aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Gustavo Zacarias <gustavo@zacarias.com.ar>2014-01-20 15:19:06 -0300
committerGravatar Peter Korsgaard <peter@korsgaard.com>2014-01-20 22:23:29 +0100
commit8e12b490f8787ae02b851f4fba7e028baa9ea1b0 (patch)
tree7bc6ff661163865afafae1ef5f471af8fb408d16
parent485f07dd4c41a211041e73351b4477e21bbc2d68 (diff)
downloadbuildroot-8e12b490f8787ae02b851f4fba7e028baa9ea1b0.tar.gz
buildroot-8e12b490f8787ae02b851f4fba7e028baa9ea1b0.tar.bz2
lighttpd: bump to version 1.4.34
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-rw-r--r--package/lighttpd/lighttpd-02-mod_extforward.patch14
-rw-r--r--package/lighttpd/lighttpd-03-fix_fam_use_after_free.patch22
-rw-r--r--package/lighttpd/lighttpd-04-fix_setuid.patch43
-rw-r--r--package/lighttpd/lighttpd-05-fix_ssl_sni.patch369
-rw-r--r--package/lighttpd/lighttpd.mk2
5 files changed, 1 insertions, 449 deletions
diff --git a/package/lighttpd/lighttpd-02-mod_extforward.patch b/package/lighttpd/lighttpd-02-mod_extforward.patch
deleted file mode 100644
index 3efd2b1e02..0000000000
--- a/package/lighttpd/lighttpd-02-mod_extforward.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-From http://redmine.lighttpd.net/issues/2515
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-
---- a/src/mod_extforward.c (revision 2909)
-+++ b/src/mod_extforward.c (working copy)
-@@ -439,7 +439,6 @@
- #ifdef HAVE_IPV6
- ipstr_to_sockaddr(srv, real_remote_addr, &sock);
- #else
-- UNUSED(addrs_left);
- sock.ipv4.sin_addr.s_addr = inet_addr(real_remote_addr);
- sock.plain.sa_family = (sock.ipv4.sin_addr.s_addr == 0xFFFFFFFF) ? AF_UNSPEC : AF_INET;
- #endif
diff --git a/package/lighttpd/lighttpd-03-fix_fam_use_after_free.patch b/package/lighttpd/lighttpd-03-fix_fam_use_after_free.patch
deleted file mode 100644
index 9d0e78ba09..0000000000
--- a/package/lighttpd/lighttpd-03-fix_fam_use_after_free.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-commit ae1335503a8f63489f847668ee37df8470a2ab0a
-Author: Stefan Bühler <stbuehler@web.de>
-Date: Wed Nov 13 11:43:28 2013 +0000
-
- [stat-cache] FAM: fix use after free (CVE-2013-4560)
-
- From: Stefan Bühler <stbuehler@web.de>
-
- git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2921 152afb58-edef-0310-8abb-c4023f1b3aa9
-
-diff --git a/src/stat_cache.c b/src/stat_cache.c
-index e995f3b..924f4dc 100644
---- a/src/stat_cache.c
-+++ b/src/stat_cache.c
-@@ -648,6 +648,7 @@ handler_t stat_cache_get_entry(server *srv, connection *con, buffer *name, stat_
- FamErrlist[FAMErrno]);
-
- fam_dir_entry_free(fam_dir);
-+ fam_dir = NULL;
- } else {
- int osize = 0;
-
diff --git a/package/lighttpd/lighttpd-04-fix_setuid.patch b/package/lighttpd/lighttpd-04-fix_setuid.patch
deleted file mode 100644
index cb7f563530..0000000000
--- a/package/lighttpd/lighttpd-04-fix_setuid.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-commit 99cddff73ab4023186bcfca54cbb73051140e15d
-Author: Stefan Bühler <stbuehler@web.de>
-Date: Wed Nov 13 11:43:33 2013 +0000
-
- [core] check success of setuid,setgid,setgroups (CVE-2013-4559)
-
- From: Stefan Bühler <stbuehler@web.de>
-
- git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2923 152afb58-edef-0310-8abb-c4023f1b3aa9
-
-diff --git a/src/server.c b/src/server.c
-index 2d825bb..e2b42eb 100644
---- a/src/server.c
-+++ b/src/server.c
-@@ -820,8 +820,14 @@ int main (int argc, char **argv) {
- * to /etc/group
- * */
- if (NULL != grp) {
-- setgid(grp->gr_gid);
