:00:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to gator_ml@yahoo.de:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>. (Fri, 15 Nov 2013 12:00:05 GMT) Full text and rfc822 format available.

Message #24 received at 729480@bugs.debian.org (full text, mbox):

From: gator_ml@yahoo.de
To: 729480@bugs.debian.org
Cc: Stefan Bühler <stbuehler@lighttpd.net>
Subject: Re: Bug#729480: SSL connections with client certificates no longer working
Date: Fri, 15 Nov 2013 12:57:38 +0100

On 2013-11-13 18:39, Stefan Bühler wrote:
> I updated our advisory at
[...]
> with the diff from revision 2925:
>   http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2925/diff/

Thanks a lot for the quick reaction!
I can confirm that with your patch added to the debian package
version 1.4.31-4+deb7u1 my problem is solved!

Regards,
                      Peter



Merged 729480 729555 Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sat, 16 Nov 2013 22:33:05 GMT) Full text and rfc822 format available.

Marked as found in versions lighttpd/1.4.33-1+nmu1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sat, 16 Nov 2013 22:42:04 GMT) Full text and rfc822 format available.

Severity set to 'serious' from 'important' Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sat, 16 Nov 2013 22:42:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#729480; Package lighttpd. (Sat, 16 Nov 2013 22:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>. (Sat, 16 Nov 2013 22:51:05 GMT) Full text and rfc822 format available.

Message #35 received at 729480@bugs.debian.org (full text, mbox):

From: Michael Gilbert <mgilbert@debian.org>
To: 729480@bugs.debian.org
Subject: re: SSL connections with client certificates no longer working
Date: Sat, 16 Nov 2013 17:49:14 -0500

control: tag -1 patch
control: tag -1 pending

Hi, I've uploaded an nmu fixing this issue to delayed/2.  Please see
attached patch.

Best wishes,
Mike
[lighttpd.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from Michael Gilbert <mgilbert@debian.org> to 729480-submit@bugs.debian.org. (Sat, 16 Nov 2013 22:51:05 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Michael Gilbert <mgilbert@debian.org> to 729480-submit@bugs.debian.org. (Sat, 16 Nov 2013 22:51:07 GMT) Full text and rfc822 format available.

Disconnected #729480 from all other report(s). Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 17 Nov 2013 00:15:05 GMT) Full text and rfc822 format available.

Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Mon, 18 Nov 2013 23:06:05 GMT) Full text and rfc822 format available.

Notification sent to gator_ml@yahoo.de:
Bug acknowledged by developer. (Mon, 18 Nov 2013 23:06:05 GMT) Full text and rfc822 format available.

Message #46 received at 729480-close@bugs.debian.org (full text, mbox):

From: Michael Gilbert <mgilbert@debian.org>
To: 729480-close@bugs.debian.org
Subject: Bug#729480: fixed in lighttpd 1.4.33-1+nmu2
Date: Mon, 18 Nov 2013 23:03:41 +0000

Source: lighttpd
Source-Version: 1.4.33-1+nmu2

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729480@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 16 Nov 2013 22:29:07 +0000
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source amd64 all
Version: 1.4.33-1+nmu2
Distribution: unstable
Urgency: high
Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 lighttpd   - fast webserver with minimal memory footprint
 lighttpd-doc - documentation for lighttpd
 lighttpd-mod-cml - cache meta language module for lighttpd
 lighttpd-mod-magnet - control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 729480
Changes: 
 lighttpd (1.4.33-1+nmu2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix regression caused by the fix for cve-2013-4508 (closes: #729480).




Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Thu, 28 Nov 2013 22:33:25 GMT) Full text and rfc822 format available.

Notification sent to gator_ml@yahoo.de:
Bug acknowledged by developer. (Thu, 28 Nov 2013 22:33:25 GMT) Full text and rfc822 format available.

Message #51 received at 729480-close@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@debian.org>
To: 729480-close@bugs.debian.org
Subject: Bug#729480: fixed in lighttpd 1.4.28-2+squeeze1.5
Date: Thu, 28 Nov 2013 22:32:32 +0000

Source: lighttpd
Source-Version: 1.4.28-2+squeeze1.5

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729480@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 14 Nov 2013 11:07:04 +0100
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source all i386
Version: 1.4.28-2+squeeze1.5
Distribution: oldstable-security
Urgency: low
Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 lighttpd   - A fast webserver with minimal memory footprint
 lighttpd-doc - Documentation for lighttpd
 lighttpd-mod-cml - Cache meta language module for lighttpd
 lighttpd-mod-magnet - Control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - Anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 729480 729555
Changes: 
 lighttpd (1.4.28-2+squeeze1.5) oldstable-security; urgency=low
 .
   * Non-maintainer upload by the Security Team.
   * Fix regression introduced by fix for cve-2013-4508, related to client
     certificates and SNI. Closes: #729555, #729480




Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Thu, 05 Dec 2013 21:21:19 GMT) Full text and rfc822 format available.

Notification sent to gator_ml@yahoo.de:
Bug acknowledged by developer. (Thu, 05 Dec 2013 21:21:19 GMT) Full text and rfc822 format available.

Message #56 received at 729480-close@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@debian.org>
To: 729480-close@bugs.debian.org
Subject: Bug#729480: fixed in lighttpd 1.4.31-4+deb7u2
Date: Thu, 05 Dec 2013 21:17:19 +0000

Source: lighttpd
Source-Version: 1.4.31-4+deb7u2

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729480@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 14 Nov 2013 10:55:41 +0100
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source i386 all
Version: 1.4.31-4+deb7u2
Distribution: stable-security
Urgency: high
Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 lighttpd   - fast webserver with minimal memory footprint
 lighttpd-doc - documentation for lighttpd
 lighttpd-mod-cml - cache meta language module for lighttpd
 lighttpd-mod-magnet - control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 729480 729555
Changes: 
 lighttpd (1.4.31-4+deb7u2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix regression introduced by fix for cve-2013-4508, related to client
     certificates and SNI. Closes: #729555, #729480




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 03 Jan 2014 07:30:54 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 15:38:53 2014; Machine Name: buxtehude.debian.org
