Debian Bug report logs - #434888
Multiple vulnerabilities [CVE-2007-3946] [CVE-2007-3947] [CVE-2007-3948] [CVE-2007-3949] [CVE-2007-3950]


Package: lighttpd; Maintainer for lighttpd is Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>; Source for lighttpd is src:lighttpd.

Reported by: Adam Majer <adamm@zombino.com>

Date: Fri, 27 Jul 2007 14:15:01 UTC

Severity: critical

Tags: security

Fixed in version 1.4.16-1

Done: Pierre Habouzit <madcoder@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#434888; Package lighttpd.

Acknowledgement sent to Adam Majer <adamm@zombino.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Adam Majer <adamm@zombino.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple vulnerabilities [CVE-2007-3946] [CVE-2007-3947] [CVE-2007-3948] [CVE-2007-3949] [CVE-2007-3950]
Date: Fri, 27 Jul 2007 09:11:48 -0500
Package: lighttpd
Severity: critical
Tags: security

Upstream patches from Trac seem to be available from upstream.

From http://secunia.com/advisories/26130/

DESCRIPTION:
Some vulnerabilities have been reported in lighttpd, which can be
exploited by malicious people to bypass certain security restrictions
or cause a DoS (Denial of Service).

1) An error in the processing of HTTP headers can be exploited to
cause a DoS by sending duplicate HTTP headers with a trailing
whitespace character.

2) An error in mod_auth can be exploited to cause a DoS by sending
requests with the algorithm set to "MD5-sess" and without a cnonce.

3) An error when parsing Auth-Digest headers in mod_auth can
potentially be exploited to cause a DoS by sending multiple
whitespace characters.

4) An error exists in the mechanism that limits the number of active
connections. This can be exploited to cause a DoS.

5) An error exists in the processing of HTTP requests. This can be
exploited to access restricted files by adding a "/" to an URL.

6) An error exists in mod_scgi. This can be exploited to cause a DoS
by sending a SCGI request and closing the connection while lighttpd
processes the request.

The vulnerabilities are reported in lighttpd-1.4.15. Previous
versions may also be affected.

SOLUTION:
Fixed in the developer branch.

1) http://trac.lighttpd.net/trac/changeset/1869?format=diff&new=1869
2), 3)
http://trac.lighttpd.net/trac/changeset/1875?format=diff&new=1875
4) http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
5) http://trac.lighttpd.net/trac/changeset/1871?format=diff&new=1871
6) http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882

ORIGINAL ADVISORY:
1) http://trac.lighttpd.net/trac/ticket/1232
2, 3) http://trac.lighttpd.net/trac/changeset/1875
4) http://trac.lighttpd.net/trac/ticket/1216
5) http://trac.lighttpd.net/trac/ticket/1230
6) http://trac.lighttpd.net/trac/ticket/1263


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (5, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-rc1 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
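Items 2 and 3 of the advisory quoted above both concern the server side of HTTP Digest authentication: a request carrying algorithm=MD5-sess but no cnonce, and Authorization headers with runs of whitespace between tokens. The following is an added example, not lighttpd's mod_auth code and not the upstream fix; the credentials, nonce and header strings are constructed for the demonstration. It shows a whitespace-tolerant parser for the Digest parameter list, the RFC 2617 response computation that reads cnonce unconditionally for MD5-sess (the shape of a crash when the field is absent), and the validation a server must do before that computation so the malformed request is answered with 400 instead of taking the process down.

```python
"""Digest-auth handling for advisory items 2 and 3.
Added example; not lighttpd's mod_auth. All values are constructed."""
import hashlib
import hmac
import re

# Constructed sample values; none of them come from the bug report.
USERNAME, REALM, PASSWORD = "alice", "lighttpd", "s3cret"
NONCE, CNONCE, NC, URI = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001", "/secret/"

# One 'key = "quoted"' or 'key = token' parameter, with any whitespace around it.
_PARAM = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,+\s*|$)')


def parse_digest(header: str):
    """Parse 'Digest k=v, k="v", ...' into a dict, or None if malformed.
    Runs of spaces and tabs between tokens are accepted rather than
    tripping the parser (item 3)."""
    m = re.match(r'\s*Digest\s+', header)
    if not m:
        return None
    rest = header[m.end():].strip()
    params, pos = {}, 0
    while pos < len(rest):
        mm = _PARAM.match(rest, pos)
        if mm is None:
            return None
        key = mm.group(1).lower()
        val = mm.group(2) if mm.group(2) is not None else mm.group(3)
        if key in params:           # duplicate parameter: reject, don't guess
            return None
        params[key] = val
        pos = mm.end()
    return params or None


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(p: dict, password: str, method: str = "GET") -> str:
    """RFC 2617 3.2.2 response computation. Deliberately assumes p was
    validated first: with algorithm=MD5-sess it reads p['cnonce'] without
    checking, which is the shape of the crash item 2 describes (KeyError
    here, a NULL dereference in a C server)."""
    a1 = _md5(f"{p['username']}:{p['realm']}:{password}")
    if p.get("algorithm", "MD5").upper() == "MD5-SESS":
        a1 = _md5(f"{a1}:{p['nonce']}:{p['cnonce']}")
    a2 = _md5(f"{method}:{p['uri']}")
    if p.get("qop"):
        return _md5(f"{a1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{a2}")
    return _md5(f"{a1}:{p['nonce']}:{a2}")


def unchecked_would_crash(header: str, password: str) -> bool:
    """True if feeding the parsed header straight into digest_response
    fails on a missing field, i.e. what an unguarded server would hit."""
    p = parse_digest(header)
    if p is None:
        return False
    try:
        digest_response(p, password)
        return False
    except KeyError:
        return True


def check_digest(header: str, password: str, method: str = "GET") -> int:
    """Status the server should answer with: 400 for malformed or
    incomplete credentials, 401 for a wrong response, 200 on success.
    Every field digest_response needs is verified before it is called."""
    p = parse_digest(header)
    if p is None:
        return 400
    for k in ("username", "realm", "nonce", "uri", "response"):
        if k not in p:
            return 400
    if not re.fullmatch(r"[0-9a-fA-F]{32}", p["response"]):
        return 400
    algorithm = p.get("algorithm", "MD5").upper()
    if algorithm not in ("MD5", "MD5-SESS"):
        return 400
    qop = p.get("qop")
    if qop is not None and qop != "auth":
        return 400
    # MD5-sess folds cnonce into A1 and qop=auth needs nc and cnonce; a
    # client that omits them gets 400, not a crash (item 2).
    if algorithm == "MD5-SESS" and "cnonce" not in p:
        return 400
    if qop == "auth" and ("cnonce" not in p or "nc" not in p):
        return 400
    expected = digest_response(p, password, method)
    return 200 if hmac.compare_digest(expected, p["response"].lower()) else 401


def make_header(params: dict, sep: str = ", ") -> str:
    """Serialise params the way a client would; sep lets the caller inject
    unusual whitespace around the commas."""
    return "Digest " + sep.join(f'{k}="{v}"' for k, v in params.items())


def good_request(sep: str = ", ") -> str:
    """A valid MD5-sess / qop=auth request for the constructed credentials."""
    p = dict(username=USERNAME, realm=REALM, nonce=NONCE, uri=URI,
             algorithm="MD5-sess", qop="auth", nc=NC, cnonce=CNONCE)
    p["response"] = digest_response(p, PASSWORD)
    return make_header(p, sep)


def md5sess_without_cnonce() -> str:
    """The item 2 request: algorithm=MD5-sess but no cnonce at all."""
    p = dict(username=USERNAME, realm=REALM, nonce=NONCE, uri=URI,
             algorithm="MD5-sess", response="0" * 32)
    return make_header(p)


if __name__ == "__main__":
    print(check_digest(good_request(sep=" \t ,    "), PASSWORD))       # 200
    print(unchecked_would_crash(md5sess_without_cnonce(), PASSWORD))   # True
    print(check_digest(md5sess_without_cnonce(), PASSWORD))            # 400
```

The ordering is the point: every field the response computation dereferences is checked before the computation runs, and a parser that tolerates whitespace returns None on genuinely malformed input rather than partially filled state. The same header with and without the extra whitespace verifies identically.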



Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#434888; Package lighttpd.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.

Message #10 received at 434888@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: 434888@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#434888: Multiple vulnerabilities [CVE-2007-3946] [CVE-2007-3947] [CVE-2007-3948] [CVE-2007-3949] [CVE-2007-3950]
Date: Fri, 27 Jul 2007 15:20:31 +0100
On Fri Jul 27, 2007 at 09:11:48 -0500, Adam Majer wrote:
> Package: lighttpd
> Severity: critical
> Tags: security
> 
> Upstream patches from Trac seem to be available from upstream.

  Still waiting on CVE IDs.  I can upload without them, but I'd
 rather not ..

Steve
-- 



Reply sent to Pierre Habouzit <madcoder@debian.org>:
You have taken responsibility.

Notification sent to Adam Majer <adamm@zombino.com>:
Bug acknowledged by developer.

Message #15 received at 434888-done@bugs.debian.org:

From: Pierre Habouzit <madcoder@debian.org>
To: 434888-done@bugs.debian.org
Subject: Re: [pkg-lighttpd] Bug#434888: Multiple vulnerabilities [CVE-2007-3946] [CVE-2007-3947] [CVE-2007-3948] [CVE-2007-3949] [CVE-2007-3950]
Date: Fri, 27 Jul 2007 17:39:40 +0200
[Message part 1 (text/plain, inline)]
Version: 1.4.16-1

On Fri, Jul 27, 2007 at 09:11:48AM -0500, Adam Majer wrote:
> Package: lighttpd
> Severity: critical
> Tags: security
> 
> Upstream patches from Trac seem to be available from upstream.
> 
> From http://secunia.com/advisories/26130/
> 
> DESCRIPTION:
> Some vulnerabilities have been reported in lighttpd, which can be
> exploited by malicious people to bypass certain security restrictions
> or cause a DoS (Denial of Service).
> 
> 1) An error in the processing of HTTP headers can be exploited to
> cause a DoS by sending duplicate HTTP headers with a trailing
> whitespace character.
> 
> 2) An error in mod_auth can be exploited to cause a DoS by sending
> requests with the algorithm set to "MD5-sess" and without a cnonce.
> 
> 3) An error when parsing Auth-Digest headers in mod_auth can
> potentially be exploited to cause a DoS by sending multiple
> whitespace characters.
> 
> 4) An error exists in the mechanism that limits the number of active
> connections. This can be exploited to cause a DoS.
> 
> 5) An error exists in the processing of HTTP requests. This can be
> exploited to access restricted files by adding a "/" to an URL.
> 
> 6) An error exists in mod_scgi. This can be exploited to cause a DoS
> by sending a SCGI request and closing the connection while lighttpd
> processes the request.
> 
> The vulnerabilities are reported in lighttpd-1.4.15. Previous
> versions may also be affected.
> 
> SOLUTION:
> Fixed in the developer branch.
> 
> 1) http://trac.lighttpd.net/trac/changeset/1869?format=diff&new=1869
> 2), 3)
> http://trac.lighttpd.net/trac/changeset/1875?format=diff&new=1875
> 4) http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
> 5) http://trac.lighttpd.net/trac/changeset/1871?format=diff&new=1871
> 6) http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882
> 
> ORIGINAL ADVISORY:
> 1) http://trac.lighttpd.net/trac/ticket/1232
> 2, 3) http://trac.lighttpd.net/trac/changeset/1875
> 4) http://trac.lighttpd.net/trac/ticket/1216
> 5) http://trac.lighttpd.net/trac/ticket/1230
> 6) http://trac.lighttpd.net/trac/ticket/1263
> 
> 
> -- System Information:
> Debian Release: lenny/sid
>   APT prefers unstable
>   APT policy: (900, 'unstable'), (5, 'experimental')
> Architecture: i386 (i686)
> 
> Kernel: Linux 2.6.22-rc1 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> 
> 
> _______________________________________________
> pkg-lighttpd-maintainers mailing list
> pkg-lighttpd-maintainers@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-lighttpd-maintainers

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]
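Item 5 of the advisory quoted in the messages above is the one non-DoS entry: a file that a deny rule is supposed to hide becomes reachable by appending "/" to the URL. The following is an added example, not lighttpd's mod_access and not the upstream changeset linked in the report; the deny list, the path mapping and the request URLs are constructed. It models the bug class: a suffix deny rule evaluated against the raw request path, beside a version evaluated against the normalised path the server will actually open. It goes slightly beyond the report in that the normalised check also covers percent-encoded and dot-segment variants of the same request.

```python
"""Suffix deny rules versus trailing slashes: a model of the access-control
bypass class in advisory item 5. Added example, not lighttpd's mod_access;
the deny list and path mapping below are constructed."""
import posixpath
from urllib.parse import unquote

# Constructed deny list, the shape of lighttpd's url.access-deny = ( "~", ".inc" ):
# editor backup files and include files must never be served directly.
ACCESS_DENY = ("~", ".inc")


def denied_naive(uri_path: str) -> bool:
    """Vulnerable shape: the suffix test runs on the raw request path, so
    '/config.inc/' does not end in '.inc' and is waved through."""
    return any(uri_path.endswith(suffix) for suffix in ACCESS_DENY)


def resolve(uri_path: str) -> str:
    """Constructed stand-in for the server's physical-path mapping: decode
    percent-escapes, collapse '.', '..' and '//', drop a trailing slash.
    A server that ignores the trailing slash on a regular file serves
    '/config.inc/' as '/config.inc'."""
    path = posixpath.normpath("/" + unquote(uri_path))
    return "/" + path.lstrip("/")


def denied_hardened(uri_path: str) -> bool:
    """Assumed remediation: apply the deny list to the path the server
    will actually open, never to the raw URL."""
    return any(resolve(uri_path).endswith(suffix) for suffix in ACCESS_DENY)


def serve(uri_path: str, denied=denied_hardened):
    """Return (status, physical path) the way a request would be answered
    with the given access check in front of the file lookup."""
    if denied(uri_path):
        return 403, None
    return 200, resolve(uri_path)


if __name__ == "__main__":
    for uri in ("/config.inc", "/config.inc/", "/config%2Einc", "/index.php~"):
        print(f"{uri:16} naive={serve(uri, denied_naive)}  hardened={serve(uri)}")
```

Run stand-alone, the table shows the naive gate returning 200 with the physical path "/config.inc" for the trailing-slash request while the hardened gate returns 403 for every spelling of the same file. The general rule is the one worth keeping: any allow/deny decision has to be made on the same canonical form that the later lookup uses, otherwise every difference between the two representations is a bypass.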

Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#434888; Package lighttpd.

Acknowledgement sent to Adam Majer <adamm@zombino.com>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.

Message #20 received at 434888@bugs.debian.org:

From: Adam Majer <adamm@zombino.com>
To: 434888@bugs.debian.org
Subject: Re: Bug#434888 closed by Pierre Habouzit <madcoder@debian.org> (Re: [pkg-lighttpd] Bug#434888: Multiple vulnerabilities [CVE-2007-3946] [CVE-2007-3947] [CVE-2007-3948] [CVE-2007-3949] [CVE-2007-3950])
Date: Fri, 27 Jul 2007 15:45:29 -0500
What about Etch?


Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> #434888: Multiple vulnerabilities [CVE-2007-3946] [CVE-2007-3947] [CVE-2007-3948] [CVE-2007-3949] [CVE-2007-3950],
> which was filed against the lighttpd package.
> 
> It has been closed by Pierre Habouzit <madcoder@debian.org>.
> 
> Their explanation is attached below.  If this explanation is
> unsatisfactory and you have not received a better one in a separate
> message then please contact Pierre Habouzit <madcoder@debian.org> by replying
> to this email.
> 
> Debian bug tracking system administrator
> (administrator, Debian Bugs database)
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [pkg-lighttpd] Bug#434888: Multiple vulnerabilities [CVE-2007-3946] 
> [CVE-2007-3947] [CVE-2007-3948] [CVE-2007-3949] [CVE-2007-3950]
> From:
> Pierre Habouzit <madcoder@debian.org>
> Date:
> Fri, 27 Jul 2007 17:39:40 +0200
> To:
> 434888-done@bugs.debian.org
> 
> To:
> 434888-done@bugs.debian.org
> 
> 
> Version: 1.4.16-1
> 
> On Fri, Jul 27, 2007 at 09:11:48AM -0500, Adam Majer wrote:
>> Package: lighttpd
>> Severity: critical
>> Tags: security
>>
>> Upstream patches from Trac seem to be available from upstream.
>>
>> From http://secunia.com/advisories/26130/
>>
>> DESCRIPTION:
>> Some vulnerabilities have been reported in lighttpd, which can be
>> exploited by malicious people to bypass certain security restrictions
>> or cause a DoS (Denial of Service).
>>
>> 1) An error in the processing of HTTP headers can be exploited to
>> cause a DoS by sending duplicate HTTP headers with a trailing
>> whitespace character.
>>
>> 2) An error in mod_auth can be exploited to cause a DoS by sending
>> requests with the algorithm set to "MD5-sess" and without a cnonce.
>>
>> 3) An error when parsing Auth-Digest headers in mod_auth can
>> potentially be exploited to cause a DoS by sending multiple
>> whitespace characters.
>>
>> 4) An error exists in the mechanism that limits the number of active
>> connections. This can be exploited to cause a DoS.
>>
>> 5) An error exists in the processing of HTTP requests. This can be
>> exploited to access restricted files by adding a "/" to an URL.
>>
>> 6) An error exists in mod_scgi. This can be exploited to cause a DoS
>> by sending a SCGI request and closing the connection while lighttpd
>> processes the request.
>>
>> The vulnerabilities are reported in lighttpd-1.4.15. Previous
>> versions may also be affected.
>>
>> SOLUTION:
>> Fixed in the developer branch.
>>
>> 1) http://trac.lighttpd.net/trac/changeset/1869?format=diff&new=1869
>> 2), 3)
>> http://trac.lighttpd.net/trac/changeset/1875?format=diff&new=1875
>> 4) http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873
>> 5) http://trac.lighttpd.net/trac/changeset/1871?format=diff&new=1871
>> 6) http://trac.lighttpd.net/trac/changeset/1882?format=diff&new=1882
>>
>> ORIGINAL ADVISORY:
>> 1) http://trac.lighttpd.net/trac/ticket/1232
>> 2, 3) http://trac.lighttpd.net/trac/changeset/1875
>> 4) http://trac.lighttpd.net/trac/ticket/1216
>> 5) http://trac.lighttpd.net/trac/ticket/1230
>> 6) http://trac.lighttpd.net/trac/ticket/1263
>>
>>
>> -- System Information:
>> Debian Release: lenny/sid
>>   APT prefers unstable
>>   APT policy: (900, 'unstable'), (5, 'experimental')
>> Architecture: i386 (i686)
>>
>> Kernel: Linux 2.6.22-rc1 (SMP w/2 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/bash
>>
>>
>> _______________________________________________
>> pkg-lighttpd-maintainers mailing list
>> pkg-lighttpd-maintainers@lists.alioth.debian.org
>> http://lists.alioth.debian.org/mailman/listinfo/pkg-lighttpd-maintainers
> 




Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#434888; Package lighttpd.

Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.

Message #25 received at 434888@bugs.debian.org:

From: Pierre Habouzit <madcoder@debian.org>
To: Mailling list for pkg-lighttpd maintaining <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Cc: 434888@bugs.debian.org
Subject: Re: [pkg-lighttpd] Bug#434888: closed by Pierre Habouzit <madcoder@debian.org> (Re: Bug#434888: Multiple vulnerabilities [CVE-2007-3946] [CVE-2007-3947] [CVE-2007-3948] [CVE-2007-3949] [CVE-2007-3950])
Date: Sat, 28 Jul 2007 10:15:45 +0200
[Message part 1 (text/plain, inline)]
On Fri, Jul 27, 2007 at 03:45:29PM -0500, Adam Majer wrote:
> What about Etch?

  this was a versioned close, that affects unstable. The security team
(like you could have read at least 3 or 4 times in the BTS if you really
cared) is already working on an upload, and are waiting for the
remaining CVEs to upload.

  IOW: be patient.
-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Sep 2007 07:34:06 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 15:54:55 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.