09. Apr 2010, 12:26 (updated 20. Sep 2010, 11:22)

Lighty on Lenny

All of my sites are powered by lighttpd, so I was pretty shocked when I read that there is a serious flaw in lighttpd prior to 1.4.26 which allows massive DoS. I'm running Debian lenny, and this post shows how to backport lighttpd 1.4.26 from unstable.

Backporting Software

Add the testing repos to your /etc/apt/sources.list

sudo vim /etc/apt/sources.list

At the end of the file append this:

deb-src http://ftp.at.debian.org/debian/ testing main

Save and exit

Update

sudo apt-get update

Then we need the devscripts. Their purpose is to let us rebuild .deb packages. Don't be shocked if you get a screen filled with dependencies, that's ok - just say Yes.

sudo apt-get install devscripts

Last but not least, we create a folder in our home directory where all our backports will go:

mkdir ~/backports

Let's start backporting lighttpd. However, hold on! We can't backport lighttpd yet.

quilt

We first have to backport quilt, a tool which is used by Debian to manage patches. Unfortunately lenny's version can't be used for the new lighttpd.

cd ~/backports
mkdir quilt
cd quilt

Now let's install everything that's needed to build quilt. This step is awesomely easy thanks to apt's super cow powers.

sudo apt-get build-dep quilt

Then we get the newest quilt source from Debian testing:

apt-get source quilt

This downloads some files into our quilt folder, for example the folder quilt-0.48 (at the time of this writing). You guessed it - we need to cd there!

cd quilt-0.48

Now comes the fun part: building a *.deb. Easy as pulling a trigger.

debuild -us -uc

Where did the deb go? Into the parent folder:

cd ..

Install

sudo dpkg -i quilt_0.48-6_all.deb

Finally, let's backport..

lighttpd

This is pretty much the same as above:

cd ~/backports
mkdir lighttpd
cd lighttpd
sudo apt-get build-dep lighttpd
apt-get source lighttpd
cd lighttpd-1.4.26
debuild -us -uc
cd ..

Stop here. Before you install the new lighttpd I have to tell you about a bug.
Debian ships with a use-ipv6.pl script. This script causes lighty to not be able to bind to a port, so it is commented out in the newer config files that ship with Debian's lighty. I tell you this because dpkg will ask whether you want to overwrite your lighttpd.conf. I chose No because I had already commented out the following line:

## Use ipv6 only if available
include_shell "/usr/share/lighttpd/use-ipv6.pl"

Comment it out for good!
Now if you do

sudo dpkg -i lighttpd_1.4.26-1.1_all.deb

and choose to not overwrite your lighttpd.conf, lighttpd will flawlessly restart.
Let me be the first to welcome you to your backported lighttpd 1.4.26!
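
A pre-install check for the two points above, as an added example that is not part of the original post: it reports whether the installed lighttpd is older than 1.4.26 and whether lighttpd.conf still has the use-ipv6.pl include active, and it can comment that line out. The function names, the default path /etc/lighttpd/lighttpd.conf and the sort -V fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before "dpkg -i".
FIXED_VERSION="1.4.26"   # first release without the DoS flaw, per the post

# Exit 0 if the given package version is older than FIXED_VERSION.
version_is_vulnerable() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$FIXED_VERSION"
    else
        # Assumption: on hosts without dpkg, sort supports -V (GNU coreutils).
        [ "$1" != "$FIXED_VERSION" ] &&
        [ "$(printf '%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)" = "$1" ]
    fi
}

# Exit 0 if the config still has an uncommented include_shell line
# that runs use-ipv6.pl.
conf_has_active_ipv6_include() {
    grep -Eq '^[[:space:]]*include_shell[[:space:]]+"[^"]*use-ipv6\.pl"' "$1"
}

# Comment the include out in place; the untouched file is kept as FILE.bak.
disable_ipv6_include() {
    cp -p "$1" "$1.bak" &&
    sed -i 's|^\([[:space:]]*\)\(include_shell[[:space:]][[:space:]]*"[^"]*use-ipv6\.pl".*\)$|\1# \2|' "$1"
}

# Report on this host. $1 is the config path (the default is an assumption).
check_host() {
    conf="${1:-/etc/lighttpd/lighttpd.conf}"
    installed="$(dpkg-query -W -f='${Version}' lighttpd 2>/dev/null || true)"
    if [ -z "$installed" ]; then
        echo "lighttpd: no installed version found"
    elif version_is_vulnerable "$installed"; then
        echo "lighttpd $installed is older than $FIXED_VERSION: backport needed"
    else
        echo "lighttpd $installed is at or above $FIXED_VERSION"
    fi
    if [ -f "$conf" ] && conf_has_active_ipv6_include "$conf"; then
        echo "$conf: use-ipv6.pl include is active; run disable_ipv6_include"
    fi
}

check_host "$@"
```

disable_ipv6_include needs write access to the config file, so run it as root when pointing it at the real lighttpd.conf.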

fastcgi-php

Attentive reader fabs ran into a problem when using fastcgi in combination with PHP. Luckily he also found a solution to his problem:

lighty-enable-mod fastcgi-php && /etc/init.d/lighttpd force-reload

Thanks fabs!
