Bug #906792 “CVE-2011-4362 DoS because of incorrect code in src/...” : Bugs : lighttpd package : Ubuntu

Mahyuddin Susanto (udienz) on 2011-12-20

visibility:

private → public

Mahyuddin Susanto (udienz) wrote on 2011-12-20: Re: [Bug 906792] Re: CVE-2011-4362 DoS because of incorrect code in src/http_auth.c:67

#1

lighttpd_lucid-security.debdiff Edit (1.7 KiB, text/plain; name="lighttpd_lucid-security.debdiff")
lighttpd_maverick-security.debdiff Edit (2.1 KiB, text/plain; name="lighttpd_maverick-security.debdiff")
lighttpd_natty-security.debdiff Edit (2.0 KiB, text/plain; name="lighttpd_natty-security.debdiff")
lighttpd_oneiric-security.debdiff Edit (2.0 KiB, text/plain; name="lighttpd_oneiric-security.debdiff")
lighttpd_precise.debdiff Edit (1.9 KiB, text/plain; name="lighttpd_precise.debdiff")

status new
assignee nobody
subscribe ubuntu-security-sponsors
tag patch
done

On 12/20/2011 04:40 PM, Mahyuddin Susanto wrote:
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2011-4362
>

Attached debdiff for lucid, maverick, natty, oneiric and precise
--
Mahyuddin Susanto

Changed in lighttpd (Ubuntu):
assignee:	Mahyuddin Susanto (udienz) → nobody
status:	In Progress → New

Bug Watch Updater (bug-watch-updater) on 2011-12-20

Changed in lighttpd (Debian):
status:	Unknown → Fix Committed

Jamie Strandboge (jdstrand) on 2011-12-20

Changed in lighttpd (Ubuntu Lucid):
status:	New → Confirmed
Changed in lighttpd (Ubuntu Maverick):
status:	New → Confirmed
Changed in lighttpd (Ubuntu Natty):
status:	New → Confirmed
Changed in lighttpd (Ubuntu Oneiric):
status:	New → Confirmed
Changed in lighttpd (Ubuntu Precise):
status:	New → Confirmed

Jamie Strandboge (jdstrand) wrote on 2011-12-20:

#2

Thanks for the debdiffs! Unfortunately, the do not apply (patching the series file fails on each). That was easy enough to fix and I reviewed the debdiffs against the upstream changes and they seem ok, so I am going to upload after fixing up the debdiff. How did you generate these? Did you test the patched packages? Also the upstream patches included updating the testsuite. It would have been best to integrate that into your patch.

Since the testsuite is enabled in the build, and it passes for all releases, so between the simplicity of the patch and the in build test suite, I'll upload.

Launchpad Janitor (janitor) wrote on 2011-12-20:

#3

This bug was fixed in the package lighttpd - 1.4.28-2ubuntu4

---------------
lighttpd (1.4.28-2ubuntu4) precise; urgency=low

  * debian/patches/CVE-2011-4362.patch: Fix DoS because of incorrect code in
    src/http_auth.c:67 (LP: #906792)
    - CVE-2011-4362
-- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:32:22 +0700

Changed in lighttpd (Ubuntu Precise):
status:	Confirmed → Fix Released

Jamie Strandboge (jdstrand) wrote on 2011-12-20:

#4

Uploaded to the security ppa. Unsubscribing ubuntu-security-sponsors.

Changed in lighttpd (Ubuntu Lucid):
status:	Confirmed → Fix Committed
importance:	Undecided → Medium
Changed in lighttpd (Ubuntu Maverick):
status:	Confirmed → Fix Committed
importance:	Undecided → Medium
Changed in lighttpd (Ubuntu Natty):
status:	Confirmed → Fix Committed
importance:	Undecided → Medium
Changed in lighttpd (Ubuntu Oneiric):
status:	Confirmed → Fix Committed
importance:	Undecided → Medium

Launchpad Janitor (janitor) wrote on 2011-12-20:

#5

This bug was fixed in the package lighttpd - 1.4.28-2ubuntu2.1

---------------
lighttpd (1.4.28-2ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
    (LP: #906792)
    - debian/patches/CVE-2011-4362.patch: patch derived from upstream
    - CVE-2011-4362
-- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:36:39 +0700

Launchpad Janitor (janitor) wrote on 2011-12-20:

#6

This bug was fixed in the package lighttpd - 1.4.28-2ubuntu1.1

---------------
lighttpd (1.4.28-2ubuntu1.1) natty-security; urgency=low

  * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
    (LP: #906792)
    - debian/patches/CVE-2011-4362.patch: patch derived from upstream
    - CVE-2011-4362
-- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:36:09 +0700

Launchpad Janitor (janitor) wrote on 2011-12-20:

#7

This bug was fixed in the package lighttpd - 1.4.26-3ubuntu2.1

---------------
lighttpd (1.4.26-3ubuntu2.1) maverick-security; urgency=low

  * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
    (LP: #906792)
    - debian/patches/CVE-2011-4362.patch: patch derived from upstream
    - CVE-2011-4362
-- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:35:38 +0700

Launchpad Janitor (janitor) wrote on 2011-12-20:

#8

This bug was fixed in the package lighttpd - 1.4.26-1.1ubuntu3.1

---------------
lighttpd (1.4.26-1.1ubuntu3.1) lucid-security; urgency=low

  * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
    (LP: #906792)
    - debian/patches/CVE-2011-4362.patch: patch derived from upstream
    - CVE-2011-4362
-- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:34:44 +0700

Changed in lighttpd (Ubuntu Lucid):
status:	Fix Committed → Fix Released
Changed in lighttpd (Ubuntu Maverick):
status:	Fix Committed → Fix Released
Changed in lighttpd (Ubuntu Natty):
status:	Fix Committed → Fix Released
Changed in lighttpd (Ubuntu Oneiric):
status:	Fix Committed → Fix Released

Bug Watch Updater (bug-watch-updater) on 2011-12-21

Changed in lighttpd (Debian):
status:	Fix Committed → Fix Released

Ubuntu
lighttpd package

CVE-2011-4362 DoS because of incorrect code in src/http_auth.c:67

Bug Description

Related branches

CVE References

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntulighttpd package

CVE-2011-4362 DoS because of incorrect code in src/http_auth.c:67

Bug Description

Related branches

CVE References

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
lighttpd package