-- setgroups(0, NULL);
-+ if (-1 == setgid(grp->gr_gid)) {
-+ log_error_write(srv, __FILE__, __LINE__, "ss", "setgid failed: ", strerror(errno));
-+ return -1;
-+ }
-+ if (-1 == setgroups(0, NULL)) {
-+ log_error_write(srv, __FILE__, __LINE__, "ss", "setgroups failed: ", strerror(errno));
-+ return -1;
-+ }
- if (srv->srvconf.username->used) {
- initgroups(srv->srvconf.username->ptr, grp->gr_gid);
- }
-@@ -844,7 +850,10 @@ int main (int argc, char **argv) {
- #ifdef HAVE_PWD_H
- /* drop root privs */
- if (NULL != pwd) {
-- setuid(pwd->pw_uid);
-+ if (-1 == setuid(pwd->pw_uid)) {
-+ log_error_write(srv, __FILE__, __LINE__, "ss", "setuid failed: ", strerror(errno));
-+ return -1;
-+ }
- }
- #endif
- #if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)
diff --git a/package/lighttpd/lighttpd-05-fix_ssl_sni.patch b/package/lighttpd/lighttpd-05-fix_ssl_sni.patch
deleted file mode 100644
index 63094d89ab..0000000000
--- a/package/lighttpd/lighttpd-05-fix_ssl_sni.patch
+++ /dev/null
@@ -1,369 +0,0 @@
-commit 1af871fcef97574c71870309d572d6b1026ee605
-Author: Stefan Bühler <stbuehler@web.de>
-Date: Tue Nov 5 15:29:07 2013 +0000
-
- [ssl] fix SNI handling; only use key+cert+verify-client from SNI specific config (fixes #2525, CVE-2013-4508)
-
- pull all ssl.ca-file values into all SSL_CTXs, but use only the local
- ssl.ca-file for verify-client; correct SNI name is no requirement,
- so enforcing verification for a subset of SNI names doesn't actually
- protect those.
-
- From: Stefan Bühler <stbuehler@web.de>
-
- git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2913 152afb58-edef-0310-8abb-c4023f1b3aa9
-
-diff --git a/NEWS b/NEWS
-diff --git a/src/base.h b/src/base.h
-index 5d79a33..6a8df14 100644
---- a/src/base.h
-+++ b/src/base.h
-@@ -320,7 +320,11 @@ typedef struct {
- off_t *global_bytes_per_second_cnt_ptr; /* */
-
- #ifdef USE_OPENSSL
-- SSL_CTX *ssl_ctx;
-+ SSL_CTX *ssl_ctx; /* not patched */
-+ /* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
-+ EVP_PKEY *ssl_pemfile_pkey;
-+ X509 *ssl_pemfile_x509;
-+ STACK_OF(X509_NAME) *ssl_ca_file_cert_names;
- #endif
- } specific_config;
-
-diff --git a/src/configfile.c b/src/configfile.c
-index 7408ed0..18b36b3 100644
---- a/src/configfile.c
-+++ b/src/configfile.c
-@@ -339,9 +339,13 @@ int config_setup_connection(server *srv, connection *con) {
-
- PATCH(ssl_pemfile);
- #ifdef USE_OPENSSL
-- PATCH(ssl_ctx);
-+ PATCH(ssl_pemfile_x509);
-+ PATCH(ssl_pemfile_pkey);
- #endif
- PATCH(ssl_ca_file);
-+#ifdef USE_OPENSSL
-+ PATCH(ssl_ca_file_cert_names);
-+#endif
- PATCH(ssl_cipher_list);
- PATCH(ssl_dh_file);
- PATCH(ssl_ec_curve);
-@@ -409,10 +413,14 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) {
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) {
- PATCH(ssl_pemfile);
- #ifdef USE_OPENSSL
-- PATCH(ssl_ctx);
-+ PATCH(ssl_pemfile_x509);
-+ PATCH(ssl_pemfile_pkey);
- #endif
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
- PATCH(ssl_ca_file);
-+#ifdef USE_OPENSSL
-+ PATCH(ssl_ca_file_cert_names);
-+#endif
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
- PATCH(ssl_honor_cipher_order);
- } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
-diff --git a/src/network.c b/src/network.c
-index cb0564f..f6d890b 100644
---- a/src/network.c
-+++ b/src/network.c
-@@ -112,20 +112,46 @@ static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
- config_patch_connection(srv, con, COMP_HTTP_SCHEME);
