new lighttpd security fixes

Bug #279490 reported by fago
This bug report is a duplicate of: Bug #209627: lighttpd (security) ssl fix.
This bug affects 1 person
Affects             Status        Importance  Assigned to  Milestone
lighttpd (Ubuntu)   Fix Released  Undecided   Unassigned
  Dapper            Confirmed     Undecided   Unassigned
  Gutsy             Won't Fix     Undecided   Unassigned
  Hardy             Fix Released  Undecided   Unassigned
  Intrepid          Invalid       Undecided   Unassigned
  Jaunty            Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: lighttpd

lighttpd 1.4.20 was just released, containing 4 security fixes. See http://www.lighttpd.net/2008/9/30/1-4-20-Otherwise-the-terrorists-win

goto (gotolaunchpad) wrote :

CVE-2008-1531 has been fixed again;
the other three aren't tracked with a CVE.

All four security fixes have patches against 1.4.19 alternatively.
They don't seem to be integrated yet.

fago (fago) wrote :

Any news on this?

fago (fago) wrote :

I'm unsetting this from being a duplicate of #209627

The other issue #209627 has been fixed on 2008-04-18, but the new issues are from September 30th, 2008 and still unfixed!

Marc Deslauriers (mdeslaur) wrote :

The new issues are the following CVEs:
- CVE-2008-4298
- CVE-2008-4359
- CVE-2008-4360

Changed in lighttpd:
status: New → Confirmed
Marcin Gibula (m-gibula) wrote :

These bugs are already fixed in Debian packages. Is there any ETA on that? Hardy's package still seems to be affected.

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityUpdateProcedures

Marcin Gibula (m-gibula) wrote :

I'm attaching debdiff for patched lighttpd package.

P.S. It's my first patch for .deb package so please tell me if there's anything wrong with it.

Jamie Strandboge (jdstrand) wrote :

1.4.19-5 is not affected.

Changed in lighttpd:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Marking Hardy task as 'In Progress' according to https://wiki.ubuntu.com/SecurityUpdateProcedures.

Changed in lighttpd:
status: Confirmed → In Progress
Kees Cook (kees) wrote :

@Marcin: the patch looks pretty good. Normally we explicitly describe the changes being made after the 'SECURITY UPDATE:' part of the changelog. Have you tested this package on Hardy (does it continue to serve pages correctly, for example)?

Changed in lighttpd:
status: In Progress → Incomplete
Marcin Gibula (m-gibula) wrote :

Hi,
I'm attaching new version of debdiff. Two changes there:

- Added brief notes about what's being fixed (if it's too short I can write something longer)
- Removed fix for CVE-2008-4359 from the patch list (patch is still there, it's just not applied) - it's known to cause regressions and it has been removed from the vanilla lighttpd tree (http://redmine.lighttpd.net/issues/show/1720). I think it's better to leave it as is, rather than break working configurations.

And yes, I've tested it, it compiles and seems to be working.

Jamie Strandboge (jdstrand) wrote :

Marking Hardy task as 'In Progress' according to https://wiki.ubuntu.com/SecurityUpdateProcedures. Please when submitting debdiffs, mark the corresponding task as 'In Progress'. This will help the security team track patches.

Changed in lighttpd:
status: Incomplete → In Progress
Jamie Strandboge (jdstrand) wrote :

Marcin,

Thanks for your debdiff! I have uploaded the package to the security ppa, with two changes:
1. the version did not comply with https://wiki.ubuntu.com/SecurityUpdateProcedures, so I changed it
2. I removed the unapplied patch for CVE-2008-4359 to avoid confusion in the future.

Changed in lighttpd:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.19-0ubuntu3.1

---------------
lighttpd (1.4.19-0ubuntu3.1) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #279490)
   + debian/patches/93_CVE-2008-4298.dpatch
    - Fix memory leak in request header handling
   + debian/patches/95_CVE-2008-4360.dpatch
    - Fix mod_userdir information disclosure
  * References
   + https://bugs.launchpad.net/bugs/cve/2008-4298
   + https://bugs.launchpad.net/bugs/cve/2008-4360

 -- Marcin Gibula <email address hidden> Wed, 04 Mar 2009 13:42:05 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life - http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the Gutsy task.

Changed in lighttpd (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in lighttpd (Ubuntu Intrepid):
status: Confirmed → Invalid
Artur Rona (ari-tczew) wrote :

Dapper Drake 6.06 reached End Of Life. Feel free to reopen, if you are affected by this bug.

Changed in lighttpd (Ubuntu Dapper):
status: Confirmed → Invalid
Scott Kitterman (kitterman) wrote :

Not for servers it isn't.

Changed in lighttpd (Ubuntu Dapper):
status: Invalid → Confirmed
This report contains Public Security information.