Lighttpd

2015-05-28

17:50 Bug #2646 (Fixed): Log injection vulnerability in mod_auth

Applied in changeset r2989. stbuehler

17:47 Revision 2989 (svn): escape all strings for logging (fixes #2646 log file injection, reported by Jaanus Kääp)

From: Stefan Bühler <stbuehler@web.de> stbuehler

15:47 Revision 427120b4: escape all strings for logging (fixes #2646 log file injection, reported by Jaanus Kääp)

From: Stefan Bühler <stbuehler@web.de>
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2989 152a... stbuehler

2015-05-27

22:31 Bug #1849: Webdav Mac OS 10.5 Finder incompatibility

same behaviour confirmed with Mac OSX 10.9.5 and lighttpd 1.4.31-4+deb7u3 okalou

2015-05-26

17:58 Bug #2647 (Fixed): disable sslv3 protocol by default

r2969 - committed some months ago stbuehler

14:58 Bug #2647 (Fixed): disable sslv3 protocol by default

sslv3 protocol should be probably disabled by default (in the same way how sslv2 is) to mitigate "POODLE" vulnerabili... petrs

13:48 Bug #2646: Log injection vulnerability in mod_auth

Possible fix:... petrs

2015-05-25

19:19 Bug #2646 (Fixed): Log injection vulnerability in mod_auth

Reported via mail by Jaanus Kääp (http://jaanuskp.blogspot.de/2015/05/cve-2015-3200.html)
When basic HTTP authenti... stbuehler

2015-05-22

17:52 Bug #1499 (Reopened): HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set.

this is not fixed (I'm on 1.4.31-4+deb7u3)
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Ubun... transacid