lighttpd: CVE-2008-1531 SSL connection loss can be triggered by SSL errors

Related Vulnerabilities: CVE-2008-1531  

Debian Bug report logs - #475438


Reported by: Nico Golde <nion@debian.org>

Date: Thu, 10 Apr 2008 19:33:05 UTC

Severity: grave

Tags: patch, security

Fixed in version lighttpd/1.4.19-2

Done: Pierre Habouzit <madcoder@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#475438; Package lighttpd.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: lighttpd: CVE-2008-1531 SSL connection loss can be triggered by SSL errors
Date: Thu, 10 Apr 2008 21:31:43 +0200
Package: lighttpd
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for lighttpd.


CVE-2008-1531[0]:
| lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
| of service (active SSL connection loss) by triggering an SSL error,
| such as disconnecting before a download has finished, which causes all
| active SSL connections to be lost.

Please use:
http://trac.lighttpd.net/trac/attachment/ticket/285/committed-patch-1.4.19.patch
to patch this and not the referenced trac changeset because 
it contains a bug (see #474951).

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1531
    http://security-tracker.debian.net/tracker/CVE-2008-1531

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
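As an added example (not part of the bug report or of the lighttpd project), a small Python check that decides whether an installed Debian lighttpd version predates the fixed version named in this report, reimplementing the dpkg version-ordering rules so that revisions, epochs and backport suffixes (`~`) compare the way `dpkg --compare-versions` does:

```python
"""Compare an installed lighttpd version against the CVE-2008-1531 fix.

FIXED_VERSION comes from this bug report ("Fixed in version lighttpd/1.4.19-2").
The comparison below reimplements dpkg's ordering: epoch, then upstream version,
then Debian revision, each split into alternating non-digit and digit runs.
"""
import re

FIXED_VERSION = "1.4.19-2"


def _order(c: str) -> int:
    # dpkg character ranking: '~' sorts before end-of-string, letters by ASCII,
    # every other non-digit character after all letters.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_nondigit(sa: str, sb: str) -> int:
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else ""
        y = sb[i] if i < len(sb) else ""
        if _order(x) != _order(y):
            return -1 if _order(x) < _order(y) else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    # Alternate non-digit runs (lexical, with the '~' rule) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(v: str):
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_vulnerable(installed: str) -> bool:
    """True when the installed Debian version sorts before the fixed one."""
    return compare_versions(installed, FIXED_VERSION) < 0
```

Note that a backport such as `1.4.19-2~bpo40+1` sorts before `1.4.19-2` and is therefore reported as still affected; a version-string check is only as good as the package metadata it reads.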

Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#475438; Package lighttpd.


Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.


Message #10 received at 475438@bugs.debian.org:

From: Pierre Habouzit <madcoder@debian.org>
To: control@bugs.debian.org
Cc: 472175@bugs.debian.org, 475438@bugs.debian.org
Subject: setting package to lighttpd-mod-webdav lighttpd lighttpd-mod-magnet lighttpd-mod-trigger-b4-dl lighttpd-doc lighttpd-mod-cml lighttpd-mod-mysql-vhost ...
Date: Sun, 13 Apr 2008 12:25:37 +0200
# Automatically generated email from bts, devscripts version 2.10.25
#
# lighttpd (1.4.19-2) UNRELEASED; urgency=low
#
#  * Add patches/ssl-connection-errors.patch for CVE-2008-1531
#    (Closes: 475438).
#  * Test for /var/cache/lighttpd/compress in lighttpd.cron.daily to avoid
#    spurious errors for uninstalled and not purged lighttpd's
#    (Closes: 472175).
#

package lighttpd-mod-webdav lighttpd lighttpd-mod-magnet lighttpd-mod-trigger-b4-dl lighttpd-doc lighttpd-mod-cml lighttpd-mod-mysql-vhost
tags 475438 + pending
tags 472175 + pending

Tags added: pending. Request was from Pierre Habouzit <madcoder@debian.org> to control@bugs.debian.org. (Sun, 13 Apr 2008 10:27:08 GMT)


Reply sent to Pierre Habouzit <madcoder@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #17 received at 475438-close@bugs.debian.org:

From: Pierre Habouzit <madcoder@debian.org>
To: 475438-close@bugs.debian.org
Subject: Bug#475438: fixed in lighttpd 1.4.19-2
Date: Sun, 13 Apr 2008 11:32:13 +0000
Source: lighttpd
Source-Version: 1.4.19-2

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive:

lighttpd-doc_1.4.19-2_all.deb
  to pool/main/l/lighttpd/lighttpd-doc_1.4.19-2_all.deb
lighttpd-mod-cml_1.4.19-2_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-cml_1.4.19-2_amd64.deb
lighttpd-mod-magnet_1.4.19-2_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-magnet_1.4.19-2_amd64.deb
lighttpd-mod-mysql-vhost_1.4.19-2_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.19-2_amd64.deb
lighttpd-mod-trigger-b4-dl_1.4.19-2_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.19-2_amd64.deb
lighttpd-mod-webdav_1.4.19-2_amd64.deb
  to pool/main/l/lighttpd/lighttpd-mod-webdav_1.4.19-2_amd64.deb
lighttpd_1.4.19-2.diff.gz
  to pool/main/l/lighttpd/lighttpd_1.4.19-2.diff.gz
lighttpd_1.4.19-2.dsc
  to pool/main/l/lighttpd/lighttpd_1.4.19-2.dsc
lighttpd_1.4.19-2_amd64.deb
  to pool/main/l/lighttpd/lighttpd_1.4.19-2_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475438@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Habouzit <madcoder@debian.org> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 13 Apr 2008 13:20:40 +0200
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source all amd64
Version: 1.4.19-2
Distribution: unstable
Urgency: low
Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Changed-By: Pierre Habouzit <madcoder@debian.org>
Description: 
 lighttpd   - A fast webserver with minimal memory footprint
 lighttpd-doc - Documentation for lighttpd
 lighttpd-mod-cml - Cache meta language module for lighttpd
 lighttpd-mod-magnet - Control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - Anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 408521 472119 472122 472175 473053 473510 475438
Changes: 
 lighttpd (1.4.19-2) unstable; urgency=low
 .
   * Add patches/ssl-connection-errors.patch for CVE-2008-1531
     (Closes: 475438).
   * Test for /var/cache/lighttpd/compress in lighttpd.cron.daily to avoid
     spurious errors for uninstalled and not purged lighttpd's
     (Closes: 472175).
 .
   * Add handling of /var/cache/lighttpd/uploads (Closes: 408521):
      + add it in lighttpd.dirs.
      + add it as a server.upload-dirs in lighttpd.conf.
      + purge it daily in lighttpd.cron.daily.
 .
   * Fix typo in lighttpd.preinst causing failure to update 05-auth symlink
     properly (Closes: 472119).
 .
   * init.d: stopping an already stopped lighttpd, or starting an already
     running one should not fail (Closes: 472122).
 .
   * Use $HTTP["remoteip"] =~ "127.0.0.1" in configuration snippets so that it
     works when ipv6 is enabled by default too (Closes: 473510).
 .
   * Use perl to detect if the host has ipv6, and generate the server.use-ipv6
     snippet on the fly instead of forcing it to true (Closes: 473053).



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 28 May 2008 07:32:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:38:50 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.