upgrade to lighttpd 1.4.19. security and bug fix update. CVE-2008-1270

looks good jasper@

www/lighttpd/Makefile

@@ -1,11 +1,10 @@
-# $OpenBSD: Makefile,v 1.48 2008/03/02 10:04:22 jasper Exp $
+# $OpenBSD: Makefile,v 1.49 2008/03/16 18:43:31 brad Exp $
 
 SHARED_ONLY=	Yes
 
 COMMENT=	secure, fast, compliant, and very flexible web-server
 
-DISTNAME=	lighttpd-1.4.18
-PKGNAME=	${DISTNAME}p0
+DISTNAME=	lighttpd-1.4.19
 CATEGORIES=	www net
 MASTER_SITES=	${HOMEPAGE}/download/
 

www/lighttpd/distinfo

@@ -1,5 +1,5 @@
-MD5 (lighttpd-1.4.18.tar.gz) = XbMgTVdDagMviZ/52855Pw==
-RMD160 (lighttpd-1.4.18.tar.gz) = 38oV5LAqQFzInc37mg+BN5cc+yQ=
-SHA1 (lighttpd-1.4.18.tar.gz) = MOskzfz+rfEPoW8YczC9xd6yXtI=
-SHA256 (lighttpd-1.4.18.tar.gz) = l9CsWVd0XurzEew467vzswpTFrAcMgp1mvRxKcmUwgw=
-SIZE (lighttpd-1.4.18.tar.gz) = 803361
+MD5 (lighttpd-1.4.19.tar.gz) = zt5BDnre4+oUIGdJGQqLXQ==
+RMD160 (lighttpd-1.4.19.tar.gz) = fb4qIgUeGPQDe0juSBHiyXONIM8=
+SHA1 (lighttpd-1.4.19.tar.gz) = eeLWHdkBfDxQwP6YsiicrlwSVe4=
+SHA256 (lighttpd-1.4.19.tar.gz) = RFMkuVgR4o7RryPbA2SBNs4zR4HomrhY+0/VcQFvsd8=
+SIZE (lighttpd-1.4.19.tar.gz) = 815568

www/lighttpd/patches/patch-doc_lighttpd_conf

@@ -1,7 +1,7 @@
-$OpenBSD: patch-doc_lighttpd_conf,v 1.4 2007/09/10 20:41:59 rui Exp $
---- doc/lighttpd.conf.orig	Tue Aug 14 20:05:57 2007
-+++ doc/lighttpd.conf	Mon Sep 10 21:18:56 2007
-@@ -186,10 +186,10 @@ static-file.exclude-extensions = ( ".php", ".pl", ".fc
+$OpenBSD: patch-doc_lighttpd_conf,v 1.5 2008/03/16 18:43:31 brad Exp $
+--- doc/lighttpd.conf.orig	Thu Jan 17 07:41:14 2008
++++ doc/lighttpd.conf	Tue Mar 11 16:37:56 2008
+@@ -187,10 +187,10 @@ static-file.exclude-extensions = ( ".php", ".pl", ".fc
  #server.chroot              = "/"
  
  ## change uid to <uid> (default: don't care)

www/lighttpd/patches/patch-src_fdevent_solaris_devpoll_c

@@ -1,12 +0,0 @@
-$OpenBSD: patch-src_fdevent_solaris_devpoll_c,v 1.1 2008/03/02 10:04:22 jasper Exp $
---- src/fdevent_solaris_devpoll.c.orig	Fri Feb 29 15:51:27 2008
-+++ src/fdevent_solaris_devpoll.c	Fri Feb 29 15:51:47 2008
-@@ -67,7 +67,7 @@ static int fdevent_solaris_devpoll_poll(fdevents *ev, 
- 	int ret;
- 
- 	dopoll.dp_timeout = timeout_ms;
--	dopoll.dp_nfds = ev->maxfds;
-+	dopoll.dp_nfds = ev->maxfds - 1;
- 	dopoll.dp_fds = ev->devpollfds;
- 
- 	ret = ioctl(ev->devpoll_fd, DP_POLL, &dopoll);

www/lighttpd/patches/patch-src_mod_compress_c

@@ -0,0 +1,14 @@
+$OpenBSD: patch-src_mod_compress_c,v 1.1 2008/03/16 18:43:31 brad Exp $
+--- src/mod_compress.c.orig	Sun Mar 16 09:14:55 2008
++++ src/mod_compress.c	Sun Mar 16 09:15:28 2008
+@@ -178,9 +178,9 @@ SETDEFAULTS_FUNC(mod_compress_setdefaults) {
+ 		}
+ 
+ 		if (!buffer_is_empty(s->compress_cache_dir)) {
++			struct stat st;
+ 			mkdir_recursive(s->compress_cache_dir->ptr);
+ 
+-			struct stat st;
+ 			if (0 != stat(s->compress_cache_dir->ptr, &st)) {
+ 				log_error_write(srv, __FILE__, __LINE__, "sbs", "can't stat compress.cache-dir",
+ 						s->compress_cache_dir, strerror(errno));

