New upstream 1.4.26, fixes CVE-2010-0295

Bug #521659 reported by Stefan Bühler
Affects             Status        Importance  Assigned to       Milestone
lighttpd (Ubuntu)   Fix Released  High        Andres Rodriguez
Hardy               Won't Fix     Undecided   Unassigned
Jaunty              Won't Fix     Undecided   Unassigned
Karmic              Won't Fix     Undecided   Unassigned

Bug Description

Binary package hint: lighttpd

New upstream package available, fixes an OOM/DoS vulnerability

- http://www.lighttpd.net/2010/2/7/1-4-26-chinese-dragon
- http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt

I think it is a shame that neither the Ubuntu Security Team nor the ubuntu lighttpd maintainers saw this.

visibility: private → public
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in lighttpd (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Rodrigo Campos (rodrigocc) wrote :

I've built lighttpd 1.4.26 from debian in karmic and published it in this ppa in case someone else needs it too:

https://edge.launchpad.net/~rodrigocc/+archive/lighttpd

I think you can find the debdiff there too.

Thanks a lot,
Rodrigo

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Rodrigo, that debdiff cannot be used because the current version of lighttpd in Ubuntu 9.10 (Karmic) is 1.4.22-1ubuntu4. The security fixes need to be backported to this version (see https://wiki.ubuntu.com/StableReleaseUpdates for details on this policy).

Revision history for this message
Rodrigo Campos (rodrigocc) wrote : Re: [Bug 521659] Re: New upstream 1.4.26, fixes CVE-2010-0295

On Mon, Mar 01, 2010 at 02:24:58PM -0000, Jamie Strandboge wrote:
> Rodrigo, that debdiff cannot be used because the current version of
> lighttpd in Ubuntu 9.10 (Karmic) is 1.4.22-1ubuntu4. The security fixes
> need to be backported to this version (see
> https://wiki.ubuntu.com/StableReleaseUpdates for details on this
> policy).

Ohh, makes sense.

I'm not sure I will try to backport it since I'm not sure I'm going to have time
during the weekend and, also, I don't need 1.4.22-1ubuntu4 + the oom fix. I need
1.4.26 (or to backport more fixes). But I will try to look at it :)

Thanks a lot,
Rodrigo

Revision history for this message
Adrian Almenar (aalmenar) wrote :

This should be updated from debian testing since it has a real security bug.

Daniel Hahler (blueyed)
Changed in lighttpd (Ubuntu):
status: Confirmed → Triaged
importance: Medium → High
Changed in lighttpd (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Andres Rodriguez (andreserl)
Revision history for this message
Andres Rodriguez (andreserl) wrote :

I'm currently working on merging lighttpd 1.4.26 from debian. Once I'm finished and it gets accepted into Ubuntu I'll request the backport.

Cheers

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.26-1.1ubuntu1

---------------
lighttpd (1.4.26-1.1ubuntu1) lucid; urgency=low

  * Merge from debian unstable (LP: #407722). Remaining changes:
    - debian/control: libgamin-dev rather than libfam-dev to fix startup
      warning.
    - debian/init.d: clean environment; Check syntax during start/reload
      restart/force-reload.
    - debian/index.html: s/Debian/Ubuntu/g branding on the default page.
    - Added a UFW profile set:
      + debian/lighttpd.dirs: added etc/ufw/applications.d
      + debian/rules: install the ufw profile.
      + debian/control: Suggests on ufw.
    - Add lighttpd-dev package:
      + debian/control: Added lighttpd-dev package; Build-depends on
        automake, libtool
      + debian/lighttpd-dev.install: Added.
  * debian/control: debhelper Build-depends bumped to (>= 7.0.50) for
    overrides in rules file.
  * debian/rules:
    - Add override_dh_installinit to set "defaults 91 09" to not start
      before apache2 but in the same runlevel with the same priority.
  * debian/patches/build-dev-package.patch: Updated
  * Also closes: (LP: #521659, LP: #523682)

lighttpd (1.4.26-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * Apply upstream patch to fix openssl (closes: #572031)

lighttpd (1.4.26-1) unstable; urgency=low

  * New upstream release (closes: #568735)
  * Use provided patch from Andres Rodriguez <email address hidden>
    to implement status action in init.d script (closes: #539955)

lighttpd (1.4.25-2) unstable; urgency=low

  * Change behaviour of use-ipv6.pl script (closes: #560837)

lighttpd (1.4.25-1) unstable; urgency=low

  * New upstream release (closes: #558045)
  * debian/watch: updated
  * debian/control: Section field changed to web

lighttpd (1.4.24-1) unstable; urgency=low

  * New upstream release (closes: #530892) (closes: #538135) (closes: #482601)
    (closes: #541428)
  * debian/control:
   + Standards-Version: 3.8.3
  * debian/init.d renamed to debian/lighttpd.init
  * Added $syslog to LSB header in init script (closes: #545576)
    (Jeremy Lal <email address hidden>)
  * debian/init.d: force-reload moved to reload section (closes: #538661)
    (Peter Eisentraut <email address hidden>)

lighttpd (1.4.23-3) unstable; urgency=low

  * debian/rules: make sure that scripts have proper rights
   (closes: #536668), (closes: #536681), (closes: #536688) (closes: #536668)

lighttpd (1.4.23-2) unstable; urgency=low

  * Add lighttpd.docs with README & NEWS file
  * New upstream closes wishlist bugs (closes: #535065) (closes: #515777)

lighttpd (1.4.23-1) unstable; urgency=low

  * New upstream release
  * spawn-fcgi is now separate package, recommends it debian/control
  * Update Standards-Version to 3.8.2 without changes
  * Remove cdbs, patchutils from Build-Depends, debian/rules uses
    debhelper 7 scripts
  * lighttpd.logrotate apply patch (closes: #535523)
    from Ubuntu (Daniel Hahler, https://launchpad.net/bugs/393792)
 -- Andres Rodriguez <email address hidden> Sat, 27 Mar 2010 15:53:32 -0400

Changed in lighttpd (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Artur Rona (ari-tczew) wrote :

Jaunty is End Of Life.

Changed in lighttpd (Ubuntu Jaunty):
status: New → Won't Fix
Revision history for this message
xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote :

The package is missing from Hardy 8.04.x, which means all servers running lighttpd and installing updates are still not secure.

Revision history for this message
Scott Kitterman (kitterman) wrote :

Won't Fix for Karmic due to EOL. Looks like it just needs fixing in Hardy.

Changed in lighttpd (Ubuntu Karmic):
status: New → Won't Fix
Revision history for this message
xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote :

Scott,

What is the ETA for a new Hardy package? Days, weeks, months? Thanks for any help you can give.

Regards.

Revision history for this message
Scott Kitterman (kitterman) wrote :

It needs someone to volunteer to work on it.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in lighttpd (Ubuntu Hardy):
status: New → Won't Fix