- config_patch_connection(srv, con, COMP_HTTP_HOST);
-
-- if (NULL == con->conf.ssl_ctx) {
-- /* ssl_ctx <=> pemfile was set <=> ssl_ctx got patched: so this should never happen */
-+ if (NULL == con->conf.ssl_pemfile_x509 || NULL == con->conf.ssl_pemfile_pkey) {
-+ /* x509/pkey available <=> pemfile was set <=> pemfile got patched: so this should never happen, unless you nest $SERVER["socket"] */
- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
-- "null SSL_CTX for TLS server name", con->tlsext_server_name);
-+ "no certificate/private key for TLS server name", con->tlsext_server_name);
- return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
-
-- /* switch to new SSL_CTX in reaction to a client's server_name extension */
-- if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
-- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
-- "failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
-+ /* first set certificate! setting private key checks whether certificate matches it */
-+ if (!SSL_use_certificate(ssl, con->conf.ssl_pemfile_x509)) {
-+ log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
-+ "failed to set certificate for TLS server name", con->tlsext_server_name,
-+ ERR_error_string(ERR_get_error(), NULL));
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
-+ }
-+
-+ if (!SSL_use_PrivateKey(ssl, con->conf.ssl_pemfile_pkey)) {
-+ log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
-+ "failed to set private key for TLS server name", con->tlsext_server_name,
-+ ERR_error_string(ERR_get_error(), NULL));
- return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
-
-+ if (con->conf.ssl_verifyclient) {
-+ if (NULL == con->conf.ssl_ca_file_cert_names) {
-+ log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
-+ "can't verify client without ssl.ca-file for TLS server name", con->tlsext_server_name,
-+ ERR_error_string(ERR_get_error(), NULL));
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
-+ }
-+
-+ SSL_set_client_CA_list(ssl, SSL_dup_CA_list(con->conf.ssl_ca_file_cert_names));
-+ /* forcing verification here is really not that useful - a client could just connect without SNI */
-+ SSL_set_verify(
-+ ssl,
-+ SSL_VERIFY_PEER | (con->conf.ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
-+ NULL
-+ );
-+ SSL_set_verify_depth(ssl, con->conf.ssl_verifyclient_depth);
-+ }
-+
- return SSL_TLSEXT_ERR_OK;
- }
- #endif
-@@ -491,9 +517,100 @@ typedef enum {
- NETWORK_BACKEND_SOLARIS_SENDFILEV
- } network_backend_t;
-
-+#ifdef USE_OPENSSL
-+static X509* x509_load_pem_file(server *srv, const char *file) {
-+ BIO *in;
-+ X509 *x = NULL;
-+
-+ in = BIO_new(BIO_s_file());
-+ if (NULL == in) {
-+ log_error_write(srv, __FILE__, __LINE__, "S", "SSL: BIO_new(BIO_s_file()) failed");
-+ goto error;
-+ }
-+
-+ if (BIO_read_filename(in,file) <= 0) {
-+ log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed");
-+ goto error;
-+ }
-+ x = PEM_read_bio_X509(in, NULL, NULL, NULL);
-+
-+ if (NULL == x) {
-+ log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read X509 certificate from '", file,"'");
-+ goto error;
-+ }
-+
-+ BIO_free(in);
-+ return x;
-+
-+error:
-+ if (NULL != x) X509_free(x);
-+ if (NULL != in) BIO_free(in);
-+ return NULL;
-+}
-+
-+static EVP_PKEY* evp_pkey_load_pem_file(server *srv, const char *file) {
-+ BIO *in;
-+ EVP_PKEY *x = NULL;
-+
-+ in=BIO_new(BIO_s_file());
-+ if (NULL == in) {
-+ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BIO_new(BIO_s_file()) failed");
