lighttpd (security) ssl fix

Bug #209627 reported by stiV on 2008-03-31
This bug affects 1 person
Affects:
lighttpd (Gentoo Linux): status Fix Released; importance Low
lighttpd (Ubuntu): importance Medium; assigned to Emanuele Gentili
Dapper: importance Low; unassigned
Edgy: importance Medium; assigned to Emanuele Gentili
Feisty: importance Medium; assigned to Emanuele Gentili
Gutsy: importance Medium; assigned to Emanuele Gentili
Hardy: importance Medium; assigned to Emanuele Gentili

Bug Description

Binary package hint: lighttpd

As of yesterday, lighttpd could have gotten rid of a very nasty bug which causes SSL sessions to terminate and produce errors ...
See http://trac.lighttpd.net/trac/ticket/285 for more information.

They made the fix available for older versions too, so backporting should not be a problem.

Changed in lighttpd:
assignee: nobody → emgent
importance: Undecided → Medium
status: New → In Progress
Emanuele Gentili (emgent) wrote :
Changed in lighttpd:
status: Unknown → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.19-0ubuntu3

---------------
lighttpd (1.4.19-0ubuntu3) hardy; urgency=low

  * SECURITY UPDATE: (LP: #209627)
   + debian/patches/92_CVE-2008-1531.dpatch
    - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
      of service (active SSL connection loss) by triggering an SSL error,
      such as disconnecting before a download has finished, which causes
      all active SSL connections to be lost.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
   + http://trac.lighttpd.net/trac/changeset/2136
   + http://trac.lighttpd.net/trac/changeset/2139

 -- Emanuele Gentili <email address hidden> Sun, 06 Apr 2008 00:09:12 +0200

Changed in lighttpd:
status: In Progress → Fix Released
Changed in lighttpd:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.18-1ubuntu1.4

---------------
lighttpd (1.4.18-1ubuntu1.4) gutsy-security; urgency=low

  * SECURITY UPDATE: (LP: #209627)
   + debian/patches/91_CVE-2008-1531.dpatch
    - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
      of service (active SSL connection loss) by triggering an SSL error,
      such as disconnecting before a download has finished, which causes
      all active SSL connections to be lost.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
   + http://trac.lighttpd.net/trac/changeset/2136
   + http://trac.lighttpd.net/trac/changeset/2139

 -- Emanuele Gentili <email address hidden> Sun, 06 Apr 2008 03:39:14 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.13-9ubuntu4.6

---------------
lighttpd (1.4.13-9ubuntu4.6) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: #209627)
   + debian/patches/91_CVE-2008-1531.dpatch
    - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
      of service (active SSL connection loss) by triggering an SSL error,
      such as disconnecting before a download has finished, which causes
      all active SSL connections to be lost.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
   + http://trac.lighttpd.net/trac/changeset/2136
   + http://trac.lighttpd.net/trac/changeset/2139

 -- Emanuele Gentili <email address hidden> Sun, 06 Apr 2008 23:55:30 +0200

Changed in lighttpd:
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

lighttpd (1.4.13~r1370-1ubuntu1.7) edgy-security; urgency=low

  * SECURITY UPDATE: (LP: #209627)
   + debian/patches/91_CVE-2008-1531.dpatch
    - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
      of service (active SSL connection loss) by triggering an SSL error,
      such as disconnecting before a download has finished, which causes
      all active SSL connections to be lost.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
   + http://trac.lighttpd.net/trac/changeset/2136
   + http://trac.lighttpd.net/trac/changeset/2139

 -- Emanuele Gentili < <email address hidden> (emgent: 10144)

Saivann Carignan (oxmosys) wrote :

Dapper is not supported anymore since July 2009, therefore I mark Dapper status to invalid.

Changed in lighttpd (Ubuntu Dapper):
status: New → Invalid
Artur Rona (ari-tczew) wrote :

Dapper server support is until June 2011, so it can be fixed.

Changed in lighttpd (Ubuntu Dapper):
status: Invalid → New
Artur Rona (ari-tczew) wrote :

End Of Life.

Changed in lighttpd (Ubuntu Dapper):
status: New → Invalid
Scott Kitterman (kitterman) wrote :

Artur, you were right the first time.

Changed in lighttpd (Ubuntu Dapper):
status: Invalid → New
Artur Rona (ari-tczew) on 2010-06-10
Changed in lighttpd (Ubuntu Dapper):
assignee: nobody → Artur Rona (ari-tczew)
status: New → In Progress
Artur Rona (ari-tczew) on 2010-08-25
Changed in lighttpd (Ubuntu Dapper):
assignee: Artur Rona (ari-tczew) → nobody
Gursimran singh (simar) on 2010-08-25
Changed in lighttpd (Ubuntu Dapper):
assignee: nobody → Gursimran singh Mohar (simar)
Gursimran singh (simar) on 2010-10-28
Changed in lighttpd (Ubuntu Dapper):
importance: Undecided → Low
Changed in lighttpd (Gentoo Linux):
importance: Unknown → Low
Gursimran singh (simar) on 2011-02-07
Changed in lighttpd (Ubuntu Dapper):
assignee: Gursimran singh (simar) → nobody
Jamie Strandboge (jdstrand) wrote :

While this bug still affects Dapper, it seems clear that no one is fixing it. Marking "Won't Fix" for now. Please reopen if you are interested in providing a debdiff for lighttpd on Dapper, and the Ubuntu Security team will process it. Thanks.

Changed in lighttpd (Ubuntu Dapper):
status: In Progress → Won't Fix