[CVE-2008-1111] Failure to Handle Exceptional Conditions

Bug #198731 reported by Stephan Ruegamer on 2008-03-05
Affects             Status   Importance   Assigned to         Milestone
lighttpd (Ubuntu)            Medium       Stephan Ruegamer
  Dapper                     Medium       Emanuele Gentili
  Edgy                       Medium       Emanuele Gentili
  Feisty                     Medium       Emanuele Gentili
  Gutsy                      Medium       Emanuele Gentili
  Hardy                      Medium       Stephan Ruegamer

Bug Description

Binary package hint: lighttpd

mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the source code of CGI scripts instead of a 500 error, which might allow remote attackers to obtain sensitive information.

Fixes are found at: http://trac.lighttpd.net/trac/changeset/2107
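The bug class behind this report, as an added illustration that is not lighttpd's code: in a handler chain, a CGI handler that merely declines the request on fork failure (instead of finishing it with a 500) lets the static-file handler that runs next serve the script's source. The enum values, `dispatch`, `fake_fork`, `leaks_source_on_fork_failure` and the sample script text are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed handler chain: CGI runs first; HANDLER_GO_ON hands the request
 * to the static-file handler, which serves the requested path from disk. */
enum handler_result { HANDLER_FINISHED, HANDLER_GO_ON };
struct response { int status; char body[64]; };

/* Stand-in for the script file on disk (constructed sample). */
static const char SCRIPT_SOURCE[] = "#!/bin/sh\necho secret-token";
/* Simulated fork(): fails on demand so the error path runs deterministically. */
static int fake_fork(int fork_fails) { return fork_fails ? -1 : 1234; }

/* Vulnerable pattern: on fork failure the handler declines the request,
 * so the next handler serves the script file as static content. */
static enum handler_result cgi_vulnerable(int fork_fails, struct response *r) {
    if (fake_fork(fork_fails) == -1) return HANDLER_GO_ON;
    r->status = 200; strcpy(r->body, "<cgi output>");
    return HANDLER_FINISHED;
}

/* Fixed pattern: the exceptional condition ends the request with a 500. */
static enum handler_result cgi_fixed(int fork_fails, struct response *r) {
    if (fake_fork(fork_fails) == -1) {
        r->status = 500; r->body[0] = '\0';
        return HANDLER_FINISHED;
    }
    r->status = 200; strcpy(r->body, "<cgi output>");
    return HANDLER_FINISHED;
}

/* Run the chain and return the final HTTP status. */
int dispatch(enum handler_result (*cgi)(int, struct response *),
             int fork_fails, struct response *r) {
    if (cgi(fork_fails, r) == HANDLER_GO_ON) {
        r->status = 200; strcpy(r->body, SCRIPT_SOURCE); /* static-file handler */
    }
    return r->status;
}

/* 1 if a fork failure makes the chain send the script source, else 0. */
int leaks_source_on_fork_failure(enum handler_result (*cgi)(int, struct response *)) {
    struct response r;
    dispatch(cgi, 1, &r);
    return strcmp(r.body, SCRIPT_SOURCE) == 0;
}

int main(void) {
    printf("vulnerable leaks: %d\n", leaks_source_on_fork_failure(cgi_vulnerable));
    printf("fixed leaks: %d\n", leaks_source_on_fork_failure(cgi_fixed));
    return 0;
}
```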

Stephan Ruegamer (sadig) on 2008-03-05
Changed in lighttpd:
assignee: nobody → shermann
status: New → Confirmed
Changed in lighttpd:
assignee: nobody → emgent
assignee: nobody → emgent
assignee: nobody → emgent
assignee: nobody → emgent
Stephan Ruegamer (sadig) wrote :

lighttpd (1.4.18-1ubuntu5) hardy; urgency=low

  * debian/patches/90-CVE-2008-1111.dpatch:
    - Fixes CVE-2008-1111
      "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the source
      code of CGI scripts instead of a 500 error, which might allow remote attackers
      to obtain sensitive information."
      Upstream Patch: http://trac.lighttpd.net/trac/changeset/2107

 -- Stephan Hermann <email address hidden> Wed, 05 Mar 2008 14:04:43 +0100

Changed in lighttpd:
importance: Undecided → Medium
status: Confirmed → Fix Released
Changed in lighttpd:
importance: Undecided → Medium
Emanuele Gentili (emgent) wrote :
Changed in lighttpd:
importance: Undecided → Medium
Emanuele Gentili (emgent) wrote :
Changed in lighttpd:
importance: Undecided → Medium
Emanuele Gentili (emgent) wrote :
Changed in lighttpd:
importance: Undecided → Medium
Changed in lighttpd:
status: New → In Progress
status: New → In Progress
status: New → In Progress
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

After some minor changelog fixes, I have uploaded dapper - gutsy.

Changed in lighttpd:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.18-1ubuntu1.2

---------------
lighttpd (1.4.18-1ubuntu1.2) gutsy-security; urgency=low

  * SECURITY UPDATE:
   + debian/patches/91_CVE-2008-1111.dpatch:
    - Fixes CVE-2008-1111
      "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
      source code of CGI scripts instead of a 500 error, which might allow
      remote attackers to obtain sensitive information." (LP: #198731)
  * References
   + http://trac.lighttpd.net/trac/changeset/2107
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

 -- Emanuele Gentili <email address hidden> Wed, 05 Mar 2008 14:28:27 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.13-9ubuntu4.4

---------------
lighttpd (1.4.13-9ubuntu4.4) feisty-security; urgency=low

  * SECURITY UPDATE:
   + debian/patches/91_CVE-2008-1111.dpatch:
    - Fixes CVE-2008-1111
      "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
      source code of CGI scripts instead of a 500 error, which might allow
      remote attackers to obtain sensitive information." (LP: #198731)
  * References
   + http://trac.lighttpd.net/trac/changeset/2107
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

 -- Emanuele Gentili <email address hidden> Wed, 05 Mar 2008 14:53:26 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

lighttpd (1.4.11-3ubuntu3.7) dapper-security; urgency=low

  * SECURITY UPDATE:
   + debian/patches/91_CVE-2008-1111.dpatch:
    - Fixes CVE-2008-1111
      "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
      source code of CGI scripts instead of a 500 error, which might allow
      remote attackers to obtain sensitive information." (LP: #198731)
  * References
   + http://trac.lighttpd.net/trac/changeset/2107
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

 -- Emanuele Gentili <email address hidden> Wed, 05 Mar 2008 16:32:13 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

lighttpd (1.4.13~r1370-1ubuntu1.5) edgy-security; urgency=low

  * SECURITY UPDATE:
   + debian/patches/91_CVE-2008-1111.dpatch:
    - Fixes CVE-2008-1111
      "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
      source code of CGI scripts instead of a 500 error, which might allow
      remote attackers to obtain sensitive information." (LP: #198731)
  * References
   + http://trac.lighttpd.net/trac/changeset/2107
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

 -- Emanuele Gentili <email address hidden> Wed, 05 Mar 2008 16:14:40 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released