lighttpd: CVE-2008-1111 reveals cgi source if the cgi handler fork fails

Related Vulnerabilities: CVE-2008-1111  

Debian Bug report logs - #469307

Reported by: Nico Golde <nion@debian.org>

Date: Tue, 4 Mar 2008 15:39:02 UTC

Severity: important

Tags: patch, security

Found in version lighttpd/1.4.13-4etch4

Fixed in versions lighttpd/1.4.18-3, lighttpd/1.4.18-4

Done: Pierre Habouzit <madcoder@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#469307; Package lighttpd.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: lighttpd: CVE-2008-1111 reveals cgi source if the cgi handler fork fails
Date: Tue, 4 Mar 2008 16:25:34 +0100
Package: lighttpd
Version: 1.4.13-4etch4
Severity: important
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for lighttpd.

CVE-2008-1111[0]:
mod_cgi in lighttpd is going to send the source of a cgi
script if forking the cgi handler fails for some reason. It
should result in a 500 instead.
The default installation of Debian is not affected as it 
does not include the mod_cgi configuration but this should 
be fixed anyway.

You can find a patch for this on:
http://trac.lighttpd.net/trac/changeset/2107

Note the CVE id is not yet available on the mitre site but 
it will be soon hopefully.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1111

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#469307; Package lighttpd.


Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.


Message #10 received at 469307@bugs.debian.org:

From: Pierre Habouzit <madcoder@debian.org>
To: control@bugs.debian.org
Cc: 448160@bugs.debian.org, 462907@bugs.debian.org, 469307@bugs.debian.org
Subject: setting package to lighttpd-mod-webdav lighttpd lighttpd-mod-magnet lighttpd-mod-trigger-b4-dl lighttpd-doc lighttpd-mod-cml lighttpd-mod-mysql-vhost ... ... ...
Date: Sat, 08 Mar 2008 17:28:33 +0100
# Automatically generated email from bts, devscripts version 2.10.18.1
#
# lighttpd (1.4.18-3) UNRELEASED; urgency=low
#
#  * Add sample configuration for the mod_rrdtool (Closes: 462907).
#  * add patches/06_mod_cgi_vuln_fix.dpatch to fix CVE-2008-1111
#    (Closes: 469307).
#  * Remove spurious mkdir in debian/rules (Closes: 448160). 

package lighttpd-mod-webdav lighttpd lighttpd-mod-magnet lighttpd-mod-trigger-b4-dl lighttpd-doc lighttpd-mod-cml lighttpd-mod-mysql-vhost
tags 469307 + pending
tags 462907 + pending
tags 448160 + pending


Tags added: pending Request was from Pierre Habouzit <madcoder@debian.org> to control@bugs.debian.org. (Sat, 08 Mar 2008 16:36:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#469307; Package lighttpd.


Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.


Message #17 received at 469307@bugs.debian.org:

From: Pierre Habouzit <madcoder@debian.org>
To: control@bugs.debian.org
Cc: 448160@bugs.debian.org, 462907@bugs.debian.org, 469307@bugs.debian.org
Subject: setting package to lighttpd-mod-webdav lighttpd lighttpd-mod-magnet lighttpd-mod-trigger-b4-dl lighttpd-doc lighttpd-mod-cml lighttpd-mod-mysql-vhost ... ... ...
Date: Sat, 08 Mar 2008 17:34:42 +0100
# Automatically generated email from bts, devscripts version 2.10.18.1
#
# lighttpd (1.4.18-3) unstable; urgency=high
#
#  * Add sample configuration for the mod_rrdtool (Closes: 462907).
#  * add patches/06_mod_cgi_vuln_fix.dpatch to fix CVE-2008-1111
#    (Closes: 469307).
#  * Remove spurious mkdir in debian/rules (Closes: 448160).
#

package lighttpd-mod-webdav lighttpd lighttpd-mod-magnet lighttpd-mod-trigger-b4-dl lighttpd-doc lighttpd-mod-cml lighttpd-mod-mysql-vhost
tags 469307 + pending
tags 462907 + pending
tags 448160 + pending


Tags added: pending Request was from Pierre Habouzit <madcoder@debian.org> to control@bugs.debian.org. (Sat, 08 Mar 2008 16:48:11 GMT)


Reply sent to Pierre Habouzit <madcoder@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #24 received at 469307-close@bugs.debian.org:

From: Pierre Habouzit <madcoder@debian.org>
To: 469307-close@bugs.debian.org
Subject: Bug#469307: fixed in lighttpd 1.4.18-3
Date: Sat, 08 Mar 2008 16:47:04 +0000
Source: lighttpd
Source-Version: 1.4.18-3

