new lighttpd security fixes

Bug #279490 reported by fago on 2008-10-07
This bug report is a duplicate of: Bug #209627: lighttpd (security) ssl fix.
This bug affects 1 person
Affects              Status   Importance  Assigned to  Milestone
lighttpd (Ubuntu)             Undecided   Unassigned
Dapper                        Undecided   Unassigned
Gutsy                         Undecided   Unassigned
Hardy                         Undecided   Unassigned
Intrepid                      Undecided   Unassigned
Jaunty                        Undecided   Unassigned

Bug Description

Binary package hint: lighttpd

lighttpd 1.4.20 was just released, containing 4 security fixes. See http://www.lighttpd.net/2008/9/30/1-4-20-Otherwise-the-terrorists-win

goto (gotolaunchpad) wrote :

CVE-2008-1531 has been fixed again
the other three aren't tracked with CVE

all four security fixes have patches against 1.4.19 alternatively.
they don't seem to be integrated yet.

fago (fago) wrote :

Any news on this?

fago (fago) wrote :

I'm unsetting this from being a duplicate of #209627

The other issue #209627 has been fixed on 2008-04-18, but the new issues are from September 30th, 2008 and still unfixed!

Marc Deslauriers (mdeslaur) wrote :

The new issues are the following CVEs:
- CVE-2008-4298
- CVE-2008-4359
- CVE-2008-4360

Changed in lighttpd:
status: New → Confirmed
Marcin Gibula (m-gibula) wrote :

These bugs are already fixed in Debian packages. Is there any ETA on that? Hardy's package still seems to be affected.

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityUpdateProcedures

Marcin Gibula (m-gibula) wrote :

I'm attaching debdiff for patched lighttpd package.

P.S. It's my first patch for .deb package so please tell me if there's anything wrong with it.

Jamie Strandboge (jdstrand) wrote :

1.4.19-5 is not affected.

Changed in lighttpd:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Marking Hardy task as 'In Progress' according to https://wiki.ubuntu.com/SecurityUpdateProcedures.

Changed in lighttpd:
status: Confirmed → In Progress
Kees Cook (kees) wrote :

@Marcin: the patch looks pretty good. Normally we explicitly describe the changes being made after the 'SECURITY UPDATE:' part of the changelog. Have you tested this package on hardy (does it continue to serve pages correctly, for example)?

Changed in lighttpd:
status: In Progress → Incomplete
Marcin Gibula (m-gibula) wrote :

Hi,
I'm attaching new version of debdiff. Two changes there:

- Added brief notes about what's being fixed (if it's too short I can write something longer)
- Removed fix for CVE-2008-4359 from the patch list (patch is still there, it's just not applied) - it's known to cause regressions and it has been removed from the vanilla lighttpd tree (http://redmine.lighttpd.net/issues/show/1720). I think it's better to leave it as is, rather than break working configurations.

And yes, I've tested it, it compiles and seems to be working.

Jamie Strandboge (jdstrand) wrote :

Marking Hardy task as 'In Progress' according to https://wiki.ubuntu.com/SecurityUpdateProcedures. Please when submitting debdiffs, mark the corresponding task as 'In Progress'. This will help the security team track patches.

Changed in lighttpd:
status: Incomplete → In Progress
Jamie Strandboge (jdstrand) wrote :

Marcin,

Thanks for your debdiff! I have uploaded the package to the security ppa, with two changes:
1. the version did not comply with https://wiki.ubuntu.com/SecurityUpdateProcedures, so I changed it
2. I removed the unapplied patch for CVE-2008-4359 to avoid confusion in the future.

Changed in lighttpd:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.19-0ubuntu3.1

---------------
lighttpd (1.4.19-0ubuntu3.1) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #279490)
   + debian/patches/93_CVE-2008-4298.dpatch
    - Fix memory leak in request header handling
   + debian/patches/95_CVE-2008-4360.dpatch
    - Fix mod_userdir information disclosure
  * References
   + https://bugs.launchpad.net/bugs/cve/2008-4298
   + https://bugs.launchpad.net/bugs/cve/2008-4360

 -- Marcin Gibula <email address hidden> Wed, 04 Mar 2009 13:42:05 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life - http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the Gutsy task.

Changed in lighttpd (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in lighttpd (Ubuntu Intrepid):
status: Confirmed → Invalid
Artur Rona (ari-tczew) wrote :

Dapper Drake 6.06 reached End Of Life. Feel free to reopen, if you are affected by this bug.

Changed in lighttpd (Ubuntu Dapper):
status: Confirmed → Invalid
Scott Kitterman (kitterman) wrote :

Not for servers it isn't.

Changed in lighttpd (Ubuntu Dapper):
status: Invalid → Confirmed
This report contains Public Security information.