lighttpd (security) ssl fix
Bug #209627 reported by stiV. This bug affects 1 person.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lighttpd (Gentoo Linux) | Fix Released | Low | |
lighttpd (Ubuntu) | Fix Released | Medium | Emanuele Gentili |
Dapper | Won't Fix | Low | Unassigned |
Edgy | Fix Released | Medium | Emanuele Gentili |
Feisty | Fix Released | Medium | Emanuele Gentili |
Gutsy | Fix Released | Medium | Emanuele Gentili |
Hardy | Fix Released | Medium | Emanuele Gentili |
Bug Description
Binary package hint: lighttpd
As of yesterday, lighttpd could have gotten rid of a very nasty bug which causes SSL sessions to terminate and produce errors ...
see http://
They made the fix available for older versions too, so backporting should not be a problem.
CVE References
Changed in lighttpd:
- assignee: nobody → emgent
- importance: Undecided → Medium
- status: New → In Progress

Changed in lighttpd:
- status: Unknown → In Progress

Changed in lighttpd:
- assignee: nobody → emgent
- importance: Undecided → Medium
- status: New → In Progress

Changed in lighttpd:
- status: In Progress → Fix Released

Changed in lighttpd:
- status: In Progress → Fix Committed
- status: In Progress → Fix Committed
- status: In Progress → Fix Committed

Changed in lighttpd:
- status: Fix Committed → Fix Released

Changed in lighttpd (Ubuntu Dapper):
- assignee: nobody → Artur Rona (ari-tczew)
- status: New → In Progress

Changed in lighttpd (Ubuntu Dapper):
- assignee: Artur Rona (ari-tczew) → nobody

Changed in lighttpd (Ubuntu Dapper):
- assignee: nobody → Gursimran singh Mohar (simar)

Changed in lighttpd (Ubuntu Dapper):
- importance: Undecided → Low

Changed in lighttpd (Gentoo Linux):
- importance: Unknown → Low

Changed in lighttpd (Ubuntu Dapper):
- assignee: Gursimran singh (simar) → nobody
lighttpd-1.4.19 and earlier contain a bug which can be exploited by a malicious user to forcefully close foreign SSL connections.
To exploit this, the server has to have SSL support enabled and the attacker has to trigger an SSL error on his own connection (connecting and disconnecting before the download has finished is enough).
Original ticket: http://trac.lighttpd.net/trac/ticket/285#comment:19
Fix: http://trac.lighttpd.net/trac/changeset/2136
lighttpd-1.4.19 was supposed to fix the problem, but the fix did not work as expected, so it is still vulnerable.
The damage which can be caused by this bug is rather low, I'd say: firstly, users can simply reconnect after their connection has been killed, and secondly, it is hard for an attacker to meet the exact point in time to crash a user's connection; it is mostly a problem when there are longer-pending connections such as downloads or keepalive.