Debian Bug report logs - #926885
lighttpd: CVE-2019-11072

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 11 Apr 2019 19:24:02 UTC

Severity: grave

Tags: security, upstream

Found in version lighttpd/1.4.53-3

Fixed in version lighttpd/1.4.53-4

Done: Glenn Strauss <gstrauss@gluelogic.com>

Bug is archived. No further changes may be made.

Forwarded to https://redmine.lighttpd.net/issues/2945


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#926885; Package src:lighttpd. (Thu, 11 Apr 2019 19:24:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>. (Thu, 11 Apr 2019 19:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lighttpd: CVE-2019-11072
Date: Thu, 11 Apr 2019 21:20:54 +0200
Source: lighttpd
Version: 1.4.53-3
Severity: grave
Tags: security upstream
Forwarded: https://redmine.lighttpd.net/issues/2945

Hi,

The following vulnerability was published for lighttpd.

CVE-2019-11072[0]:
| lighttpd before 1.4.54 has a signed integer overflow, which might
| allow remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via a malicious HTTP
| GET request, as demonstrated by mishandling of /%2F? in
| burl_normalize_2F_to_slash_fix in burl.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11072
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11072
[1] https://redmine.lighttpd.net/issues/2945
[2] https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Glenn Strauss <gstrauss@gluelogic.com>:
You have taken responsibility. (Wed, 17 Apr 2019 14:36:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 17 Apr 2019 14:36:03 GMT)


Message #10 received at 926885-close@bugs.debian.org:

From: Glenn Strauss <gstrauss@gluelogic.com>
To: 926885-close@bugs.debian.org
Subject: Bug#926885: fixed in lighttpd 1.4.53-4
Date: Wed, 17 Apr 2019 14:33:59 +0000
Source: lighttpd
Source-Version: 1.4.53-4

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926885@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Glenn Strauss <gstrauss@gluelogic.com> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Apr 2019 00:00:00 -0400
Source: lighttpd
Architecture: source
Version: 1.4.53-4
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Glenn Strauss <gstrauss@gluelogic.com>
Closes: 926885
Changes:
 lighttpd (1.4.53-4) unstable; urgency=high
 .
   * QA upload.
   * fix mixed use of srv->split_vals array (regression)
   * mod_magnet:fix invalid script return-type crash
   * fix assertion with server.error-handler
   * mod_wstunnel:fix wstunnel.ping-interval for big-endian architectures
   * fix abort in server.http-parseopts with url-path-2f-decode enabled
     CVE-2019-11072 (closes: #926885)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 16 May 2019 07:27:41 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:55:25 2019; Machine Name: beach
