diff -Nru lighttpd-1.4.35/debian/changelog lighttpd-1.4.35/debian/changelog
--- lighttpd-1.4.35/debian/changelog 2016-04-18 15:26:58.000000000 +0000
+++ lighttpd-1.4.35/debian/changelog 2019-01-31 16:23:05.000000000 +0000
@@ -1,3 +1,12 @@
+lighttpd (1.4.35-4ubuntu2.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Fix vulnerability in HTTPoxy.
+ - debian/patches/CVE-2016-1000212.patch: Mitigation for HTTPoxy
+ vulnerability.
+ - CVE-2016-1000212
+
+ -- Paulo Flabiano Smorigo Thu, 31 Jan 2019 14:20:05 -0200
+
 lighttpd (1.4.35-4ubuntu2) xenial; urgency=medium
 * Rebuild for libmysqlclient20.
diff -Nru lighttpd-1.4.35/debian/patches/CVE-2016-1000212.patch lighttpd-1.4.35/debian/patches/CVE-2016-1000212.patch
--- lighttpd-1.4.35/debian/patches/CVE-2016-1000212.patch 1970-01-01 00:00:00.000000000 +0000
+++ lighttpd-1.4.35/debian/patches/CVE-2016-1000212.patch 2019-01-31 16:23:30.000000000 +0000
@@ -0,0 +1,125 @@
+commit 779c133c16f9af168b004dce7a2a64f16c1cb3a4
+Author: Glenn Strauss
+Date: Mon Jul 18 22:59:33 2016 -0400
+
+ [security] do not emit HTTP_PROXY to CGI env
+
+ Strip bogus "Proxy" header before creating subprocess environment.
+ (mod_cgi, mod_fastcgi, mod_scgi, mod_ssi, mod_proxy)
+
+ Do not emit HTTP_PROXY to subprocess environment.
+ Some executables use HTTP_PROXY to configure outgoing proxy.
+
+ This is not a lighttpd security issue per se, but this change to
+ lighttpd adds a layer of defense to protect backend processes which
+ might be vulnerable due to blindly using this untrusted environment
+ variable. The HTTP_PROXY environment variable should not be trusted
+ by a program running in a CGI-like environment.
+
+ Mitigation in lighttpd <= 1.4.40 is to reject requests w/ Proxy header:
+
+ * Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
+ if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
+ * Modify lighttpd.conf to load mod_magnet and run lua code
+ server.modules += ( "mod_magnet" )
+ magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )
+
+ References:
+
+ https://www.kb.cert.org/vuls/id/797896
+ CGI web servers assign Proxy header values from client requests to
+ internal HTTP_PROXY environment variables
+
+ https://httpoxy.org/
+ httpoxy: A CGI application vulnerability
+
+--- lighttpd-1.4.35.orig/src/mod_cgi.c
++++ lighttpd-1.4.35/src/mod_cgi.c
+@@ -949,7 +949,14 @@ static int cgi_create_env(server *srv, c
+
+ ds = (data_string *)con->request.headers->data[n];
+
+- if (ds->value->used && ds->key->used) {
++ if (!buffer_is_empty(ds->value) && !buffer_is_empty(ds->key)) {
++ /* Do not emit HTTP_PROXY in environment.
++ * Some executables use HTTP_PROXY to configure
++ * outgoing proxy. See also https://httpoxy.org/ */
++ if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
++ continue;
++ }
++
+ size_t j;
+
+ buffer_reset(p->tmp_buf);
+--- lighttpd-1.4.35.orig/src/mod_fastcgi.c
++++ lighttpd-1.4.35/src/mod_fastcgi.c
+@@ -1777,7 +1777,14 @@ static int fcgi_env_add_request_headers(
+
+ ds = (data_string *)con->request.headers->data[i];
+
+- if (ds->value->used && ds->key->used) {
++ if (!buffer_is_empty(ds->value) && !buffer_is_empty(ds->key)) {
++ /* Do not emit HTTP_PROXY in environment.
++ * Some executables use HTTP_PROXY to configure
++ * outgoing proxy. See also https://httpoxy.org/ */
++ if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
++ continue;
++ }
++
+ size_t j;
+ buffer_reset(srv->tmp_buf);
+
+--- lighttpd-1.4.35.orig/src/mod_proxy.c
++++ lighttpd-1.4.35/src/mod_proxy.c
+@@ -473,9 +473,13 @@ static int proxy_create_env(server *srv,
+
+ ds = (data_string *)con->request.headers->data[i];
+
+- if (ds->value->used && ds->key->used) {
+- if (buffer_is_equal_string(ds->key, CONST_STR_LEN("Connection"))) continue;
+- if (buffer_is_equal_string(ds->key, CONST_STR_LEN("Proxy-Connection"))) continue;
++ if (!buffer_is_empty(ds->value) && !buffer_is_empty(ds->key)) {
++ if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Connection"))) continue;
++ if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy-Connection"))) continue;
++ /* Do not emit HTTP_PROXY in environment.
++ * Some executables use HTTP_PROXY to configure
++ * outgoing proxy. See also https://httpoxy.org/ */
++ if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) continue;
+
+ buffer_append_string_buffer(b, ds->key);
+ buffer_append_string_len(b, CONST_STR_LEN(": "));
+--- lighttpd-1.4.35.orig/src/mod_scgi.c
++++ lighttpd-1.4.35/src/mod_scgi.c
+@@ -1424,7 +1424,13 @@ static int scgi_env_add_request_headers(
+
+ ds = (data_string *)con->request.headers->data[i];
+
+- if (ds->value->used && ds->key->used) {
++ if (!buffer_is_empty(ds->value) && !buffer_is_empty(ds->key)) {
++ /* Do not emit HTTP_PROXY in environment.
++ * Some executables use HTTP_PROXY to configure
++ * outgoing proxy. See also https://httpoxy.org/ */
++ if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
++ continue;
++ }
+ size_t j;
+ buffer_reset(srv->tmp_buf);
+
+--- lighttpd-1.4.35.orig/src/mod_ssi.c
++++ lighttpd-1.4.35/src/mod_ssi.c
+@@ -177,7 +177,14 @@ static int ssi_env_add_request_headers(s
+ buffer_reset(srv->tmp_buf);
+
+ /* don't forward the Authorization: Header */
+- if (0 == strcasecmp(ds->key->ptr, "AUTHORIZATION")) {
++ if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Authorization"))) {
++ continue;
++ }
++
++ /* Do not emit HTTP_PROXY in environment.
++ * Some executables use HTTP_PROXY to configure
++ * outgoing proxy. See also https://httpoxy.org/ */
++ if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
+ continue;
+ }
+
diff -Nru lighttpd-1.4.35/debian/patches/series lighttpd-1.4.35/debian/patches/series
--- lighttpd-1.4.35/debian/patches/series 2015-01-26 00:50:41.000000000 +0000
+++ lighttpd-1.4.35/debian/patches/series 2019-01-31 16:23:22.000000000 +0000
@@ -3,3 +3,4 @@
 no-sslv3.patch
 build-dev-package.patch
 add-lighttpd.pc-configure.patch
+CVE-2016-1000212.patch
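Review bot: The mod_cgi, mod_fastcgi, mod_scgi and mod_proxy hunks rewrite the surrounding guard from `if (ds->value->used && ds->key->used) {` to `if (!buffer_is_empty(ds->value) && !buffer_is_empty(ds->key)) {` on the same lines that add the `Proxy` check, and the mod_proxy hunk also switches the `Connection`/`Proxy-Connection` matches from `buffer_is_equal_string` to the caseless variant; none of that is required for the mitigation, and whether the guard change is purely cosmetic depends on whether `buffer_is_empty` in this 1.4.35 tree tests only `used == 0` or also treats a zero-length value as empty, which would silently drop empty-valued headers from the subprocess environment in a stable security update. I would keep the original guard and add only the new line beneath it, `if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) continue;`, so the backport's footprint is the CVE fix alone. The comment above each new check could also name the issue for future maintainers: `/* CVE-2016-1000212 (httpoxy): a client-supplied "Proxy" header would otherwise be exported as HTTP_PROXY */`. The enclosing functions `cgi_create_env`, `fcgi_env_add_request_headers`, `proxy_create_env`, `scgi_env_add_request_headers` and `ssi_env_add_request_headers` all begin and end outside their hunks.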