CVE-2011-4362 DoS because of incorrect code in src/http_auth.c:67

Bug #906792 reported by Mahyuddin Susanto on 2011-12-20
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lighttpd (Debian)
Fix Released
Unknown
lighttpd (Ubuntu)
Undecided
Unassigned
Lucid
Medium
Unassigned
Maverick
Medium
Unassigned
Natty
Medium
Unassigned
Oneiric
Medium
Unassigned
Precise
Undecided
Unassigned

Bug Description

 affects ubuntu/lighttpd
 assignee udienz
 status inprogress
 security yes
 private no
 done

Description
DoS because of incorrect code in src/http_auth.c:67

References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4362
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt

Bugs
http://redmine.lighttpd.net/issues/2370

Patches:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt

visibility: private → public

 status new
 assignee nobody
 subscribe ubuntu-security-sponsors
 tag patch
 done

On 12/20/2011 04:40 PM, Mahyuddin Susanto wrote:
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2011-4362
>

Attached debdiff for lucid, maverick, natty, oneiric and precise
--
Mahyuddin Susanto

Changed in lighttpd (Ubuntu):
assignee: Mahyuddin Susanto (udienz) → nobody
status: In Progress → New
Changed in lighttpd (Debian):
status: Unknown → Fix Committed
Changed in lighttpd (Ubuntu Lucid):
status: New → Confirmed
Changed in lighttpd (Ubuntu Maverick):
status: New → Confirmed
Changed in lighttpd (Ubuntu Natty):
status: New → Confirmed
Changed in lighttpd (Ubuntu Oneiric):
status: New → Confirmed
Changed in lighttpd (Ubuntu Precise):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs! Unfortunately, the do not apply (patching the series file fails on each). That was easy enough to fix and I reviewed the debdiffs against the upstream changes and they seem ok, so I am going to upload after fixing up the debdiff. How did you generate these? Did you test the patched packages? Also the upstream patches included updating the testsuite. It would have been best to integrate that into your patch.

Since the testsuite is enabled in the build, and it passes for all releases, so between the simplicity of the patch and the in build test suite, I'll upload.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.28-2ubuntu4

---------------
lighttpd (1.4.28-2ubuntu4) precise; urgency=low

  * debian/patches/CVE-2011-4362.patch: Fix DoS because of incorrect code in
    src/http_auth.c:67 (LP: #906792)
    - CVE-2011-4362
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:32:22 +0700

Changed in lighttpd (Ubuntu Precise):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Uploaded to the security ppa. Unsubscribing ubuntu-security-sponsors.

Changed in lighttpd (Ubuntu Lucid):
status: Confirmed → Fix Committed
importance: Undecided → Medium
Changed in lighttpd (Ubuntu Maverick):
status: Confirmed → Fix Committed
importance: Undecided → Medium
Changed in lighttpd (Ubuntu Natty):
status: Confirmed → Fix Committed
importance: Undecided → Medium
Changed in lighttpd (Ubuntu Oneiric):
status: Confirmed → Fix Committed
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.28-2ubuntu2.1

---------------
lighttpd (1.4.28-2ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
    (LP: #906792)
    - debian/patches/CVE-2011-4362.patch: patch derived from upstream
    - CVE-2011-4362
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:36:39 +0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.28-2ubuntu1.1

---------------
lighttpd (1.4.28-2ubuntu1.1) natty-security; urgency=low

  * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
    (LP: #906792)
    - debian/patches/CVE-2011-4362.patch: patch derived from upstream
    - CVE-2011-4362
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:36:09 +0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.26-3ubuntu2.1

---------------
lighttpd (1.4.26-3ubuntu2.1) maverick-security; urgency=low

  * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
    (LP: #906792)
    - debian/patches/CVE-2011-4362.patch: patch derived from upstream
    - CVE-2011-4362
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:35:38 +0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.26-1.1ubuntu3.1

---------------
lighttpd (1.4.26-1.1ubuntu3.1) lucid-security; urgency=low

  * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
    (LP: #906792)
    - debian/patches/CVE-2011-4362.patch: patch derived from upstream
    - CVE-2011-4362
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:34:44 +0700

Changed in lighttpd (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in lighttpd (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in lighttpd (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in lighttpd (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Changed in lighttpd (Debian):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.