Bug #63

duplicate config vars are not reported

Added by Anonymous over 14 years ago. Updated over 12 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: core
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x:

Description

I am a new user of lighttpd and was trying to set up fastcgi support for php. After this worked I then tried to make my CGIs work as well. I duplicated the entries that I had. After much time spent on the #lighttpd irc channel weigon_ spent much time helping me along. It was then determined that my duplication of my fastcgi.server section was the cause of my problems. After running ktrace and kdump this duplicate configuration variable was not reported.

Hence this ticket.

-- bcook

Associated revisions

Revision fb87ae86
Added by gstrauss over 2 years ago

[mod_openssl] safer_X509_NAME_oneline() (fixes #2693)

provide a safer X509_NAME_oneline() with return value semantics similar
to those of snprintf() and use safer_X509_NAME_oneline() to set
SSL_CLIENT_S_DN when client cert is validated.

The manpage for X509_NAME_oneline() says:

The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.

Besides X509_NAME_oneline() function being deprecated, until fairly recently, there was a security issue with the function, too.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176

The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

github: closes #63, closes #83

x-ref:
"support SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN"
https://redmine.lighttpd.net/issues/2693
https://github.com/lighttpd/lighttpd1.4/pull/63
https://github.com/lighttpd/lighttpd1.4/pull/83
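The commit message above describes the defensive pattern without showing it: a DN formatter whose return value follows snprintf() semantics (the length the full string needs, even when the buffer was too small), so the caller can detect truncation and refuse to publish a partial SSL_CLIENT_S_DN instead of trusting whatever landed in a fixed buffer. The following is an added example, not lighttpd's or OpenSSL's code; `struct dn_entry`, `safer_dn_oneline()`, `set_client_s_dn()` and the sample subject are constructed stand-ins for an X509_NAME's entries, chosen so the block compiles without OpenSSL.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <limits.h>

/* Constructed stand-in for the entries of a certificate subject name
 * (assumption for this example; not OpenSSL's X509_NAME type). */
struct dn_entry {
    const char *key;
    const char *value;
};

/* Constructed sample subject, standing in for a validated client cert. */
const struct dn_entry sample_dn[] = {
    { "C",  "DE" },
    { "O",  "Example Org" },
    { "CN", "client.example" },
};
const size_t sample_dn_len = sizeof sample_dn / sizeof sample_dn[0];

/* Format entries as "/key=value/key=value" into buf (bufsz bytes).
 * Return value has snprintf() semantics: the number of bytes the complete
 * string needs, excluding the NUL; a value >= bufsz means the output was
 * truncated. Returns -1 if an entry could not be formatted. The buffer is
 * always NUL-terminated when bufsz > 0 and is never written past its end. */
int safer_dn_oneline(const struct dn_entry *entries, size_t n,
                     char *buf, size_t bufsz)
{
    size_t used = 0;
    if (bufsz) buf[0] = '\0';
    for (size_t i = 0; i < n; ++i) {
        /* Only the remaining room is offered to snprintf; once the buffer
         * is exhausted we pass NULL/0 and merely keep counting. */
        size_t room = used < bufsz ? bufsz - used : 0;
        int rc = snprintf(room ? buf + used : NULL, room, "/%s=%s",
                          entries[i].key, entries[i].value);
        if (rc < 0) return -1;
        used += (size_t)rc;
    }
    return used > INT_MAX ? -1 : (int)used;
}

/* Caller pattern: export the DN only when it fit completely. Returns 1 when
 * out holds the full DN, 0 when it was truncated or failed (out is cleared,
 * so no partial, misleading DN is handed to a CGI/FastCGI backend). */
int set_client_s_dn(const struct dn_entry *entries, size_t n,
                    char *out, size_t outsz)
{
    int need = safer_dn_oneline(entries, n, out, outsz);
    if (need < 0 || (size_t)need >= outsz) {
        if (outsz) out[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    char big[64], small[10];
    printf("fits:      %d -> \"%s\"\n",
           set_client_s_dn(sample_dn, sample_dn_len, big, sizeof big), big);
    printf("truncated: %d -> \"%s\"\n",
           set_client_s_dn(sample_dn, sample_dn_len, small, sizeof small), small);
    return 0;
}
```

The important design choice is that the formatter never reports success by accident: a caller that compares the return value against its buffer size learns about truncation, which the legacy X509_NAME_oneline() interface does not make easy.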

History

#1

Updated by jan over 14 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

fixed in changeset r267 which should apply cleanly to older versions too.