lighttpd: SA_2014_01


Debian Bug report logs - #741493
lighttpd: SA_2014_01


Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Thu, 13 Mar 2014 00:39:02 UTC

Severity: serious

Found in version lighttpd/1.4.28-2

Fixed in versions lighttpd/1.4.31-4+deb7u3, lighttpd/1.4.33-1+nmu3, lighttpd/1.4.35-1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#741493; Package src:lighttpd. (Thu, 13 Mar 2014 00:39:06 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>. (Thu, 13 Mar 2014 00:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lighttpd: SA_2014_01
Date: Wed, 12 Mar 2014 20:35:35 -0400
package: src:lighttpd
severity: serious
version: 1.4.28-2
tag: security

lighttpd just released a security announcement:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt

This was assigned the following CVEs:
SQL injection - use CVE-2014-2323.
path traversal - use CVE-2014-2324.

Best wishes,
Mike



Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Thu, 13 Mar 2014 01:51:16 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Thu, 13 Mar 2014 01:51:17 GMT)


Message #10 received at 741493-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 741493-close@bugs.debian.org
Subject: Bug#741493: fixed in lighttpd 1.4.33-1+nmu3
Date: Thu, 13 Mar 2014 01:50:13 +0000
Source: lighttpd
Source-Version: 1.4.33-1+nmu3

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 741493@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 13 Mar 2014 00:29:44 +0000
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source amd64 all
Version: 1.4.33-1+nmu3
Distribution: unstable
Urgency: high
Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 lighttpd   - fast webserver with minimal memory footprint
 lighttpd-doc - documentation for lighttpd
 lighttpd-mod-cml - cache meta language module for lighttpd
 lighttpd-mod-magnet - control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 741493
Changes: 
 lighttpd (1.4.33-1+nmu3) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team (closes: #741493).
   * Fix cve-2014-2323: mod_mysql_vhost SQL injection.
   * Fix cve-2014-2334: traversal through paths involving "[...]".




Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#741493; Package src:lighttpd. (Sun, 16 Mar 2014 22:57:08 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>. (Sun, 16 Mar 2014 22:57:08 GMT)


Message #15 received at 741493@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 741493@bugs.debian.org
Subject: Re: Bug#741493: lighttpd: SA_2014_01
Date: Sun, 16 Mar 2014 18:52:07 -0400
Hi, here is the patch for the security upload.

Best wishes,
Mike
[lighttpd.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#741493; Package src:lighttpd. (Sun, 16 Mar 2014 23:51:09 GMT)


Acknowledgement sent to Stefan Bühler <stbuehler@lighttpd.net>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>. (Sun, 16 Mar 2014 23:51:09 GMT)


Message #20 received at 741493@bugs.debian.org:

From: Stefan Bühler <stbuehler@lighttpd.net>
To: Michael Gilbert <mgilbert@debian.org>, 741493@bugs.debian.org
Subject: Re: Bug#741493: lighttpd: SA_2014_01
Date: Mon, 17 Mar 2014 00:39:08 +0100
Hi!

On Sun, 16 Mar 2014 18:52:07 -0400
Michael Gilbert <mgilbert@debian.org> wrote:

> Hi, here is the patch for the security upload.
> 
> Best wishes,
> Mike

a) I'd treat it as one patch. In any case the hostname patch fixes both
CVE ids - assigning it to only the path traversal just isn't right.
(I'm not happy with two ids anyway, but splitting the patch only makes
it worse.)

b) If you can't copy utf8 chars, s/ü/ue/, s/ä/ae/, s/ö/oe/ :)

regards,
Stefan Bühler



Marked as fixed in versions lighttpd/1.4.35-1. Request was from Ivo De Decker <ivo.dedecker@ugent.be> to control@bugs.debian.org. (Sun, 30 Mar 2014 15:42:05 GMT)


Marked as fixed in versions lighttpd/1.4.31-4+deb7u3. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Mon, 13 Oct 2014 02:21:11 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Nov 2014 07:33:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:38:59 2019; Machine Name: beach
