CVE-2011-4362 DoS because of incorrect code in src/http_auth.c:67
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| lighttpd (Debian) | Fix Released | Unknown | | |
| lighttpd (Ubuntu) | | Undecided | Unassigned | |
| Lucid | | Medium | Unassigned | |
| Maverick | | Medium | Unassigned | |
| Natty | | Medium | Unassigned | |
| Oneiric | | Medium | Unassigned | |
| Precise | | Undecided | Unassigned | |
Bug Description
affects ubuntu/lighttpd
assignee udienz
status inprogress
security yes
private no
done
Description
DoS because of incorrect code in src/http_auth.c:67
References
http://
http://
Bugs
http://
Patches:
http://
visibility: | private → public |
Mahyuddin Susanto (udienz) wrote : Re: [Bug 906792] Re: CVE-2011-4362 DoS because of incorrect code in src/http_auth.c:67 | #1 |
Changed in lighttpd (Ubuntu): | |
assignee: | Mahyuddin Susanto (udienz) → nobody |
status: | In Progress → New |
Changed in lighttpd (Debian): | |
status: | Unknown → Fix Committed |
Changed in lighttpd (Ubuntu Lucid): | |
status: | New → Confirmed |
Changed in lighttpd (Ubuntu Maverick): | |
status: | New → Confirmed |
Changed in lighttpd (Ubuntu Natty): | |
status: | New → Confirmed |
Changed in lighttpd (Ubuntu Oneiric): | |
status: | New → Confirmed |
Changed in lighttpd (Ubuntu Precise): | |
status: | New → Confirmed |
Jamie Strandboge (jdstrand) wrote : | #2 |
Thanks for the debdiffs! Unfortunately, they do not apply (patching the series file fails on each). That was easy enough to fix and I reviewed the debdiffs against the upstream changes and they seem ok, so I am going to upload after fixing up the debdiff. How did you generate these? Did you test the patched packages? Also the upstream patches included updating the testsuite. It would have been best to integrate that into your patch.
Since the testsuite is enabled in the build, and it passes for all releases, between the simplicity of the patch and the in-build test suite, I'll upload.
Launchpad Janitor (janitor) wrote : | #3 |
This bug was fixed in the package lighttpd - 1.4.28-2ubuntu4
---------------
lighttpd (1.4.28-2ubuntu4) precise; urgency=low
* debian/
src/
- CVE-2011-4362
-- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:32:22 +0700
Changed in lighttpd (Ubuntu Precise): | |
status: | Confirmed → Fix Released |
Jamie Strandboge (jdstrand) wrote : | #4 |
Uploaded to the security ppa. Unsubscribing ubuntu-
Changed in lighttpd (Ubuntu Lucid): | |
status: | Confirmed → Fix Committed |
importance: | Undecided → Medium |
Changed in lighttpd (Ubuntu Maverick): | |
status: | Confirmed → Fix Committed |
importance: | Undecided → Medium |
Changed in lighttpd (Ubuntu Natty): | |
status: | Confirmed → Fix Committed |
importance: | Undecided → Medium |
Changed in lighttpd (Ubuntu Oneiric): | |
status: | Confirmed → Fix Committed |
importance: | Undecided → Medium |
Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package lighttpd - 1.4.28-2ubuntu2.1
---------------
lighttpd (1.4.28-2ubuntu2.1) oneiric-security; urgency=low
* SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
(LP: #906792)
- debian/
- CVE-2011-4362
-- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:36:39 +0700
Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package lighttpd - 1.4.28-2ubuntu1.1
---------------
lighttpd (1.4.28-2ubuntu1.1) natty-security; urgency=low
* SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
(LP: #906792)
- debian/
- CVE-2011-4362
-- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:36:09 +0700
Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package lighttpd - 1.4.26-3ubuntu2.1
---------------
lighttpd (1.4.26-3ubuntu2.1) maverick-security; urgency=low
* SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
(LP: #906792)
- debian/
- CVE-2011-4362
-- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:35:38 +0700
Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package lighttpd - 1.4.26-1.1ubuntu3.1
---------------
lighttpd (1.4.26-
* SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
(LP: #906792)
- debian/
- CVE-2011-4362
-- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:34:44 +0700
Changed in lighttpd (Ubuntu Lucid): | |
status: | Fix Committed → Fix Released |
Changed in lighttpd (Ubuntu Maverick): | |
status: | Fix Committed → Fix Released |
Changed in lighttpd (Ubuntu Natty): | |
status: | Fix Committed → Fix Released |
Changed in lighttpd (Ubuntu Oneiric): | |
status: | Fix Committed → Fix Released |
Changed in lighttpd (Debian): | |
status: | Fix Committed → Fix Released |
status new
assignee nobody
subscribe ubuntu-security-sponsors
tag patch
done
On 12/20/2011 04:40 PM, Mahyuddin Susanto wrote:
> ** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4362
>
Attached debdiff for lucid, maverick, natty, oneiric and precise
--
Mahyuddin Susanto