lighttpd: Security vulnerabilities in Etch version

Related Vulnerabilities: CVE-2007-1870, CVE-2007-1869

Debian Bug report logs - #422254


Reported by: Jon Vaughan <jonathan-debianbugs@turnip.org.uk>

Date: Fri, 4 May 2007 14:15:01 UTC

Severity: grave

Tags: patch, security

Merged with 419131

Found in versions lighttpd/1.4.13-10, lighttpd/1.4.13-4

Fixed in versions lighttpd/1.4.13-4etch4, lighttpd/1.4.15-1

Done: Krzysztof Krzyzaniak (eloy) <eloy@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#422254; Package lighttpd.


Acknowledgement sent to Jon Vaughan <jonathan-debianbugs@turnip.org.uk>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Jon Vaughan <jonathan-debianbugs@turnip.org.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lighttpd: Security vulnerabilities in Etch version
Date: Fri, 04 May 2007 14:13:34 +0000
Package: lighttpd
Version: 1.4.13-4
Severity: critical
Tags: security patch
Justification: root security hole

1.4.13-4 in etch has two security flaws: 
CVE-2007-1870
CVE-2007-1869

I include a patch against the debian source of 1.4.13-4 with
http://www.lighttpd.net/assets/2007/4/13/lighttpd-1.4.x_crlf_parsing_dos.patch
and
http://www.lighttpd.net/assets/2007/4/13/lighttpd-1.4.x_zero_mtime_crash.patch
applied.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20.7-linode30
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages lighttpd depends on:
ii  libattr1                    2.4.32-1     Extended attribute shared library
ii  libbz2-1.0                  1.0.3-6      high-quality block-sorting file co
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libldap2                    2.1.30-13.3  OpenLDAP libraries
ii  libpcre3                    6.7-1        Perl 5 Compatible Regular Expressi
ii  libssl0.9.8                 0.9.8c-4     SSL shared libraries
ii  lsb-base                    3.1-23.1     Linux Standard Base 3.1 init scrip
ii  mime-support                3.39-1       MIME files 'mime.types' & 'mailcap
ii  zlib1g                      1:1.2.3-13   compression library - runtime

Versions of packages lighttpd recommends:
pn  php4-cgi | php5-cgi           <none>     (no description available)

-- no debconf information
[lighttpd_1.4.13.patchjvaughan (text/x-c, attachment)]

Severity set to `grave' from `critical'. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Fri, 04 May 2007 17:12:01 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#422254; Package lighttpd.


Acknowledgement sent to Olaf van der Spek <OlafvdSpek@GMail.Com>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.


Message #12 received at 422254@bugs.debian.org:

From: Olaf van der Spek <OlafvdSpek@GMail.Com>
To: Debian Bug Tracking System <422254@bugs.debian.org>
Subject: lighttpd: When?
Date: Fri, 01 Jun 2007 15:29:03 +0200
Package: lighttpd
Followup-For: Bug #422254

Hi,

This bug doesn't look harmless. What is the reason it hasn't been fixed yet?

Olaf

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.20-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages lighttpd depends on:
ii  libattr1                    1:2.4.32-1.1 Extended attribute shared library
ii  libbz2-1.0                  1.0.3-7      high-quality block-sorting file co
ii  libc6                       2.5-9+b1     GNU C Library: Shared libraries
ii  libldap2                    2.1.30-13.4  OpenLDAP libraries
ii  libpcre3                    6.7-1        Perl 5 Compatible Regular Expressi
ii  libssl0.9.8                 0.9.8e-5     SSL shared libraries
ii  lsb-base                    3.1-23.1     Linux Standard Base 3.1 init scrip
ii  mime-support                3.39-1       MIME files 'mime.types' & 'mailcap
ii  perl                        5.8.8-7      Larry Wall's Practical Extraction 
ii  zlib1g                      1:1.2.3-15   compression library - runtime

Versions of packages lighttpd recommends:
ii  php5-cgi                      5.2.2-2    server-side, HTML-embedded scripti

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, marcos.marado@sonae.com, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#422254; Package lighttpd.


Acknowledgement sent to Mind Booster Noori <marcos.marado@sonae.com>:
Extra info received and forwarded to list. Copy sent to marcos.marado@sonae.com, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.


Message #17 received at 422254@bugs.debian.org:

From: Mind Booster Noori <marcos.marado@sonae.com>
To: Debian Bug Tracking System <422254@bugs.debian.org>
Subject: re: lighttpd: Security vulnerabilities in Etch version
Date: Wed, 13 Jun 2007 15:26:51 +0100
Package: lighttpd
Followup-For: Bug #422254


As a matter of fact, these two lighttpd 1.4.13 bugs were fixed in
1.4.14, but those patches added one bug, which was fixed in lighttpd
1.4.15. Since 1.4.15 is already in testing, that release closes this
bug. This bug should be closed as a duplicate of bug #419131, which was
closed with the upload of 1.4.15. Also, 1.4.15-1 should migrate to etch.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#422254; Package lighttpd.


Acknowledgement sent to Krzysztof Krzyżaniak <eloy@kofeina.net>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.


Message #22 received at 422254@bugs.debian.org:

From: Krzysztof Krzyżaniak <eloy@kofeina.net>
To: Mailling list for pkg-lighttpd maintaining <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Cc: Debian Bug Tracking System <422254@bugs.debian.org>
Subject: Re: [pkg-lighttpd] Bug#422254: lighttpd: Security vulnerabilities in Etch version
Date: Thu, 14 Jun 2007 12:50:18 +0200
Mind Booster Noori wrote:
> Package: lighttpd
> Followup-For: Bug #422254
> 
> 
> As a matter of fact, these two lighttpd 1.4.13 bugs were fixed in
> 1.4.14, but those patches added one bug, which was fixed in lighttpd
> 1.4.15. Since 1.4.15 is already in testing, that release closes this
> bug. This bug should be closed as a duplicate of bug #419131, which was
> closed with the upload of 1.4.15. Also, 1.4.15-1 should migrate to etch.

Last thing is not possible, etch will always have 1.4.13.

  eloy
-- 
-------e-l-o-y----------------------------e-l-o-y-@-k-o-f-e-i-n-a-.-n-e-t------

       how good it is that there are oceans - without them it would be even sadder



Forcibly Merged 419131 422254. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 27 Jun 2007 01:00:24 GMT)


Message sent on to Jon Vaughan <jonathan-debianbugs@turnip.org.uk>:
Bug#422254.


Message #27 received at 422254-submitter@bugs.debian.org:

From: Don Armstrong <don@debian.org>
To: 422254-submitter@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Merging and closing these bugs
Date: Tue, 26 Jun 2007 16:39:21 -0700
# This is the security NMU which fixed this bug
fixed 419131 1.4.13-4etch4
# Submitter of 42254, this closes 42254
forcemerge 419131 422254
thanks

Submitter of 422254: please see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419131#msg10 for the
message which resolved this bug.


Don Armstrong

-- 
Grimble left his mother in the food store and went to the launderette
and watched the clothes go round. It was a bit like colour television
only with less plot.
 -- Clement Freud _Grimble_

http://www.donarmstrong.com              http://rzlab.ucr.edu



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 17 Aug 2007 07:27:15 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:10:47 2019; Machine Name: beach
