Debian Bug report logs - #434888
Multiple vulnerabilities [CVE-2007-3946] [CVE-2007-3947] [CVE-2007-3948] [CVE-2007-3949] [CVE-2007-3950]
Reported by: Adam Majer <adamm@zombino.com>
Date: Fri, 27 Jul 2007 14:15:01 UTC
Severity: critical
Tags: security
Fixed in version 1.4.16-1
Done: Pierre Habouzit <madcoder@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>: Bug#434888; Package lighttpd.
Acknowledgement sent to Adam Majer <adamm@zombino.com>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: lighttpd
Severity: critical
Tags: security
Upstream patches from Trac seem to be available from upstream.
From http://secunia.com/advisories/26130/
DESCRIPTION:
Some vulnerabilities have been reported in lighttpd, which can be
exploited by malicious people to bypass certain security restrictions
or cause a DoS (Denial of Service).
1) An error in the processing of HTTP headers can be exploited to
cause a DoS by sending duplicate HTTP headers with a trailing
whitespace character.
2) An error in mod_auth can be exploited to cause a DoS by sending
requests with the algorithm set to "MD5-sess" and without a cnonce.
3) An error when parsing Auth-Digest headers in mod_auth can
potentially be exploited to cause a DoS by sending multiple
whitespace characters.
4) An error exists in the mechanism that limits the number of active
connections. This can be exploited to cause a DoS.
5) An error exists in the processing of HTTP requests. This can be
exploited to access restricted files by adding a "/" to an URL.
6) An error exists in mod_scgi. This can be exploited to cause a DoS
by sending a SCGI request and closing the connection while lighttpd
processes the request.
The vulnerabilities are reported in lighttpd-1.4.15. Previous
versions may also be affected.
SOLUTION:
Fixed in the developer branch.
1) http://trac.lighttpd.net/trac/changeset/1869?format=diff&new=1869
2), 3) http://trac.lighttpd.net/trac/changeset/1875?format=diff&new=1875
4) http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
5) http://trac.lighttpd.net/trac/changeset/1871?format=diff&new=1871
6) http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882
ORIGINAL ADVISORY:
1) http://trac.lighttpd.net/trac/ticket/1232
2, 3) http://trac.lighttpd.net/trac/changeset/1875
4) http://trac.lighttpd.net/trac/ticket/1216
5) http://trac.lighttpd.net/trac/ticket/1230
6) http://trac.lighttpd.net/trac/ticket/1263
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (900, 'unstable'), (5, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-rc1 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
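Items 2 and 3 of the advisory both concern the parsing of Digest Authorization headers in mod_auth: a request with algorithm MD5-sess but no cnonce, and a header containing runs of whitespace. The following added example (my own illustration, not lighttpd code or any of the linked changesets) shows the defensive shape such a parser should take: tolerate arbitrary whitespace between parameters, and reject a request whose required parameters are missing before any digest is computed. The header strings are constructed samples.

```python
import re

# One "key=value" parameter, followed by a comma or the end of the list.
# Runs of spaces and tabs around keys, "=" and commas are accepted (advisory item 3);
# values may be quoted (with \" escapes) or bare tokens, as RFC 2617 allows.
_PARAM_RE = re.compile(
    r'\s*([A-Za-z][A-Za-z0-9_-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)'
)

def parse_digest(header):
    """Return a dict of Digest parameters (keys lowercased), or None if malformed."""
    m = re.match(r"digest(?:\s+|$)", header, re.IGNORECASE)
    if not m:
        return None
    body, pos, params = header[m.end():], 0, {}
    while pos < len(body):
        m = _PARAM_RE.match(body, pos)
        if not m:
            return None                       # junk between parameters: reject
        key = m.group(1).lower()
        if key in params:
            return None                       # duplicate parameter: refuse to guess
        if m.group(2) is not None:
            params[key] = re.sub(r"\\(.)", r"\1", m.group(2))  # unescape quoted-pairs
        else:
            params[key] = m.group(3)
        pos = m.end()                         # each match consumes at least the key
    return params

def validate_digest(params):
    """Return (ok, reason); nothing is hashed until every needed field is present."""
    if params is None:
        return False, "malformed header"
    for required in ("username", "realm", "nonce", "uri", "response"):
        if required not in params:
            return False, "missing " + required
    algorithm = params.get("algorithm", "MD5").upper()
    if algorithm not in ("MD5", "MD5-SESS"):
        return False, "unsupported algorithm"
    # RFC 2617: cnonce and nc are mandatory when qop is sent or algorithm is MD5-sess.
    # Advisory item 2 is exactly an MD5-sess request that omits cnonce.
    if algorithm == "MD5-SESS" or "qop" in params:
        for required in ("cnonce", "nc"):
            if required not in params:
                return False, "missing " + required
    return True, "ok"

def check(header):
    return validate_digest(parse_digest(header))

# Constructed sample headers (not captured traffic).
H_MD5SESS_NO_CNONCE = ('Digest username="alice",   realm="lighttpd",\t nonce="abc123", '
                       'uri="/secret/", response="0123456789abcdef0123456789abcdef", '
                       'algorithm=MD5-sess, qop=auth, nc=00000001')
H_MD5SESS_OK = H_MD5SESS_NO_CNONCE + ', cnonce="xyz"'
H_PLAIN_MD5 = 'Digest username="alice",realm="r",nonce="n",uri="/",response="x"'
```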
Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>: Bug#434888; Package lighttpd.
Acknowledgement sent to Steve Kemp <skx@debian.org>: Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.
Message #10 received at 434888@bugs.debian.org:
On Fri Jul 27, 2007 at 09:11:48 -0500, Adam Majer wrote:
> Package: lighttpd
> Severity: critical
> Tags: security
>
> Upstream patches from Trac seem to be available from upstream.
Still waiting on CVE IDs. I can upload without them, but I'd
rather not ..
Steve
Reply sent to Pierre Habouzit <madcoder@debian.org>: You have taken responsibility.
Notification sent to Adam Majer <adamm@zombino.com>: Bug acknowledged by developer.
Message #15 received at 434888-done@bugs.debian.org:
Version: 1.4.16-1
On Fri, Jul 27, 2007 at 09:11:48AM -0500, Adam Majer wrote:
> Package: lighttpd
> Severity: critical
> Tags: security
>
> Upstream patches from Trac seem to be available from upstream.
--
·O· Pierre Habouzit
··O madcoder@debian.org
OOO http://www.madism.org
Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>: Bug#434888; Package lighttpd.
Acknowledgement sent to Adam Majer <adamm@zombino.com>: Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.
Message #20 received at 434888@bugs.debian.org:
What about Etch?
Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> #434888: Multiple vulnerabilities [CVE-2007-3946] [CVE-2007-3947] [CVE-2007-3948] [CVE-2007-3949] [CVE-2007-3950],
> which was filed against the lighttpd package.
>
> It has been closed by Pierre Habouzit <madcoder@debian.org>.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>: Bug#434888; Package lighttpd.
Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>: Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.
Message #25 received at 434888@bugs.debian.org:
On Fri, Jul 27, 2007 at 03:45:29PM -0500, Adam Majer wrote:
> What about Etch?
This was a versioned close, which affects unstable. The security team
(as you could have read at least 3 or 4 times in the BTS if you really
cared) is already working on an upload, and is waiting for the
remaining CVEs to upload.
IOW: be patient.
--
·O· Pierre Habouzit
··O madcoder@debian.org
OOO http://www.madism.org
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Sep 2007 07:34:06 GMT)
Last modified: Wed Jun 19 18:10:14 2019