Hi, here is the patch for the security upload.
Best wishes, Mike
diff -Nru lighttpd-1.4.33/debian/changelog lighttpd-1.4.33/debian/changelog
--- lighttpd-1.4.33/debian/changelog 2013-11-16 22:32:00.000000000 +0000
+++ lighttpd-1.4.33/debian/changelog 2014-03-13 01:26:48.000000000 +0000
@@ -1,3 +1,11 @@
+lighttpd (1.4.33-1+nmu3) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team (closes: #741493).
+ * Fix cve-2014-2323: mod_mysql_vhost SQL injection.
+ * Fix cve-2014-2334: traversal through paths involving "[...]".
+
+ -- Michael Gilbert <mgilb...@debian.org> Thu, 13 Mar 2014 00:29:44 +0000
+
 lighttpd (1.4.33-1+nmu2) unstable; urgency=high
 * Non-maintainer upload by the Security Team.
diff -Nru lighttpd-1.4.33/debian/patches/cve-2014-2323.patch lighttpd-1.4.33/debian/patches/cve-2014-2323.patch
--- lighttpd-1.4.33/debian/patches/cve-2014-2323.patch 1970-01-01 00:00:00.000000000 +0000
+++ lighttpd-1.4.33/debian/patches/cve-2014-2323.patch 2014-03-13 01:06:07.000000000 +0000
@@ -0,0 +1,36 @@
+description: fix cve-2014-2323
+author: Stephan Buhler
+origin: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
+
+--- a/src/mod_mysql_vhost.c 2014-03-13 01:00:35.467830244 +0000
++++ b/src/mod_mysql_vhost.c 2014-03-13 01:02:48.407829917 +0000
+@@ -351,6 +351,7 @@
+ mod_mysql_vhost_patch_connection(srv, con, p);
+
+ if (!p->conf.mysql) return HANDLER_GO_ON;
++ if (0 == p->conf.mysql_pre->used) return HANDLER_GO_ON;
+
+ /* sets up connection data if not done yet */
+ c = mod_mysql_vhost_connection_data(srv, con, p_d);
+@@ -362,10 +363,19 @@
+ /* build and run SQL query */
+ buffer_copy_string_buffer(p->tmp_buf, p->conf.mysql_pre);
+ if (p->conf.mysql_post->used) {
+- buffer_append_string_buffer(p->tmp_buf, con->uri.authority);
++ /* escape the uri.authority */
++ unsigned long to_len;
++
++ /* 'to' has to be 'from_len * 2 + 1' */
++ buffer_prepare_append(p->tmp_buf, (con->uri.authority->used - 1) * 2 + 1);
++
++ to_len = mysql_real_escape_string(p->conf.mysql,
++ p->tmp_buf->ptr + p->tmp_buf->used - 1,
++ con->uri.authority->ptr, con->uri.authority->used - 1);
++ p->tmp_buf->used += to_len;
+ buffer_append_string_buffer(p->tmp_buf, p->conf.mysql_post);
+ }
+- if (mysql_query(p->conf.mysql, p->tmp_buf->ptr)) {
++ if (mysql_real_query(p->conf.mysql, p->tmp_buf->ptr, p->tmp_buf->used - 1)) {
+ log_error_write(srv, __FILE__, __LINE__, "s", mysql_error(p->conf.mysql));
+ goto ERR500;
+ }
diff -Nru lighttpd-1.4.33/debian/patches/cve-2014-2324.patch lighttpd-1.4.33/debian/patches/cve-2014-2324.patch
--- lighttpd-1.4.33/debian/patches/cve-2014-2324.patch 1970-01-01 00:00:00.000000000 +0000
+++ lighttpd-1.4.33/debian/patches/cve-2014-2324.patch 2014-03-13 01:06:15.000000000 +0000
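Review bot: mysql_real_escape_string() only neutralises the authority when the configured mysql_pre/mysql_post template embeds it inside a quoted string literal; a template that places the value unquoted (e.g. `... WHERE host = ` followed directly by the value) remains injectable, and nothing in the hunk checks how the template is written. I'd say so at the escape site, `/* escaping assumes mysql_pre ends inside a quoted literal; an unquoted template is still injectable */`, and repeat the caveat in the module's configuration docs. The `con->uri.authority->used - 1` in the buffer_prepare_append() call underflows if `used` is 0; I would expect an empty-authority early return near the top of mod_mysql_vhost_handle_docroot, but that part of the function is outside the hunk, so it should be confirmed rather than assumed. Also note that mysql_real_escape_string() escapes according to the connection's current character set, so the result is only reliable if that charset matches the one the server uses to parse the query.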
@@ -0,0 +1,26 @@
+description: fix cve-2014-2324
+author: Stephan Buhler
+origin: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
+
+--- a/src/request.c (revision 2958)
++++ b/src/request.c (revision 2959)
+@@ -43,7 +43,7 @@
+ char *c = host->ptr + 1;
+ int colon_cnt = 0;
+
+- /* check portnumber */
++ /* check the address inside [...] */
+ for (; *c && *c != ']'; c++) {
+ if (*c == ':') {
+ if (++colon_cnt > 7) {
+@@ -67,6 +67,10 @@
+ }
+ }
+ }
++ else if ('\0' != *(c+1)) {
++ /* only a port is allowed to follow [...] */
++ return -1;
++ }
+ return 0;
+ }
+
diff -Nru lighttpd-1.4.33/debian/patches/series lighttpd-1.4.33/debian/patches/series
--- lighttpd-1.4.33/debian/patches/series 2013-11-16 22:28:26.000000000 +0000
+++ lighttpd-1.4.33/debian/patches/series 2014-03-13 01:04:10.000000000 +0000
@@ -1,3 +1,5 @@
 cve-2013-4508.patch
 cve-2013-4559.patch
 cve-2013-4560.patch
+cve-2014-2323.patch
+cve-2014-2324.patch
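Review bot: The new `else if ('\0' != *(c+1))` reads one byte past `c`, which is only safe if `c` is known to point at the closing `]` when control reaches it; the loop in the first hunk also exits on `'\0'`, so the guard depends on a missing-bracket check (something like `if (!*c) return -1;`) that must sit between the two hunks, where this patch cannot show it. I'd make that dependency explicit in the new comment: `/* c points at ']' here (a missing ']' was rejected above); only ':'<port> or end of string may follow */`. The `if` this branch attaches to is likewise outside the hunk, so whether an empty port after `]:` is rejected cannot be judged from here. Separately, the changelog entry in this upload labels the fix cve-2014-2334 while the patch file and the series entry say cve-2014-2324; one of the two is a typo and should be corrected before upload.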