-+ goto error;
-+ }
-+
-+ if (BIO_read_filename(in,file) <= 0) {
-+ log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed");
-+ goto error;
-+ }
-+ x = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
-+
-+ if (NULL == x) {
-+ log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read private key from '", file,"'");
-+ goto error;
-+ }
-+
-+ BIO_free(in);
-+ return x;
-+
-+error:
-+ if (NULL != x) EVP_PKEY_free(x);
-+ if (NULL != in) BIO_free(in);
-+ return NULL;
-+}
-+
-+static int network_openssl_load_pemfile(server *srv, size_t ndx) {
-+ specific_config *s = srv->config_storage[ndx];
-+
-+#ifdef OPENSSL_NO_TLSEXT
-+ {
-+ data_config *dc = (data_config *)srv->config_context->data[i];
-+ if ((ndx > 0 && (COMP_SERVER_SOCKET != dc->comp || dc->cond != CONFIG_COND_EQ))
-+ || !s->ssl_enabled) {
-+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
-+ "ssl.pemfile only works in SSL socket binding context as openssl version does not support TLS extensions");
-+ return -1;
-+ }
-+ }
-+#endif
-+
-+ if (NULL == (s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
-+ if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
-+
-+ if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
-+ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
-+ "Private key does not match the certificate public key, reason:",
-+ ERR_error_string(ERR_get_error(), NULL),
-+ s->ssl_pemfile);
-+ return -1;
-+ }
-+
-+ return 0;
-+}
-+#endif
-+
- int network_init(server *srv) {
- buffer *b;
-- size_t i;
-+ size_t i, j;
- network_backend_t backend;
-
- #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
-@@ -580,18 +697,7 @@ int network_init(server *srv) {
- long ssloptions =
- SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
-
-- if (buffer_is_empty(s->ssl_pemfile)) continue;
--
--#ifdef OPENSSL_NO_TLSEXT
-- {
-- data_config *dc = (data_config *)srv->config_context->data[i];
-- if (COMP_HTTP_HOST == dc->comp) {
-- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
-- "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
-- return -1;
-- }
-- }
--#endif
-+ if (buffer_is_empty(s->ssl_pemfile) && buffer_is_empty(s->ssl_ca_file)) continue;
-
- if (srv->ssl_is_init == 0) {
- SSL_load_error_strings();
-@@ -606,6 +712,29 @@ int network_init(server *srv) {
- }
- }
-
-+ if (!buffer_is_empty(s->ssl_pemfile)) {
-+#ifdef OPENSSL_NO_TLSEXT
-+ data_config *dc = (data_config *)srv->config_context->data[i];
-+ if (COMP_HTTP_HOST == dc->comp) {
-+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
-+ "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
-+ return -1;
-+ }
-+#endif
-+ if (network_openssl_load_pemfile(srv, i)) return -1;
-+ }
-+
-+
-+ if (!buffer_is_empty(s->ssl_ca_file)) {
-+ s->ssl_ca_file_cert_names = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
-+ if (NULL == s->ssl_ca_file_cert_names) {
-+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
-+ ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
-+ }
-+ }
-+
-+ if (buffer_is_empty(s->ssl_pemfile) || !s->ssl_enabled) continue;
-+
- if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
- ERR_error_string(ERR_get_error(), NULL));
-@@ -721,45 +850,42 @@ int network_init(server *srv) {
- #endif
- #endif
-
-- if (!buffer_is_empty(s->ssl_ca_file)) {
-- if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
-- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
-- ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
