New upstream 1.4.26, fixes CVE-2010-0295

Bug #521659 reported by Stefan Bühler on 2010-02-14
Affects              Status  Importance  Assigned to        Milestone
lighttpd (Ubuntu)            High        Andres Rodriguez
Hardy                        Undecided   Unassigned
Jaunty                       Undecided   Unassigned
Karmic                       Undecided   Unassigned

Bug Description

Binary package hint: lighttpd

New upstream package available, fixes an OOM/DoS vulnerability

- http://www.lighttpd.net/2010/2/7/1-4-26-chinese-dragon
- http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt

I think it is a shame that neither the Ubuntu Security Team nor the ubuntu lighttpd maintainers saw this.

visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in lighttpd (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Rodrigo Campos (rodrigocc) wrote :

I've built lighttpd 1.4.26 from debian in karmic and published it in this ppa in case someone else needs it too:

https://edge.launchpad.net/~rodrigocc/+archive/lighttpd

I think you can find the debdiff there too.

Thanks a lot,
Rodrigo

Jamie Strandboge (jdstrand) wrote :

Rodrigo, that debdiff cannot be used because the current version of lighttpd in Ubuntu 9.10 (Karmic) is 1.4.22-1ubuntu4. The security fixes need to be backported to this version (see https://wiki.ubuntu.com/StableReleaseUpdates for details on this policy).

On Mon, Mar 01, 2010 at 02:24:58PM -0000, Jamie Strandboge wrote:
> Rodrigo, that debdiff cannot be used because the current version of
> lighttpd in Ubuntu 9.10 (Karmic) is 1.4.22-1ubuntu4. The security fixes
> need to be backported to this version (see
> https://wiki.ubuntu.com/StableReleaseUpdates for details on this
> policy).

Ohh, makes sense.

I'm not sure I will try to backport it since I'm not sure I'm going to have time
during the weekend and, also, I don't need 1.4.22-1ubuntu4 + the oom fix. I need
1.4.26 (or to backport more fixes). But I will try to look at it :)

Thanks a lot,
Rodrigo

Adrian Almenar (aalmenar) wrote :

This should be updated from debian testing since it has a real security bug.

Daniel Hahler (blueyed) on 2010-03-07
Changed in lighttpd (Ubuntu):
status: Confirmed → Triaged
importance: Medium → High
Changed in lighttpd (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Andres Rodriguez (andreserl)
Andres Rodriguez (andreserl) wrote :

I'm currently working on merging lighttpd 1.4.26 from debian. Once I'm finished and it gets accepted into Ubuntu I'll request the backport.

Cheers

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.26-1.1ubuntu1

---------------
lighttpd (1.4.26-1.1ubuntu1) lucid; urgency=low

  * Merge from debian unstable (LP: #407722). Remaining changes:
    - debian/control: libgamin-dev rather than libfam-dev to fix startup
      warning.
    - debian/init.d: clean environment; Check syntax during start/reload
      restart/force-reload.
    - debian/index.html: s/Debian/Ubuntu/g branding on the default page.
    - Added a UFW profile set:
      + debian/lighttpd.dirs: added etc/ufw/applications.d
      + debian/rules: install the ufw profile.
      + debian/control: Suggests on ufw.
    - Add lighttpd-dev package:
      + debian/control: Added lighttpd-dev package; Build-depends on
        automake, libtool
      + debian/lighttpd-dev.install: Added.
  * debian/control: debhelper Build-depends bumped to (>= 7.0.50) for
    overrides in rules file.
  * debian/rules:
    - Add override_dh_installinit to set "defaults 91 09" to not start
      before apache2 but in the same runlevel with the same priority.
  * debian/patches/build-dev-package.patch: Updated
  * Also closes: (LP: #521659, LP: #523682)

lighttpd (1.4.26-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * Apply upstream patch to fix openssl (closes: #572031)

lighttpd (1.4.26-1) unstable; urgency=low

  * New upstream release (closes: #568735)
  * Use provided patch from Andres Rodriguez <email address hidden>
    to implement status action in init.d script (closes: #539955)

lighttpd (1.4.25-2) unstable; urgency=low

  * Change behaviour of use-ipv6.pl script (closes: #560837)

lighttpd (1.4.25-1) unstable; urgency=low

  * New upstream release (closes: #558045)
  * debian/watch: updated
  * debian/control: Section field changed to web

lighttpd (1.4.24-1) unstable; urgency=low

  * New upstream release (closes: #530892) (closes: #538135) (closes: #482601)
    (closes: #541428)
  * debian/control:
   + Standards-Version: 3.8.3
  * debian/init.d renamed to debian/lighttpd.init
  * Added $syslog to LSB header in init script (closes: #545576)
    (Jeremy Lal <email address hidden>)
  * debian/init.d: force-reload moved to reload section (closes: #538661)
    (Peter Eisentraut <email address hidden>)

lighttpd (1.4.23-3) unstable; urgency=low

  * debian/rules: make sure that scripts have proper rights
   (closes: #536668), (closes: #536681), (closes: #536688) (closes: #536668)

lighttpd (1.4.23-2) unstable; urgency=low

  * Add lighttpd.docs with README & NEWS file
  * New upstream closes wishlist bugs (closes: #535065) (closes: #515777)

lighttpd (1.4.23-1) unstable; urgency=low

  * New upstream release
  * spawn-fcgi is now separate package, recommends it debian/control
  * Update Standards-Version to 3.8.2 without changes
  * Remove cdbs, patchutils from Build-Depends, debian/rules uses
    debhelper 7 scripts
  * lighttpd.logrotate apply patch (closes: #535523)
    from Ubuntu (Daniel Hahler, https://launchpad.net/bugs/393792)
 -- Andres Rodriguez <email address hidden> Sat, 27 Mar 2010 15:53:32 -0400

Changed in lighttpd (Ubuntu):
status: In Progress → Fix Released
Artur Rona (ari-tczew) wrote :

Jaunty is End Of Life.

Changed in lighttpd (Ubuntu Jaunty):
status: New → Won't Fix

The package is missing from Hardy 8.04.x, which means all servers running lighttpd and installing updates are still not secure.

Scott Kitterman (kitterman) wrote :

Wontfix for Karmic due to EOL. Looks like it just needs fixing in Hardy

Changed in lighttpd (Ubuntu Karmic):
status: New → Won't Fix

Scott,

What is the ETA for a new Hardy package? Days, weeks, months? Thanks for any help you can give.

Regards.

Scott Kitterman (kitterman) wrote :

It needs someone to volunteer to work on it.

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in lighttpd (Ubuntu Hardy):
status: New → Won't Fix