lighttpd: CVE-2018-19052


Debian Bug report logs - #913528


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 11 Nov 2018 21:21:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions lighttpd/1.4.45-1, lighttpd/1.4.49-1.1

Fixed in version lighttpd/1.4.52-1

Done: Helmut Grohne <helmut.grohne@intenta.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#913528; Package src:lighttpd. (Sun, 11 Nov 2018 21:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>. (Sun, 11 Nov 2018 21:21:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lighttpd: CVE-2018-19052
Date: Sun, 11 Nov 2018 22:17:26 +0100
Source: lighttpd
Version: 1.4.49-1.1
Severity: important
Tags: security upstream
Control: found -1 1.4.45-1

Hi,

The following vulnerability was published for lighttpd.

CVE-2018-19052[0]:
| An issue was discovered in mod_alias_physical_handler in mod_alias.c in
| lighttpd before 1.4.50. There is potential ../ path traversal of a
| single directory above an alias target, with a specific mod_alias
| configuration where the matched alias lacks a trailing '/' character,
| but the alias target filesystem path does have a trailing '/'
| character.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19052
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19052
[1] https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1

Regards,
Salvatore
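
The CVE text above pins the risk to one specific shape of mod_alias configuration: an `alias.url` entry whose URL prefix has no trailing `/` while its filesystem target does. The real fix is the upstream release (1.4.50 and later, shipped in Debian as 1.4.52-1 below), but on hosts that cannot be upgraded immediately it helps to find that exact pattern in a config. The following checker is an added example written for this page; it is not code from the bug report, from Debian, or from the lighttpd project. It assumes the common `alias.url = ( "prefix" => "path" )` and `alias.url += ( ... )` forms and a constructed `lighttpd.conf` fragment embedded inline; the "hardened" rewrite (giving the alias the same trailing `/` as its target, so the two sides are consistent) is an assumed mitigation derived from the vulnerable combination the CVE describes, not a documented lighttpd directive.

```python
import re

# Constructed lighttpd.conf fragment for the demo; not taken from the bug report.
# The "/dav" entry has the mismatch the CVE text describes (alias without a
# trailing '/', filesystem target with one); the other two entries are consistent.
SAMPLE_CONF = r'''
server.document-root = "/var/www/html"
# alias.url = ( "/commented-out" => "/tmp/" )
alias.url = ( "/dav" => "/srv/dav/" )
alias.url += ( "/static/" => "/srv/static/",
               "/docs" => "/usr/share/doc/lighttpd" )
'''

# One alias.url assignment (= or +=) and its parenthesised list of pairs.
ALIAS_BLOCK = re.compile(r'alias\.url\s*\+?=\s*\((.*?)\)', re.S)
# A single "url-prefix" => "filesystem-path" pair inside that list.
PAIR = re.compile(r'"([^"]*)"\s*=>\s*"([^"]*)"')


def strip_comments(conf_text):
    """Drop everything from '#' to end of line so commented-out aliases are ignored.
    (Simplification: a '#' inside a quoted path would also be cut.)"""
    return "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())


def parse_alias_entries(conf_text):
    """Return (url_prefix, fs_path) tuples from every alias.url assignment, in file order."""
    entries = []
    for block in ALIAS_BLOCK.finditer(strip_comments(conf_text)):
        entries.extend(PAIR.findall(block.group(1)))
    return entries


def is_mismatched(url_prefix, fs_path):
    """The CVE-2018-19052 pattern: alias lacks a trailing '/', but its target has one."""
    return not url_prefix.endswith("/") and fs_path.endswith("/")


def find_risky_aliases(conf_text):
    """All alias entries in the config that show the mismatched pattern."""
    return [(u, p) for u, p in parse_alias_entries(conf_text) if is_mismatched(u, p)]


def harden(url_prefix, fs_path):
    """Assumed mitigation: give the alias the same trailing '/' as its target so the
    two sides are consistent. Entries that are already consistent are returned unchanged."""
    if is_mismatched(url_prefix, fs_path):
        return url_prefix + "/", fs_path
    return url_prefix, fs_path


def main():
    risky = find_risky_aliases(SAMPLE_CONF)
    if not risky:
        print("no mismatched alias.url entries found")
        return
    for url_prefix, fs_path in risky:
        fixed_url, fixed_path = harden(url_prefix, fs_path)
        print(f'mismatch: "{url_prefix}" => "{fs_path}"')
        print(f'  suggested: alias.url = ( "{fixed_url}" => "{fixed_path}" )')


if __name__ == "__main__":
    main()
```

Run against the embedded sample, the script reports only the `/dav` entry and prints a consistent replacement for it; point `SAMPLE_CONF` at a real file's contents to audit an actual host. The check is deliberately narrow: it flags the one combination named in the CVE text and says nothing about entries inside `$HTTP[...]` conditionals beyond matching them textually.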



Marked as found in versions lighttpd/1.4.45-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 11 Nov 2018 21:21:04 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from Helmut Grohne <helmut.grohne@intenta.de> to control@bugs.debian.org. (Tue, 04 Dec 2018 11:27:06 GMT) (full text, mbox, link).


Reply sent to Helmut Grohne <helmut.grohne@intenta.de>:
You have taken responsibility. (Thu, 06 Dec 2018 13:09:11 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 06 Dec 2018 13:09:11 GMT) (full text, mbox, link).


Message #14 received at 913528-close@bugs.debian.org (full text, mbox, reply):

From: Helmut Grohne <helmut.grohne@intenta.de>
To: 913528-close@bugs.debian.org
Subject: Bug#913528: fixed in lighttpd 1.4.52-1
Date: Thu, 06 Dec 2018 13:05:26 +0000
Source: lighttpd
Source-Version: 1.4.52-1

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913528@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Helmut Grohne <helmut.grohne@intenta.de> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 06 Dec 2018 13:44:42 +0100
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav lighttpd-mod-authn-gssapi lighttpd-mod-authn-ldap lighttpd-mod-authn-mysql lighttpd-mod-geoip
Architecture: source
Version: 1.4.52-1
Distribution: sid
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Helmut Grohne <helmut.grohne@intenta.de>
Description:
 lighttpd   - fast webserver with minimal memory footprint
 lighttpd-doc - documentation for lighttpd
 lighttpd-mod-authn-gssapi - GSSAPI authentication for lighttpd
 lighttpd-mod-authn-ldap - LDAP authentication for lighttpd
 lighttpd-mod-authn-mysql - MySQL authentication for lighttpd
 lighttpd-mod-cml - cache meta language module for lighttpd
 lighttpd-mod-geoip - GeoIP restrictions for lighttpd
 lighttpd-mod-magnet - control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 857255 877039 879496 913528
Changes:
 lighttpd (1.4.52-1) unstable; urgency=medium
 .
   * QA Upload.
   * New upstream release. (Closes: #879496)
     + Fix CVE-2018-19052. (Closes: #913528)
     + Don't append port to unix sockets. (Closes: #877039)
     + Refactor buffer API. (Closes: #857255)
     + Don't use AC_PATH_PROG to find pkg-config. (Addresses: #912358)
     + Drop patch fix-openssl-1.1.1.patch applied upstream.
     + Add new mod_sockproxy.so to main package.
   * Replace Build-Depends: dh-systemd with newer debhelper for lintian.
Checksums-Sha1:
 f83569abd053a4a4142bd6445a14fe5a02cfc1ca 3164 lighttpd_1.4.52-1.dsc
 d2cc3d8b4997e73b0d8bf3fd2685fc0e79650385 728668 lighttpd_1.4.52.orig.tar.xz
 2eca58e718d9567083b7aad2a1be723cf3deba19 801 lighttpd_1.4.52.orig.tar.xz.asc
 3baaa543bdf03c86d8e63ae19e062e0798d89f5d 47008 lighttpd_1.4.52-1.debian.tar.xz
 9830b4a05d827c9e72c12173650296508f0507a5 13155 lighttpd_1.4.52-1_amd64.buildinfo
Checksums-Sha256:
 bab3dc02ee868bafed693e94c0b565cc924ebd4d0d960ca4e0d404aecb38ad27 3164 lighttpd_1.4.52-1.dsc
 27bc0991c530b7c6335e6efff2181934d3c1a1c516f7401ea71d8302cefda764 728668 lighttpd_1.4.52.orig.tar.xz
 fd8b589ec181f2d166fcadd71acf2e0b95c0c9ca8db96af2329d3a5a5efb2177 801 lighttpd_1.4.52.orig.tar.xz.asc
 40ebebd86ba93933dd7eae31e4b0693a0b04299e991c51796fff18afc29cbe19 47008 lighttpd_1.4.52-1.debian.tar.xz
 1d65294c2112cfd344926224ae6614a708206febb9fca44bbbcc58e0e23b0ccc 13155 lighttpd_1.4.52-1_amd64.buildinfo
Files:
 b334c8de0c5073d1665513281742a4f6 3164 httpd optional lighttpd_1.4.52-1.dsc
 34f5c79137325ba31484bed1e54e66e6 728668 httpd optional lighttpd_1.4.52.orig.tar.xz
 14cbef98f3d645b8ca380c7f8cbd186a 801 httpd optional lighttpd_1.4.52.orig.tar.xz.asc
 264d0d39104a12ee68b096d394c9c111 47008 httpd optional lighttpd_1.4.52-1.debian.tar.xz
 e2e357134aa1f2bee22773b4163396d0 13155 httpd optional lighttpd_1.4.52-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Feb 2019 07:26:45 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:44:57 2019; Machine Name: buxtehude
