lighttpd: multiple security issues

Debian Bug report logs - #729453

Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Wed, 13 Nov 2013 04:15:01 UTC

Severity: serious

Tags: patch

Found in version lighttpd/1.4.28-1

Fixed in versions lighttpd/1.4.31-4+deb7u3, lighttpd/1.4.33-1+nmu1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#729453; Package lighttpd. (Wed, 13 Nov 2013 04:15:06 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>. (Wed, 13 Nov 2013 04:15:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lighttpd: multiple security issues
Date: Tue, 12 Nov 2013 23:11:21 -0500
package: lighttpd
severity: serious
version: 1.4.28-1

Multiple issues have been disclosed for lighttpd:
CVE-2013-4508 http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
CVE-2013-4559 http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
CVE-2013-4560 http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt



Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#729453; Package lighttpd. (Wed, 13 Nov 2013 04:57:05 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>. (Wed, 13 Nov 2013 04:57:05 GMT)


Message #10 received at 729453@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 729453@bugs.debian.org
Subject: re: lighttpd: multiple security issues
Date: Tue, 12 Nov 2013 23:52:57 -0500
control: tag -1 patch

Hi, I've uploaded an nmu fixing these issues.  Please see attached patch.

Best wishes,
Mike
[lighttpd.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from Michael Gilbert <mgilbert@debian.org> to 729453-submit@bugs.debian.org. (Wed, 13 Nov 2013 04:57:05 GMT)


Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Wed, 13 Nov 2013 05:06:06 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Wed, 13 Nov 2013 05:06:06 GMT)


Message #17 received at 729453-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 729453-close@bugs.debian.org
Subject: Bug#729453: fixed in lighttpd 1.4.33-1+nmu1
Date: Wed, 13 Nov 2013 05:03:30 +0000
Source: lighttpd
Source-Version: 1.4.33-1+nmu1

