please upgrade: lighttpd 1.4.76

Bug #2058045 reported by gstrauss
This bug affects 3 people
Affects: lighttpd (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

https://redmine.lighttpd.net/projects/lighttpd/wiki/Release-1_4_75

https://salsa.debian.org/debian/lighttpd/

Note: there is a regression in lighttpd 1.4.74 which breaks mod_dirlisting. lighttpd 1.4.75 fixes that. Alternatively, https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/3d400ce06dcb950a61363f87330324db244f4bac can be added to the lighttpd 1.4.74 package in Noble (proposed).

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lighttpd (Ubuntu):
status: New → Confirmed
Paride Legovini (paride) wrote :

Hello, lighttpd 1.4.75 is not packaged in Debian yet. Once packaged there it may (or may not!) come to Noble as a microrelease upgrade, see [1].

On your bug: please file a new bug stating the problem with mod_dirlisting and pointing to the fix. The fix may be delivered as a "normal" bugfix, cherry-picking the fix following the procedures described in [1].

[1] https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases

gstrauss (gstrauss) wrote :

> Hello, lighttpd 1.4.75 is not packaged in Debian yet.

I trust you are aware that all Debian development on all Debian 64-bit and 32-bit platforms is currently blocked due to the way Debian has (mis)"planned" the Debian time64 transition for 32-bit platforms.

Some Ubuntu developers are working with Debian developers and it seems that it was overlooked that the Ubuntu package stabilization for 24.04 beta overlapped with the Debian time64 transition.

I am a lighttpd developer.
lighttpd 1.4.75 is tagged https://salsa.debian.org/debian/lighttpd/
My Debian "Request for Sponsorship" for lighttpd package release is 3 weeks old.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067126

lighttpd 1.4.75 is intended for Ubuntu 24.04, which Ubuntu plans to maintain for 10 years. I hope that you will review the history of "how well" (lol) Ubuntu has "maintained" lighttpd and lighttpd patches in existing Ubuntu releases and understand why I am aiming for lighttpd 1.4.75 in Ubuntu 24.04.

gstrauss (gstrauss) wrote :

https://redmine.lighttpd.net/projects/lighttpd/wiki/Release-1_4_76

https://salsa.debian.org/debian/lighttpd/ has a tag for debian/1.4.76-1

lighttpd (1.4.76-1) unstable; urgency=medium
  * New upstream version 1.4.76
  * Detect VU#421644 HTTP/2 CONTINUATION Flood
  * Avoid CVE-2024-3094 xz supply chain attack

summary: - please upgrade: lighttpd 1.4.75
+ please upgrade: lighttpd 1.4.76
gstrauss (gstrauss) wrote (last edit ):

I am a lighttpd developer and have prepared patches for Ubuntu updates/backports.

lighttpd 1.4.76 is the current stable lighttpd release and is the best available version of lighttpd.

Added in lighttpd 1.4.76:
  * Detect VU#421644 HTTP/2 CONTINUATION Flood
  * Avoid CVE-2024-3094 xz supply chain attack

Noble should upgrade lighttpd 1.4.74 to lighttpd 1.4.76

The Mantic Minotaur should upgrade lighttpd 1.4.69 to lighttpd 1.4.76 and needs a single patch for behavior compatibility to revert the upgrade to stronger TLS defaults. (revert lighttpd commit 87b3a9cab8d964330aef12db9f78aae66eaf0968) While I consider incremental improvement of secure defaults something that should be backported for best security practices, I understand that Ubuntu policy differs.
0001-Revert-TLS-default-to-stronger-ciphers-w-PFS-and-AEA.patch

The Jammy Jellyfish should upgrade lighttpd 1.4.63 to lighttpd 1.4.76 and needs a few patches for behavior compatibility -- again to downgrade stronger lighttpd TLS defaults to weaker defaults in lighttpd 1.4.63 -- and to restore deprecated TLS directives, and to restore deprecated modules.
0001-Revert-TLS-default-to-stronger-ciphers-w-PFS-and-AEA.patch
0002-Revert-TLS-simplify-TLS-config-remove-deprecated-opt.patch
0003-Revert-TLS-upgrade-default-cipher-list-to-stronger-s.patch
0004-Revert-multiple-remove-deprecated-modules.patch
0005-Revert-multiple-remove-long-deprecated-modules.patch

lighttpd 1.4.73 contains detection for HTTP/2 Rapid Reset attacks, which The Mantic Minotaur and The Jammy Jellyfish ought to have in security and/or updates.
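As an added illustration of what the HTTP/2 CONTINUATION flood (VU#421644) and Rapid Reset detection mentioned in this thread amounts to, here is a small Python frame-stream monitor. It is example code written for this page, not lighttpd's implementation and not part of the bug report or its attached patches. The frame layout follows RFC 9113; the class name Http2AbuseMonitor, the thresholds (max_header_block, max_continuations, reset_limit) and the constructed sample byte strings are assumptions for the example only.

```python
"""Toy HTTP/2 abuse monitor (illustrative example, not lighttpd's code)."""

FRAME_HEADER_LEN = 9
TYPE_HEADERS, TYPE_RST_STREAM, TYPE_CONTINUATION = 0x1, 0x3, 0x9
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
ERROR_CANCEL = 8  # RST_STREAM error code CANCEL


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame: wait for more bytes
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


class Http2AbuseMonitor:
    """Flag two abuse patterns on a single client connection.

    continuation_flood: a header block (HEADERS + CONTINUATION*) that never
      carries END_HEADERS keeps growing past max_header_block bytes or
      max_continuations frames.
    rapid_reset: the client opens streams with HEADERS and cancels them with
      RST_STREAM more than reset_limit times.
    Thresholds are assumptions for this example, not lighttpd's values.
    """

    def __init__(self, max_header_block=16384, max_continuations=8, reset_limit=10):
        self.max_header_block = max_header_block
        self.max_continuations = max_continuations
        self.reset_limit = reset_limit
        self.open_block = None  # [stream_id, bytes_so_far, continuation_count]
        self.opened = set()
        self.resets = 0

    def feed(self, data: bytes) -> list:
        verdicts = []
        for ftype, flags, sid, payload in iter_frames(data):
            if self.open_block is not None and ftype != TYPE_CONTINUATION:
                # RFC 9113 s4.3: nothing may interleave an unfinished header block
                verdicts.append("protocol_error:interleaved_frame")
                self.open_block = None
            if ftype == TYPE_HEADERS:
                self.opened.add(sid)
                if not flags & FLAG_END_HEADERS:
                    self.open_block = [sid, len(payload), 0]
            elif ftype == TYPE_CONTINUATION:
                if self.open_block is None or self.open_block[0] != sid:
                    verdicts.append("protocol_error:orphan_continuation")
                    continue
                self.open_block[1] += len(payload)
                self.open_block[2] += 1
                if (self.open_block[1] > self.max_header_block
                        or self.open_block[2] > self.max_continuations):
                    verdicts.append("continuation_flood")
                    self.open_block = None
                elif flags & FLAG_END_HEADERS:
                    self.open_block = None
            elif ftype == TYPE_RST_STREAM and sid in self.opened:
                self.opened.discard(sid)
                self.resets += 1
                if self.resets == self.reset_limit + 1:
                    verdicts.append("rapid_reset")
        return verdicts


# Constructed sample traffic (not captured data). 0x82/0x86/0x84 are HPACK
# indexed-header bytes for :method GET, :scheme http, :path /.
def continuation_flood_sample(frames: int = 20) -> bytes:
    data = build_frame(TYPE_HEADERS, 0, 1, b"\x82" * 100)
    for _ in range(frames):  # CONTINUATIONs that never set END_HEADERS
        data += build_frame(TYPE_CONTINUATION, 0, 1, b"\x82" * 100)
    return data


def benign_sample() -> bytes:
    return (build_frame(TYPE_HEADERS, 0, 1, b"\x82" * 100)
            + build_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"\x86"))


def rapid_reset_sample(streams: int = 12) -> bytes:
    data = b""
    for sid in range(1, 2 * streams, 2):  # client streams are odd-numbered
        data += build_frame(TYPE_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, b"\x82\x86\x84")
        data += build_frame(TYPE_RST_STREAM, 0, sid, ERROR_CANCEL.to_bytes(4, "big"))
    return data


if __name__ == "__main__":
    for name, sample in (("flood", continuation_flood_sample()),
                         ("benign", benign_sample()),
                         ("rapid_reset", rapid_reset_sample())):
        print(name, Http2AbuseMonitor().feed(sample))
```

A real server would also bound the total header block size relative to SETTINGS_MAX_HEADER_LIST_SIZE and rate-limit resets per time window rather than per connection lifetime; the example keeps a simple count so the two patterns stay readable.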

gstrauss (gstrauss) wrote :

Requesting sponsorship and guidance from ubuntu-security-sponsors

Debian development is stalled and hideously broken on time64 transition for some 32-bit platforms, which has halted just about everything else in Debian unstable for all platforms, including 64-bit platforms.

debian/1.4.76-1 is tagged in https://salsa.debian.org/debian/lighttpd/, passes all autopkgtests, and is awaiting (eventual?) release in Debian unstable.

Please update Noble sooner, and advise on backporting to stable Ubuntu releases. Thank you.

gstrauss (gstrauss) wrote :

I should note that CVE-2022-22707 is fixed in lighttpd 1.4.64, and The Jammy Jellyfish is running lighttpd 1.4.63.

gstrauss (gstrauss) wrote :

It would also be nice if lighttpd 1.4.76 were made available in updates for The Focal Fossa and The Bionic Beaver, and even earlier Ubuntu releases if there are any still supported. (lighttpd 1.4.76 is able to run with older openssl and pcre libraries.)

Andreas Hasenack (ahasenack) wrote :

Hi @gstrauss

Sorry about your frustration with the time_t transition. It was very hard on Ubuntu due to the Noble release, and even though Debian has more time, I'm sure it's difficult for them as well.

lighttpd in Ubuntu is in the universe repository, meaning it's maintained by the community at large. That being said, we try really hard to avoid going ahead of Debian with a new upstream release, and we generally don't do that for universe packages.

I see you attached many patches to this bug, and it's a bit convoluted now. The original intent of this bug is to update to the latest upstream release. For the Ubuntu development release, I can say we will only update to a new upstream version on top of a new Debian update, i.e., if Debian updates to (say) 1.4.76, then Ubuntu can rebase on top of that. That's because, since the package is in universe, there is no specific team committed to maintaining it.

For stable releases, updating the package goes through a different mechanism. We have the SRU[1] process for such updates, and each one has to be analyzed, justified, and evaluated against those criteria. Version changes are generally frowned upon, with individual patches being preferred. There are pros and cons, and the documentation goes over them at length. If you wish to propose an SRU for lighttpd for some Ubuntu release, then that process must be followed.

I'll leave this bug open because at some point Debian will get 1.4.76 (or later), and when we rebase on top of that, we can close the bug.

Hope this helps.

1. https://wiki.ubuntu.com/StableReleaseUpdates