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive:

lighttpd-doc_1.4.18-3_all.deb
  to pool/main/l/lighttpd/lighttpd-doc_1.4.18-3_all.deb
lighttpd-mod-cml_1.4.18-3_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-cml_1.4.18-3_amd64.deb
lighttpd-mod-magnet_1.4.18-3_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-magnet_1.4.18-3_amd64.deb
lighttpd-mod-mysql-vhost_1.4.18-3_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.18-3_amd64.deb
lighttpd-mod-trigger-b4-dl_1.4.18-3_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.18-3_amd64.deb
lighttpd-mod-webdav_1.4.18-3_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-webdav_1.4.18-3_amd64.deb
lighttpd_1.4.18-3.diff.gz
  to pool/main/l/lighttpd/lighttpd_1.4.18-3.diff.gz
lighttpd_1.4.18-3.dsc
  to pool/main/l/lighttpd/lighttpd_1.4.18-3.dsc
lighttpd_1.4.18-3_amd64.deb
  to pool/main/l/lighttpd/lighttpd_1.4.18-3_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 469307@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Habouzit <madcoder@debian.org> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sat, 08 Mar 2008 17:30:03 +0100
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source all amd64
Version: 1.4.18-3
Distribution: unstable
Urgency: high
Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Changed-By: Pierre Habouzit <madcoder@debian.org>
Description: 
 lighttpd   - A fast webserver with minimal memory footprint
 lighttpd-doc - Documentation for lighttpd
 lighttpd-mod-cml - Cache meta language module for lighttpd
 lighttpd-mod-magnet - Control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - Anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 448160 462907 463368 469307
Changes: 
 lighttpd (1.4.18-3) unstable; urgency=high
 .
   * Force use of deprecated ldap interfaces (Closes: 463368),
     thanks to Dann Frazier (patches/ldap-deprecated.dpatch).
   * Add sample configuration for the mod_rrdtool (Closes: 462907).
   * add patches/06_mod_cgi_vuln_fix.dpatch to fix CVE-2008-1111
     (Closes: 469307).
   * Remove spurious mkdir in debian/rules (Closes: 448160).
   * Bump urgency for RC bug fixes.
Files: 


Reply sent to Pierre Habouzit <madcoder@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #29 received at 469307-close@bugs.debian.org:

From: Pierre Habouzit <madcoder@debian.org>
To: 469307-close@bugs.debian.org
Subject: Bug#469307: fixed in lighttpd 1.4.18-4
Date: Tue, 11 Mar 2008 09:17:05 +0000
Source: lighttpd
Source-Version: 1.4.18-4

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive:

lighttpd-doc_1.4.18-4_all.deb
  to pool/main/l/lighttpd/lighttpd-doc_1.4.18-4_all.deb
lighttpd-mod-cml_1.4.18-4_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-cml_1.4.18-4_amd64.deb
lighttpd-mod-magnet_1.4.18-4_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-magnet_1.4.18-4_amd64.deb
lighttpd-mod-mysql-vhost_1.4.18-4_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.18-4_amd64.deb
lighttpd-mod-trigger-b4-dl_1.4.18-4_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.18-4_amd64.deb
lighttpd-mod-webdav_1.4.18-4_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-webdav_1.4.18-4_amd64.deb
lighttpd_1.4.18-4.diff.gz
  to pool/main/l/lighttpd/lighttpd_1.4.18-4.diff.gz
lighttpd_1.4.18-4.dsc
  to pool/main/l/lighttpd/lighttpd_1.4.18-4.dsc
lighttpd_1.4.18-4_amd64.deb
  to pool/main/l/lighttpd/lighttpd_1.4.18-4_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 469307@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Habouzit <madcoder@debian.org> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 11 Mar 2008 10:07:35 +0100
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source all amd64
Version: 1.4.18-4
Distribution: unstable
Urgency: high
Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Changed-By: Pierre Habouzit <madcoder@debian.org>
Description: 
 lighttpd   - A fast webserver with minimal memory footprint
 lighttpd-doc - Documentation for lighttpd
 lighttpd-mod-cml - Cache meta language module for lighttpd
 lighttpd-mod-magnet - Control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - Anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 463368 469307
Changes: 
 lighttpd (1.4.18-4) unstable; urgency=high
 .
   * The “I HATE DPATCH”-release.
   * Add patches for real as dpatch-edit-patch is stupid enough for not doing
     it by itself (Closes: 463368, 469307).
Files: 


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 09 Apr 2008 07:26:01 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:10:22 2019; Machine Name: buxtehude