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729453@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 13 Nov 2013 02:19:47 +0000
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source amd64 all
Version: 1.4.33-1+nmu1
Distribution: unstable
Urgency: high
Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 lighttpd   - fast webserver with minimal memory footprint
 lighttpd-doc - documentation for lighttpd
 lighttpd-mod-cml - cache meta language module for lighttpd
 lighttpd-mod-magnet - control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 729453
Changes: 
 lighttpd (1.4.33-1+nmu1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team (closes: #729453).
   * Fix cve-2013-4508: ssl cipher suites issue.
   * Fix cve-2013-4559: setuid privilege escalation issue.
   * Fix cve-2013-4560: use-after-free in fam.
Checksums-Sha1: 
 60b88c0ae244562b76056a265fb74f8ff38229d1 3413 lighttpd_1.4.33-1+nmu1.dsc
 1f3b227cc2ed8b0f7935a1557ec89ba873422b09 32357 lighttpd_1.4.33-1+nmu1.debian.tar.gz
 5a63d1d1178a5bfaa9fb649015307a87fdd25ae7 235066 lighttpd_1.4.33-1+nmu1_amd64.deb
 cfb680a9d75edcbba9b033398c4fda36e838b931 60570 lighttpd-doc_1.4.33-1+nmu1_all.deb
 62fb86d4fa7bf4d6de59d6f77307e6a02f0357f1 18972 lighttpd-mod-mysql-vhost_1.4.33-1+nmu1_amd64.deb
 d4e2f8b2f4a1ce9ade3c06b2e836cc856a69e58c 20320 lighttpd-mod-trigger-b4-dl_1.4.33-1+nmu1_amd64.deb
 56710008913762e922bcb58afd5902afa6ef3313 22818 lighttpd-mod-cml_1.4.33-1+nmu1_amd64.deb
 17c503f4ccfb2a91a1674d7e4379cced339d7d72 23626 lighttpd-mod-magnet_1.4.33-1+nmu1_amd64.deb
 b6def3d5015fbd60de1a3afcc669c27cfee5cb3b 29112 lighttpd-mod-webdav_1.4.33-1+nmu1_amd64.deb
Checksums-Sha256: 
 4a8b972a6e4423d432782958fc9b5cbabc75c0b86f0ff299c4c9e40099cef757 3413 lighttpd_1.4.33-1+nmu1.dsc
 c945c236648fcf851d75bcca0372df756a6df3829043ba8d3ae612646acede69 32357 lighttpd_1.4.33-1+nmu1.debian.tar.gz
 089311f56dac6db9e5c770ad180a799b6d955909b4e47fdbfc3a96a39b237a78 235066 lighttpd_1.4.33-1+nmu1_amd64.deb
 a687b2bfe8ddf7f4cfed1c3587fab7c8e2647dc60c999a06ad7c43f6f8c48ca6 60570 lighttpd-doc_1.4.33-1+nmu1_all.deb
 7931376b1135b56796ec352a18655aeb88dbcbe24dfe1021d3ab58d246ec947c 18972 lighttpd-mod-mysql-vhost_1.4.33-1+nmu1_amd64.deb
 17e295b7e93ca5703664b06e2e9d8c3ad9c1fabe0437072bbbcd4b1a689489f4 20320 lighttpd-mod-trigger-b4-dl_1.4.33-1+nmu1_amd64.deb
 2ffbd5285637e240ddf68965d63e33edb57fc46040245f30a598d582eb721c57 22818 lighttpd-mod-cml_1.4.33-1+nmu1_amd64.deb
 89c39f3c4244ac81ecad52e7157dbe32bb3652bb6fb6d4e45a6cddcc5bdccc22 23626 lighttpd-mod-magnet_1.4.33-1+nmu1_amd64.deb
 b762b221f3a983dbfcbe244c88fe3c009a46c9ba0425f14c8cf9fdf0a0341142 29112 lighttpd-mod-webdav_1.4.33-1+nmu1_amd64.deb
Files: 
 2a7b4a70fd13065c0470fd1838e1e5cb 3413 httpd optional lighttpd_1.4.33-1+nmu1.dsc
 cb0becdd4a35e0b6875018161e36169a 32357 httpd optional lighttpd_1.4.33-1+nmu1.debian.tar.gz
 6bbf449f597d50f72dedb2469ec28bea 235066 httpd optional lighttpd_1.4.33-1+nmu1_amd64.deb
 956ae44a62f99eeaa5ab4c200962f6aa 60570 doc optional lighttpd-doc_1.4.33-1+nmu1_all.deb
 4ee821a3a7c74c3df8b16544a8d006d2 18972 httpd optional lighttpd-mod-mysql-vhost_1.4.33-1+nmu1_amd64.deb
 bc7a2963d49e636bf53373fba52c1b4e 20320 httpd optional lighttpd-mod-trigger-b4-dl_1.4.33-1+nmu1_amd64.deb
 f19ad9a9d852103cca55dd4db268674a 22818 httpd optional lighttpd-mod-cml_1.4.33-1+nmu1_amd64.deb
 35d78309781dfc519f86da97a185a17d 23626 httpd optional lighttpd-mod-magnet_1.4.33-1+nmu1_amd64.deb
 157b4bad10188367846d2434e46d022f 29112 httpd optional lighttpd-mod-webdav_1.4.33-1+nmu1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQQcBAEBCgAGBQJSgwTnAAoJELjWss0C1vRzVC8gAKwjxSRtR2+q3afJ5BMT4rwU
qG/FhH+O95Xz4f078ZTC6cK1jINg57EUqMbFOeVPV68xhmNq8DPYWQ6Ai8rjMgGn
lrorgdKKlHztijlLUZ4Cf1+Jbho3NBV0hBX6L8FxxyWfIsO8vkWQvGLshWK5KV7u
b0FWHoxJRUcEW6LHeq8/ucj3S1fl4ZfM1Iw1cZAwlGbwpQTqbTGMrOB63B7UU5D8
Ct74v7Un02J5af2OxhCTjy/L2UD1rThJGEkPZCI2lTUOydeqxqwDCg9oefBWVOof
zzjKqnHOujuklBtUb+YR5dc+HhZ/ZJxEiUvywyNvZV9A9O+lOif59oKpOQaVOAwW
AoL0UZEB3aWQa4v/kMY2wWhvRP6VSWCdjeqv52bWRNuL7tMBrNKxXZNse1JUgxe0
pfHqeDLTCGnVN0h4BDqaOGh8jbav5FbtUwkqwcpbixC4bvnQpoiCxzpOZUZDRtdu
WE6KMUs2bJJlsDXDkcF5R8X4I19ijWIl/2l5MQC20OuCj+ejkaGdi8V299epBILz
ye7HL9EkosWQapQsyRv7mvCG71qpPIcoTSIkRoHuL8TeH4ISD3BzXG2gCxJk9ZaS
HvUkdxdA9HMPC4munfwH5MKQThihxnqgOAlXWVExWQ2E9+BUI2MH1FbJZQLoFzDw
7BYCmHJxJaIzAA9PU/GVCa9t3GDHmT0Hk6bTPIZLZWam4wxZHSvSPBIWQ4mq7qMS
wBf4hkiPZx1fbQjlymjiCpUMxQTC1QWwWZB/YheT4m1x9blYjCv9w3+C1URhtWem
T5WFGXjja/eCG+/1CAVzBwJDNW+WoMvy+hnhh+nLLrL956GlOqV6zzJEiTHvXB1E
fo2ruqtwOwQKr4cbxPQk5Gp+jZL7H1/zBYsiuc0eefnvQbQnWmKtKz53H558rlda
Hq7FQTlYhgTkWrJ81cVTf2MZqQWYMcZW2ezqxqnVn6EBGH8ewMfl229BSCHLIbAV
ILJEPpthAJGbIuCRRGQeVn1HchOQmDvlBd2OenTdbZaeW0u2PwwnE8SHptmiaIhq
xRM+hyKivJBz9poTRoDdwjvG2teHQyeU0mnrJToQ8DsTY2LMKGoKq6Y7tzjWwYX4
wsMKEm8IrnBXx2bYBd4xBCP+lMg6vHHWpi+6MdavqGc5o8gsrEa/2KBMkwWAiHHj
2leXm5+IJ5DCaZxL59vef7hcq0f97sRpZsK5+V2+IAPTMRKpIwsVlk7EpuDEZJ3H
Ike+Zd/F4wxicezwg/mX+v9Gw6Aj7SQG4UfLyxyF1WYktSUzFAfkzgUnm1V+Jez4
qtaSVtdvIpe7iaWClkshoohrtOT/fMqjRaQfWJIjz9XwFxLPAd4Akq67SUE2PfA=
=Q/zL
-----END PGP SIGNATURE-----




Marked as fixed in versions lighttpd/1.4.31-4+deb7u3. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Mon, 13 Oct 2014 02:21:10 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Nov 2014 07:30:11 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:30:17 2019; Machine Name: buxtehude
