Debian Patches

Status for webfs/1.21+ds1-12

Each entry lists: Patch, Description, Author, Forwarded, Bugs, Origin, Last update.

00_no_strip.diff
  Description: No stripping of binary file.
    Prevent unconditional stripping of the binary executable by the
    upstream build system. It must be possible to package without
    stripping, see Debian Policy, Sect. 10.1.
  Author: Mats Erik Andersson <mats.andersson@gisladisker.se>
  Forwarded: not-needed
  Last update: 2010-01-26

10_manpage.diff
  Description: Fine-tune manual page.
    Use correct hyphen encoding for use by groff.

    Add important information on options '-h' and '-x'.

    Mention that '-4' and '-6' imply restriction to a single protocol.

    Describe the implemented, but undocumented, option '-~'.
  Author: Mats Erik Andersson <debian@gisladisker.se>
  Forwarded: no
  Last update: 2014-01-14

30_socketinfo.diff
  Description: Silence compiler warnings.
    Declare a local variable to be of type 'socklen_t' instead of 'int'.
    This variable is passed to the 'getnameinfo()' call and to similar
    host information calls.
  Author: Mats Erik Andersson <mats.andersson@gisladisker.se>
  Forwarded: no
  Last update: 2010-01-26

32_no_cloexec.diff
  Description: Erase FD_CLOEXEC flag.
    In recent Glibc and kernels, the default action is to set FD_CLOEXEC
    when duplicating a descriptor. The CGI routine uses an execve() call
    and the parent starts listening to the stdout of the child. Therefore
    the closing of STDOUT_FILENO must nowadays be prevented explicitly.
  Author: Mats Erik Andersson <mats.andersson@gisladisker.se>
  Forwarded: no
  Last update: 2010-01-29

40_request_c.diff
  Description: Avoid compiler warnings.
    Mismatching use of 'unsigned char' is causing compiler warnings.
  Author: Mats Erik Andersson <mats.andersson@gisladisker.se>
  Forwarded: no
  Last update: 2010-01-26
70_group_access.diff
  Description: Two cases of potential access escalation.
    For read access to a file, the check of group access was incorrectly
    implemented, using a mixture of user and group identities.

    The supplementary group list was only reset when an explicit group
    change had been requested, thus opening the door to potential access
    escalation. The code is changed to always reset the supplementary
    group list. This new default behaviour seems to best match the
    philosophy of the original software.

    Testing could not unveil any noticeable side effect of this latter
    additional change.
  Author: Mats Erik Andersson <debian@gisladisker.se>
  Forwarded: no
  Last update: 2010-04-14
50_quote_call.diff
  Description: Resolve inconsistent signedness use by quote( , ).
    The source code is written with indiscriminate use of the string
    types 'char *' and 'unsigned char *' when it comes to translating
    back and forth between url-encoded and unix-path encoded strings.

    In 'quote( , )' the string 'buf[2048]' is indeed only used to store
    true ASCII characters; it is thus now declared using 'char *'.
    In this function the first argument can contain extended ASCII
    characters, so strlen() on that argument can use a cast, since it
    only searches for the terminating null character.

    Three calls to 'quote( , )' are legitimate, but need to use a cast
    to unsigned character strings in order to fit the prototype.
  Author: Mats Erik Andersson <mats.andersson@gisladisker.se>
  Forwarded: no
  Last update: 2010-01-27
55_sockopt_v6only.diff
  Description: Predictably set socket option IPV6_V6ONLY.
    The default mode of operation for Webfs was intended to listen on
    both IPv4 and IPv6. To be certain this can always be done, the patch
    assigns the socket option the value IPV6_V6ONLY=0, thus overriding
    any system default that might be in effect.

    Conversely, if '-6' has been specified, make sure that IPV6_V6ONLY=1
    is used.
  Author: Mats Erik Andersson <debian@gisladisker.se>
  Forwarded: no
  Last update: 2010-02-14
60_error_trapping.diff
  Description: Implement a few critical preventive error checks.
    The error trapping is insufficient in the original source.

    The patch prepares for implementing such trapping, and also improves
    two conditionals which will only matter with later changes, but for
    now are non-intrusive.
  Author: Mats Erik Andersson <debian@gisladisker.se>
  Forwarded: no
  Last update: 2010-03-15
63_gnutls.diff
  Description: Implement support for GnuTLS.
    This patch set implements the option to let GnuTLS replace OpenSSL,
    which was the only option in the original source code.

    The alterations leave the OpenSSL code intact, and also let GnuTLS
    be used in a threaded setting.

    No client verifications are implemented, nor can the crypto key be
    protected by a pass phrase at this time.

    Explicit linking to "gcrypt". This is needed by "binutils-gold".
    Reported as LP: #665276. Contributed by Roy Jamison.
  Author: Mats Erik Andersson <debian@gisladisker.se>
  Forwarded: no
  Last update: 2013-10-07
66_further_gnutls.diff
  Description: Further useful functionality from libgnutls.
    Continuing on the first implementation for using libgnutls, this
    patch set includes further checks and refined properties.

    Allow the server certificate and key to be contained in separate files.

    Allow the server to use a CA-chain file.

    Arrange for the cipher priorities to be configurable at start-up.

    Implement some useful verifications of the client certificate and
    its certificate chain. This is crafted as an on/off option.
  Author: Mats Erik Andersson <debian@gisladisker.se>
  Forwarded: no
  Last update: 2010-03-26
68_large_files.diff
  Description: Transmission of large files in TLS mode.
    The legacy signatures of ssl_read(), ssl_write() and ssl_blk_write()
    could not correctly represent sizes larger than 2.2GB. An internal
    counter needs to be of type ssize_t.

    Likewise, the type of the byte counter in "struct REQUEST.bc" must
    be adapted.

    The logging entry coded in "webfsd.c" could not record sizes above
    2.2GB correctly, needing a change of format string.

    Increase the buffer size in ssl_blk_write() to 16 kB for a slightly
    better throughput.
  Author: Mats Erik Andersson <debian@gisladisker.se>
  Forwarded: no
  Origin: debian
  Last update: 2013-10-22
75_hardening_flags.diff
  Description: Pass compilation flags.
    Make sure that all of CPPFLAGS, CFLAGS, and LDFLAGS are used in the
    build process, since they are preloaded by us with values for
    hardening of the binary executable.

    Remove the switch "-e", which does not work with dash.
  Author: Mats Erik Andersson <debian@gisladisker.se>
  Forwarded: not-needed
  Last update: 2012-08-01
80_cve_2013_0347.diff
  Description: CVE-2013-0347, webfs world-readable logdir.
    The log file is created with world-readable permissions by default,
    which poses a potential security issue.

    Temporarily set a stronger umask of 0137. Then open the log file in
    append mode. This eliminates world access to a newly created file.
  Author: Mats Erik Andersson <debian@gisladisker.se>
  Forwarded: not-needed
  Origin: debian
  Last update: 2013-10-07
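The umask-and-append technique described for 80_cve_2013_0347.diff, as an added C example that is not part of the Debian patch or of the webfs source; the function names and the /tmp path are my own constructed choices, and the check that the resulting mode is 0640 (0666 masked by 0137) is what a reviewer would verify.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (or create) a log file so a freshly created file is never
 * world-readable: tighten the umask to 0137 only around the open() call,
 * open in append mode, then restore the caller's umask.
 * 0666 & ~0137 == 0640: rw for owner, r for group, nothing for others. */
int open_log_private(const char *path)
{
    mode_t saved = umask(0137);
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0666);
    int saved_errno = errno;
    umask(saved);                /* do not leak the stricter umask */
    errno = saved_errno;
    return fd;                   /* -1 with errno set on failure */
}

/* Permission bits (0777 part) of an existing file, or -1 if stat() fails. */
int file_mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Create 'path' via open_log_private(), report its mode bits, remove it. */
int create_private_log_mode(const char *path)
{
    unlink(path);                /* ensure we exercise file creation */
    int fd = open_log_private(path);
    if (fd < 0)
        return -1;
    close(fd);
    int mode = file_mode_bits(path);
    unlink(path);
    return mode;
}

int main(void)
{
    /* Constructed demo path; webfsd takes its real log path from its command line. */
    const char *p = "/tmp/webfs_cve_2013_0347_demo.log";
    printf("created %s with mode %04o\n", p, create_private_log_mode(p));
    return 0;
}
```

An existing file keeps whatever mode it already has, since open() only applies the umask at creation; the fix therefore protects newly created logs, which is exactly what the patch description claims.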
82_kfreebsd.diff
  Description: Use the kernel's sendfile() with kFreeBSD.
    When compiling for GNU/kFreeBSD, check whether the library implements
    sendfile(). If so, go ahead and use it, otherwise fall back to the
    emulation. Only more recent glibc versions actually provide a
    functional sendfile(), all others returning ENOSYS.

    A macro DEBUG_XSENDFILE inserts debug logging on kFreeBSD systems.

    Rename the sendfile emulation as emulsendfile() and keep it always
    available.
  Author: Mats Erik Andersson <debian@gisladisker.se>
  Forwarded: no
  Last update: 2014-01-14

85_conditional_gcrypt.diff
  Description: Make libgcrypt conditional.
    More recent versions of libgnutls no longer require libgcrypt as an
    unconditional dependency. Adjust to this fact.
  Author: Mats Erik Andersson <debian@gisladisker.se>
  Forwarded: not-needed
  Origin: debian
  Last update: 2014-06-27
