Debian Bug report logs - #652726
CVE-2011-4362: DoS because of incorrect code in src/http_auth.c:67
Reported by: Mahyuddin Susanto <udienz@ubuntu.com>
Date: Tue, 20 Dec 2011 10:12:23 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Fixed in version lighttpd/1.4.30-1
Done: Arno Töll <debian@toell.net>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>: Bug#652726; Package src:lighttpd. (Tue, 20 Dec 2011 10:12:26 GMT)
Acknowledgement sent to Mahyuddin Susanto <udienz@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.
Your message had a Version: pseudo-header with an invalid package
version:
1.4.29-1, 1.4.28-2, 1.4.19-5+lenny2
please either use found or fixed to the control server with a correct
version, or reply to this report indicating the correct version so the
maintainer (or someone else) can correct it for you.
(Tue, 20 Dec 2011 10:12:30 GMT)
Message #5 received at submit@bugs.debian.org:
Source: lighttpd
Version: 1.4.29-1, 1.4.28-2, 1.4.19-5+lenny2
Severity: grave
Tags: security upstream fixed-upstream
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
A security bug has been discovered in lighttpd:
DoS because of incorrect code in src/http_auth.c:67
This is CVE-2011-4362. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4362
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4362
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4362
Upstream bug:
http://redmine.lighttpd.net/issues/2370
Upstream has provided a patch:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt
Would you please provide fixed packages for lenny and squeeze?
-- System Information:
Debian Release: wheezy/sid
APT prefers experimental
APT policy: (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
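Added example, not from the bug report, lighttpd or Debian: the bug class behind the CVE named above. NVD classifies CVE-2011-4362 as an integer signedness error in base64_decode() in src/http_auth.c: the decoder indexed its 256-entry reverse lookup table with a value taken from a plain char, so an input byte of 0x80 or above became a negative index on platforms where char is signed, and the resulting out-of-bounds read could crash the server. The C below reproduces the pattern in a small standalone decoder beside a hardened version. Function names, the table layout and the sample credential strings are assumptions made for this example; the unsafe index is modelled with signed char so it behaves the same on every platform, and it is only computed, never used to read memory.

```c
/* Added example, not lighttpd's code: the signed-char indexing hazard behind
 * CVE-2011-4362, shown in a small base64 decoder beside a hardened version.
 * Names, table layout and sample inputs are assumptions for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

static const char b64_alphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* 256-entry reverse table; -1 marks bytes that are not base64 digits. */
static short b64_reverse[256];
static int b64_reverse_ready = 0;

static void b64_init(void) {
    if (b64_reverse_ready) return;
    for (int i = 0; i < 256; i++) b64_reverse[i] = -1;
    for (int i = 0; i < 64; i++) b64_reverse[(unsigned char)b64_alphabet[i]] = (short)i;
    b64_reverse_ready = 1;
}

/* The unsafe pattern: "int ch = in[i]; table[ch]" with in a char pointer.
 * Modelled with signed char so the result is platform independent. A
 * negative return is the index the vulnerable decoder would have used,
 * i.e. a read before the start of the table; it is only computed here. */
int unsafe_table_index(char c) {
    int ch = (signed char)c;   /* sign-extended: 0xC3 becomes -61 */
    return ch;
}

/* Hardened decoder: every input byte goes through unsigned char, so the
 * index is always 0..255; non-digit bytes are rejected instead of being
 * skipped, and output is bounded by out_cap. Returns decoded length or -1. */
int b64_decode_safe(const char *in, unsigned char *out, size_t out_cap) {
    unsigned int acc = 0;
    int bits = 0;
    size_t olen = 0;

    b64_init();
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];   /* the fix: never a negative index */
        if (c == '=') break;                      /* padding ends the data */
        short v = b64_reverse[c];
        if (v < 0) return -1;                     /* byte outside the alphabet */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (olen >= out_cap) return -1;       /* output would overflow */
            out[olen++] = (unsigned char)((acc >> bits) & 0xFFu);
            acc &= (1u << bits) - 1u;             /* keep only unconsumed bits */
        }
    }
    return (int)olen;
}

/* Decodes into a fixed buffer and compares with an expected plaintext;
 * returns 1 on match, 0 on mismatch or rejected input. */
int decode_matches(const char *in, const char *expected) {
    unsigned char buf[256];
    int n = b64_decode_safe(in, buf, sizeof buf);
    if (n < 0 || (size_t)n != strlen(expected)) return 0;
    return memcmp(buf, expected, (size_t)n) == 0;
}

/* Length the hardened decoder reports for in, or -1 if it rejects it. */
int decode_len(const char *in) {
    unsigned char buf[256];
    return b64_decode_safe(in, buf, sizeof buf);
}

int main(void) {
    /* Constructed inputs: the RFC 2617 Basic-auth example credential, and a
     * base64 string with a high byte spliced in, as a malicious client might send. */
    const char *good = "QWxhZGRpbjpvcGVuIHNlc2FtZQ==";
    const char *bad  = "QWxh" "\xC3" "ZGRp";

    printf("index the unsafe decoder computes for byte 0xC3: %d\n",
           unsafe_table_index((char)0xC3));
    printf("hardened decode of RFC 2617 example: %s\n",
           decode_matches(good, "Aladdin:open sesame") ? "ok" : "FAILED");
    printf("hardened decode of input with 0xC3: %d (-1 = rejected)\n",
           decode_len(bad));
    return 0;
}
```

The practical check for any table-driven decoder is the same: every index derived from untrusted bytes must be formed from an unsigned char, and the decoder should fail closed on bytes outside its alphabet rather than silently skipping them.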
Added tag(s) pending. Request was from Arno Töll <debian@toell.net> to control@bugs.debian.org. (Tue, 20 Dec 2011 10:18:55 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>: Bug#652726; Package src:lighttpd. (Tue, 20 Dec 2011 10:39:10 GMT)
Acknowledgement sent to Arno Töll <debian@toell.net>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.
(Tue, 20 Dec 2011 10:39:14 GMT)
Message #12 received at 652726@bugs.debian.org:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Mahyuddin,
On 20.12.2011 11:10, Mahyuddin Susanto wrote:
> Security bug has been discovered in lighttpd:
> DoS because of incorrect code in src/http_auth.c:67
We have already prepared an updated version and backported the fixes to
Stable and Oldstable. A DSA denoting the updated packages is due later today.
--
with kind regards, Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
Reply sent to Arno Töll <debian@toell.net>:
You have taken responsibility. (Tue, 20 Dec 2011 20:54:08 GMT)
Notification sent to Mahyuddin Susanto <udienz@ubuntu.com>:
Bug acknowledged by developer. (Tue, 20 Dec 2011 20:54:08 GMT)
Message #17 received at 652726-close@bugs.debian.org:
Source: lighttpd
Source-Version: 1.4.30-1
We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive:
lighttpd-doc_1.4.30-1_all.deb
to main/l/lighttpd/lighttpd-doc_1.4.30-1_all.deb
lighttpd-mod-cml_1.4.30-1_amd64.deb
to main/l/lighttpd/lighttpd-mod-cml_1.4.30-1_amd64.deb
lighttpd-mod-magnet_1.4.30-1_amd64.deb
to main/l/lighttpd/lighttpd-mod-magnet_1.4.30-1_amd64.deb
lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
to main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
to main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
lighttpd-mod-webdav_1.4.30-1_amd64.deb
to main/l/lighttpd/lighttpd-mod-webdav_1.4.30-1_amd64.deb
lighttpd_1.4.30-1.debian.tar.gz
to main/l/lighttpd/lighttpd_1.4.30-1.debian.tar.gz
lighttpd_1.4.30-1.dsc
to main/l/lighttpd/lighttpd_1.4.30-1.dsc
lighttpd_1.4.30-1_amd64.deb
to main/l/lighttpd/lighttpd_1.4.30-1_amd64.deb
lighttpd_1.4.30.orig.tar.gz
to main/l/lighttpd/lighttpd_1.4.30.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 652726@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arno Töll <debian@toell.net> (supplier of updated lighttpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 20 Dec 2011 11:36:09 +0100
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source amd64 all
Version: 1.4.30-1
Distribution: unstable
Urgency: medium
Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Changed-By: Arno Töll <debian@toell.net>
Description:
lighttpd - fast webserver with minimal memory footprint
lighttpd-doc - documentation for lighttpd
lighttpd-mod-cml - cache meta language module for lighttpd
lighttpd-mod-magnet - control the request handling module for lighttpd
lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 642494 652442 652726
Changes:
lighttpd (1.4.30-1) unstable; urgency=medium
.
* New upstream release
+ Fix integer overflow (CVE-2011-4362) (Closes: #652726)
+ Fix attack vector as disclosed by the SSL BEAST attack (related:
CVE-2011-3389). Note: If you are upgrading from an older version you need
to change your configuration to mitigate effects of the attack. See the
corresponding NEWS file for details.
+ Count SSL renegotiations to prevent client renegotiations
* Urgency set to medium due to security updates.
* Adapt to dpkg 1.16.1 API changes regarding build flags. This enables
hardening build flags. This means, lighttpd is now being built with
-fstack-protector and other security related build flags.
* Add dpkg-dev (>= 1.16.1~) to build-depends to make sure our buildflags are
properly supported. That's guaranteed for Testing, but might be helpful to
know for backporters.
* Fix "Doesn't remove /etc/lighttpd on purge" by removing dangling symlinks
/only/. This does not entirely fix the problem of the maintainer, but we can
not simply remove all files in /etc/lighttpd as other packages or the user
himself might have left configuration files back (Closes: #642494)
* Fix "please include systemd service file": support systemd as an alternative
to sysvinit, ship systemd and tmpfiles.d configuration files. Thanks to
Michael Stapelberg for providing the required files (Closes: #652442)
Checksums-Sha1:
25e55ae7ab00195a6f5855f8b02a6bbc919b835a 2021 lighttpd_1.4.30-1.dsc
4a59c237fe62b06365aecb3ad4139b8593a21829 834241 lighttpd_1.4.30.orig.tar.gz
9c99522ac226e32eace526ed355ace702f929c12 26429 lighttpd_1.4.30-1.debian.tar.gz
bcd077ec390a1845559a23b9b0447060ccd5067f 301500 lighttpd_1.4.30-1_amd64.deb
e6eb2332ed524c052d807388cc903a6efcc3dd1d 63030 lighttpd-doc_1.4.30-1_all.deb
98c95277a9cd91dc669a07794b14035dc3a5d2d8 19014 lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
ea89364a5c1e4818a498b12613643ac104289af0 20686 lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
48a946444101605cc5b6d6a123cfdf40407c162c 23872 lighttpd-mod-cml_1.4.30-1_amd64.deb
747c714113b658a34ffd1789d9b7494454d4aee2 25100 lighttpd-mod-magnet_1.4.30-1_amd64.deb
ce0bb4d29bfed4a22b8259fa3cb77d05b46da6ee 31358 lighttpd-mod-webdav_1.4.30-1_amd64.deb
Checksums-Sha256:
d478233c041d95a065710addc72c9cec7f64280806fe9e374c31a2f32870df94 2021 lighttpd_1.4.30-1.dsc
59ae55b0ec427c328fa74d683e00eb1bc99bcc20cd184177875e9b6865de2b8b 834241 lighttpd_1.4.30.orig.tar.gz
099a6c3023a8b36e9fcf23b74c241a6a82c745e4fcc55342055f9afa04d2c0da 26429 lighttpd_1.4.30-1.debian.tar.gz
cb28a965e8a1b05dd252d1f97944243207a8dde280889c7e9fd913673ae27ee9 301500 lighttpd_1.4.30-1_amd64.deb
e48ebe6760b1ba9d3fc669da8f5f7ce6345a1737eb3e791de9964decfa7fcd69 63030 lighttpd-doc_1.4.30-1_all.deb
d60dae9f7ebc0732cab30d058d49444e5c911539767979d07912483960066dd7 19014 lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
7446458aa023c31dba3d1747de83a30984a39606998d06ee876bfa4d6bb47f00 20686 lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
5599c32fc1f783f84fc68e4ba7451eee7787436ff6cedc8159fa784a23cbd334 23872 lighttpd-mod-cml_1.4.30-1_amd64.deb
de04387a8b4810695e77bf337b92f71c913bc297b95260ae4c8e10370d176197 25100 lighttpd-mod-magnet_1.4.30-1_amd64.deb
88656c99fc37bd524c2053e2fbd7d6db0ce1e93f891fe4401e5683653a0788dd 31358 lighttpd-mod-webdav_1.4.30-1_amd64.deb
Files:
025d6446ceb1f654f56fd33700482c8e 2021 httpd optional lighttpd_1.4.30-1.dsc
7f0bbb66a05099f634ea8f63af99cfed 834241 httpd optional lighttpd_1.4.30.orig.tar.gz
cc484f3f504c6aaf3bf934e3553d6329 26429 httpd optional lighttpd_1.4.30-1.debian.tar.gz
ce72c9d945b1876b7c84bb92c9f32ca7 301500 httpd optional lighttpd_1.4.30-1_amd64.deb
3dbd1826a4d630a2724c7794517a5df7 63030 doc optional lighttpd-doc_1.4.30-1_all.deb
6a21d70ad8343213f11f28228432e66c 19014 httpd optional lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
bf49a05a75e0568ad85179b74670d058 20686 httpd optional lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
f1d66686ab9c0f68c74e062ea09b9fe9 23872 httpd optional lighttpd-mod-cml_1.4.30-1_amd64.deb
96d31e3557a1b4bc23e129cb47f61957 25100 httpd optional lighttpd-mod-magnet_1.4.30-1_amd64.deb
0660ffdd2e1eb69fbb487b49c6ce8703 31358 httpd optional lighttpd-mod-webdav_1.4.30-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk7w7DAACgkQHYflSXNkfP8G2gCbBXoTM3KXS9puD/C+slFGPJi+
Q9EAoLSJ3fM/Q5fPr/NnFLpplX/s8f5J
=W4o7
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Jan 2012 07:34:21 GMT)
Debian Bug tracking system. Last modified: Wed Jun 19 15:02:09 2019.