www/lighttpd/patches/patch-src_mod_extforward_c

@@ -0,0 +1,14 @@
+$OpenBSD: patch-src_mod_extforward_c,v 1.1 2008/03/16 18:43:31 brad Exp $
+--- src/mod_extforward.c.orig	Sun Mar 16 09:16:32 2008
++++ src/mod_extforward.c	Sun Mar 16 09:17:07 2008
+@@ -281,8 +281,9 @@ static int is_proxy_trusted(const char *ipstr, plugin_
+ static const char *last_not_in_array(array *a, plugin_data *p)
+ {
+ 	array *forwarder = p->conf.forwarder;
++	int i;
+ 
+-	for (int i = a->used - 1; i >= 0; i--) {
++	for (i = a->used - 1; i >= 0; i--) {
+ 		data_string *ds = (data_string *)a->data[i];
+ 		const char *ip = ds->value->ptr;
+ 

www/lighttpd/patches/patch-src_server_c

@@ -1,49 +0,0 @@
-$OpenBSD: patch-src_server_c,v 1.5 2008/03/02 10:04:22 jasper Exp $
---- src/server.c.orig	Fri Feb 29 15:52:04 2008
-+++ src/server.c	Fri Feb 29 18:59:11 2008
-@@ -697,9 +697,6 @@ int main (int argc, char **argv) {
- 			}
- 		}
- 
--		/* #372: solaris need some fds extra for devpoll */
--		if (rlim.rlim_cur > 10) rlim.rlim_cur -= 10;
--
- 		if (srv->event_handler == FDEVENT_HANDLER_SELECT) {
- 			srv->max_fds = rlim.rlim_cur < FD_SETSIZE - 200 ? rlim.rlim_cur : FD_SETSIZE - 200;
- 		} else {
-@@ -759,6 +756,19 @@ int main (int argc, char **argv) {
- 
- 			return -1;
- 		}
-+
-+#ifdef HAVE_PWD_H
-+		/**
-+		 * initgroups() has to be called before chroot()
-+		 */
-+		if (srv->srvconf.groupname->used) {
-+			setgid(grp->gr_gid);
-+			setgroups(0, NULL);
-+			if (srv->srvconf.username->used) {
-+				initgroups(srv->srvconf.username->ptr, grp->gr_gid);
-+			}
-+		}
-+#endif
- #ifdef HAVE_CHROOT
- 		if (srv->srvconf.changeroot->used) {
- 			tzset();
-@@ -775,15 +785,7 @@ int main (int argc, char **argv) {
- #endif
- #ifdef HAVE_PWD_H
- 		/* drop root privs */
--		if (srv->srvconf.groupname->used) {
--			setgid(grp->gr_gid);
--			setgroups(0, NULL);
--		}
--
- 		if (srv->srvconf.username->used) {
--			if (srv->srvconf.groupname->used) {
--				initgroups(srv->srvconf.username->ptr, grp->gr_gid);
--			}
- 			setuid(pwd->pw_uid);
- 		}
- #endif

www/lighttpd/patches/patch-src_spawn-fcgi_c

@@ -1,36 +0,0 @@
-$OpenBSD: patch-src_spawn-fcgi_c,v 1.1 2008/03/02 10:04:22 jasper Exp $
---- src/spawn-fcgi.c.orig	Fri Feb 29 18:59:42 2008
-+++ src/spawn-fcgi.c	Fri Feb 29 19:02:19 2008
-@@ -404,6 +404,18 @@ int main(int argc, char **argv) {
- 			}
- 		}
- 
-+		/*
-+		 * Change group before chroot, when we have access
-+		 * to /etc/group
-+		 */
-+		if (groupname) {
-+			setgid(grp->gr_gid);
-+			setgroups(0, NULL);
-+			if (username) {
-+				initgroups(username, grp->gr_gid);
-+			}
-+		}
-+
- 		if (changeroot) {
- 			if (-1 == chroot(changeroot)) {
- 				fprintf(stderr, "%s.%d: %s %s\n",
-@@ -420,13 +432,7 @@ int main(int argc, char **argv) {
- 		}
- 
- 		/* drop root privs */
--		if (groupname) {
--			setgid(grp->gr_gid);
--		}
- 		if (username) {
--			if (groupname) {
--				initgroups(username, grp->gr_gid);
--			}
- 			setuid(pwd->pw_uid);
- 		}
- 	}