-- return -1;
-- }
-- if (s->ssl_verifyclient) {
-- STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
-- if (!certs) {
-+ /* load all ssl.ca-files specified in the config into each SSL_CTX to be prepared for SNI */
-+ for (j = 0; j < srv->config_context->used; j++) {
-+ specific_config *s1 = srv->config_storage[j];
-+
-+ if (!buffer_is_empty(s1->ssl_ca_file)) {
-+ if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s1->ssl_ca_file->ptr, NULL)) {
- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
-- ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
-- }
-- if (SSL_CTX_set_session_id_context(s->ssl_ctx, (void*) &srv, sizeof(srv)) != 1) {
-- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
-- ERR_error_string(ERR_get_error(), NULL));
-+ ERR_error_string(ERR_get_error(), NULL), s1->ssl_ca_file);
- return -1;
- }
-- SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
-- SSL_CTX_set_verify(
-- s->ssl_ctx,
-- SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
-- NULL
-+ }
-+ }
-+
-+ if (s->ssl_verifyclient) {
-+ if (NULL == s->ssl_ca_file_cert_names) {
-+ log_error_write(srv, __FILE__, __LINE__, "s",
-+ "SSL: You specified ssl.verifyclient.activate but no ca_file"
- );
-- SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
-+ return -1;
- }
-- } else if (s->ssl_verifyclient) {
-- log_error_write(
-- srv, __FILE__, __LINE__, "s",
-- "SSL: You specified ssl.verifyclient.activate but no ca_file"
-+ SSL_CTX_set_client_CA_list(s->ssl_ctx, SSL_dup_CA_list(s->ssl_ca_file_cert_names));
-+ SSL_CTX_set_verify(
-+ s->ssl_ctx,
-+ SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
-+ NULL
- );
-+ SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
- }
-
-- if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
-+ if (SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509) < 0) {
- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
- return -1;
- }
-
-- if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
-+ if (SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey) < 0) {
- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
- return -1;
-@@ -856,7 +982,6 @@ int network_init(server *srv) {
- for (i = 1; i < srv->config_context->used; i++) {
- data_config *dc = (data_config *)srv->config_context->data[i];
- specific_config *s = srv->config_storage[i];
-- size_t j;
-
- /* not our stage */
- if (COMP_SERVER_SOCKET != dc->comp) continue;
-diff --git a/src/server.c b/src/server.c
-index a779928..1eb68b6 100644
---- a/src/server.c
-+++ b/src/server.c
-@@ -314,6 +314,9 @@ static void server_free(server *srv) {
- buffer_free(s->ssl_verifyclient_username);
- #ifdef USE_OPENSSL
- SSL_CTX_free(s->ssl_ctx);
-+ EVP_PKEY_free(s->ssl_pemfile_pkey);
-+ X509_free(s->ssl_pemfile_x509);
-+ if (NULL != s->ssl_ca_file_cert_names) sk_X509_NAME_pop_free(s->ssl_ca_file_cert_names, X509_NAME_free);
- #endif
- free(s);
- }
diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
index 08a97ee208..375f934dba 100644
--- a/package/lighttpd/lighttpd.mk
+++ b/package/lighttpd/lighttpd.mk
@@ -5,7 +5,7 @@
################################################################################
LIGHTTPD_VERSION_MAJOR = 1.4
-LIGHTTPD_VERSION = $(LIGHTTPD_VERSION_MAJOR).33
+LIGHTTPD_VERSION = $(LIGHTTPD_VERSION_MAJOR).34
LIGHTTPD_SOURCE = lighttpd-$(LIGHTTPD_VERSION).tar.xz
LIGHTTPD_SITE = http://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x
LIGHTTPD_LICENSE = BSD-3c