CVE-2011-4362 DoS because of incorrect code in src/http_auth.c:67

 status new
 assignee nobody
 subscribe ubuntu-security-sponsors
 tag patch
 done

On 12/20/2011 04:40 PM, Mahyuddin Susanto wrote:
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2011-4362
>

Attached debdiff for lucid, maverick, natty, oneiric and precise
--
Mahyuddin Susanto

Thanks for the debdiffs! Unfortunately, the do not apply (patching the series file fails on each). That was easy enough to fix and I reviewed the debdiffs against the upstream changes and they seem ok, so I am going to upload after fixing up the debdiff. How did you generate these? Did you test the patched packages? Also the upstream patches included updating the testsuite. It would have been best to integrate that into your patch.

Since the testsuite is enabled in the build, and it passes for all releases, so between the simplicity of the patch and the in build test suite, I'll upload.

This bug was fixed in the package lighttpd - 1.4.28-2ubuntu4

---------------
lighttpd (1.4.28-2ubuntu4) precise; urgency=low

  * debian/patches/CVE-2011-4362.patch: Fix DoS because of incorrect code in
    src/http_auth.c:67 (LP: #906792)
    - CVE-2011-4362
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:32:22 +0700

Uploaded to the security ppa. Unsubscribing ubuntu-security-sponsors.

This bug was fixed in the package lighttpd - 1.4.28-2ubuntu2.1

---------------
lighttpd (1.4.28-2ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
    (LP: #906792)
    - debian/patches/CVE-2011-4362.patch: patch derived from upstream
    - CVE-2011-4362
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:36:39 +0700

This bug was fixed in the package lighttpd - 1.4.28-2ubuntu1.1

---------------
lighttpd (1.4.28-2ubuntu1.1) natty-security; urgency=low

  * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
    (LP: #906792)
    - debian/patches/CVE-2011-4362.patch: patch derived from upstream
    - CVE-2011-4362
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:36:09 +0700

This bug was fixed in the package lighttpd - 1.4.26-3ubuntu2.1

---------------
lighttpd (1.4.26-3ubuntu2.1) maverick-security; urgency=low

  * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
    (LP: #906792)
    - debian/patches/CVE-2011-4362.patch: patch derived from upstream
    - CVE-2011-4362
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:35:38 +0700

This bug was fixed in the package lighttpd - 1.4.26-1.1ubuntu3.1

---------------
lighttpd (1.4.26-1.1ubuntu3.1) lucid-security; urgency=low

  * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
    (LP: #906792)
    - debian/patches/CVE-2011-4362.patch: patch derived from upstream
    - CVE-2011-4362
 -- Mahyuddin Susanto <email address hidden> Tue, 20 Dec 2011 17:34:44 +0700