Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#37765 - [lighttpd] security patches for 3 CVE

Attached to Project: Arch Linux
Opened by RbN (RbN) - Thursday, 14 November 2013, 19:34 GMT
Last edited by Pierre Schmitz (Pierre) - Friday, 15 November 2013, 09:45 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No
This task depends upon

Closed by  Pierre Schmitz (Pierre)
Friday, 15 November 2013, 09:45 GMT
Reason for closing:  Fixed
Comment by Dave Reisner (falconindy) - Thursday, 14 November 2013, 19:55 GMT
[0] Does not apply to 1.4.33
[1] Does not apply to 1.4.33, and Arch doesn't even use FAM in lighttpd.

I'd hope that for a fix as large as [2], upstream would simply do a new release... Have you looked into the release schedule for (I suppose) 1.4.34?
Comment by RbN (RbN) - Thursday, 14 November 2013, 20:21 GMT
Ho sorry, i mis-read the announcements, my bad!

AFAIK, they will release a 1.4.34 soon, but i don't know when exactly.
Comment by Pierre Schmitz (Pierre) - Friday, 15 November 2013, 09:45 GMT
I m not sure about CVE-2013-4559; while the txt says 1.4.33 is not affected, the patch applies and it will be part of the next release.

As it is really easy to add these patches, I prefer being safe than sorry here and just pushed a new package. I also included the FAM patch for those who compile from source.

It is unfortunate that there is no upstream announcement an no talk about a new release.