Debian Bug report logs - #652726
CVE-2011-4362: DoS because of incorrect code in src/http_auth.c:67

version graph

Package: src:lighttpd; Maintainer for src:lighttpd is Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>;

Reported by: Mahyuddin Susanto <udienz@ubuntu.com>

Date: Tue, 20 Dec 2011 10:12:23 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Fixed in version lighttpd/1.4.30-1

Done: Arno Töll <debian@toell.net>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#652726; Package src:lighttpd. (Tue, 20 Dec 2011 10:12:26 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mahyuddin Susanto <udienz@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>.

Your message had a Version: pseudo-header with an invalid package version:

1.4.29-1, 1.4.28-2, 1.4.19-5+lenny2

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Tue, 20 Dec 2011 10:12:30 GMT) Full text and rfc822 format available.


Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Mahyuddin Susanto <udienz@ubuntu.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-4362: DoS because of incorrect code in src/http_auth.c:67
Date: Tue, 20 Dec 2011 17:10:08 +0700
Source: lighttpd
Version: 1.4.29-1, 1.4.28-2, 1.4.19-5+lenny2
Severity: grave
Tags: security upstream fixed-upstream

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

Security bug has been discovered in lighttpd:
DoS because of incorrect code in src/http_auth.c:67

This is CVE-2011-4362. Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4362
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4362
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4362

Upstream bug:
http://redmine.lighttpd.net/issues/2370

Upstream has providing patch:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt

Would you please fixed packages for lenny and squeeze?

- -- System Information:
Debian Release: wheezy/sid
  APT prefers experimental
  APT policy: (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJO8F8AAAoJELmHbrCQs2xbxrwQAJ3Po5x92JYCCEtizufW3vDr
VCYJn86vuWXrn1h501SRljbALepDijJHjMXNHPZsavs4h6IDMoLaFYBWrfS97yLy
x1QetOxraG5Oso++LGItGi477W4W7KQf8UlO6TvRDBk+ccupS9MQrQYOZRYUcLvs
owgGOoM9N/z0TxxQmL8vHZtgOUeX8inFS2absB2lfZNRX8W56sLgVDRqhODMB2a7
+HqFvQgTDELi6ccYc51bZRNMO/2vHDE4ISowXeiDavrMbpLEqUwgxnItz9Cd4epj
WW9x43+SwEEwal8NObEAyv1qyhTfNaJWuR23wbn/Fd8pXPJ/3NTmyR+JamfRDzn8
jOy6b3LUVxQEjqY3QvDHOGLgFJFn8NXSm0Xd1Wb8th9UgnTJxSka5rysOs2+OV4c
LcXGXwbNV23H7x+n3aCYsuIyczhhqPO6zjFbi0saEWjSEkxD3Mf2My2Q3LKFH+fH
sVzolQSwLfMrqgxMO/tVKpV4gqQLIl/R5x7Qe3SPKoflEBovmjTVD3bqqGeP4+6b
EUz+pxphC4ruWPbOQkcFPBT7TpAwBHxHQjMebSSeOtpoLgtRhBq1TlKKGmvSSUmL
LYo7e5zFEIEmUETkRu3WlkSp8sMybza6SHlQNLkZKdh7xfTu1MpvWURe67P7zLGj
YV58hUsZzLxO4N5Q6oY5
=g3I9
-----END PGP SIGNATURE-----




Added tag(s) pending. Request was from Arno Töll <debian@toell.net> to control@bugs.debian.org. (Tue, 20 Dec 2011 10:18:55 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#652726; Package src:lighttpd. (Tue, 20 Dec 2011 10:39:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arno Töll <debian@toell.net>:
Extra info received and forwarded to list. Copy sent to Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>. (Tue, 20 Dec 2011 10:39:14 GMT) Full text and rfc822 format available.

Message #12 received at 652726@bugs.debian.org (full text, mbox):

From: Arno Töll <debian@toell.net>
To: 652726@bugs.debian.org
Subject: Fwd: Re: Bug#652726: CVE-2011-4362: DoS because of incorrect code in src/http_auth.c:67
Date: Tue, 20 Dec 2011 11:34:35 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mahyuddin,

On 20.12.2011 11:10, Mahyuddin Susanto wrote:
> Security bug has been discovered in lighttpd:
> DoS because of incorrect code in src/http_auth.c:67

we already prepared an updated version and backported the fixes to
Stable and Oldstable. A DSA denoting updated packages is due later today.



- -- 
with kind regards, Arno Töll
IRC: daemonkeeper on Freenode/OFTC GnuPG
Key-ID: 0x9D80F36D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJO8GS7AAoJEMcrUe6dgPNtv2cQAL/mgIYzgrrvkTNrlPfxX5Oe
DFLrkM4Nnoms2ZRGq2i4tRdLconBui7G/2F3uVswxq+s6QJg/hbvAy1MGyZX1JEn
2Pr+3e4kNVTU30xYNs1L5XiS3Ut8hAPNTsGiPPTh1fQgEwur0QHMnvkz+An44T1x
LufQdRSNO0nSY/00pJL52A2gpgMLzllgNrio66ByCQhaJp/d72FzVPgxWLkMD4Jc
wfiowMZZln/ycF/rURt/UT4Q7Ruc/NWrdg15lyowbyUgEtUtGZMlo8LR8+eML9H1
Zo/qrYK+9u8fU8TOwfH2cuQRVqxiNahncNk0sYfrsZlHmNdBvFmVI3igNeolmSnF
SEJdk+SDvY3T9/WUpvNsIm2htzKyniK4Pj0OZBvtd6lHD9ElIdXo0SV9qjTqS3di
zmwpp72q/ah91oeL2YP0OB8Uya8Yrsm0Yr4tzh1P7ou2gTVJhqiTTA3ETUOb0pzD
+kHG58n2qRAcV2grJlmK0O2daRAAazqugWO+IO8o1vB5iQvJkmtUd2N0O+IOdY2y
GbsC9hXU7d3R10pq7FvhR2iwqlKFE/o9ppkNLWKQQHpGDKBCNySJ1oSDifA9lTHE
B8xo1D9SdcHDyEfnBxruBUUVSMIwY4Xm6bxCSZU++vVvezozcv0aicNR9AEwmmJr
EgXYW3UHPoJ9PvOVhBuy
=YNzq
-----END PGP SIGNATURE-----




Reply sent to Arno Töll <debian@toell.net>:
You have taken responsibility. (Tue, 20 Dec 2011 20:54:08 GMT) Full text and rfc822 format available.

Notification sent to Mahyuddin Susanto <udienz@ubuntu.com>:
Bug acknowledged by developer. (Tue, 20 Dec 2011 20:54:08 GMT) Full text and rfc822 format available.

Message #17 received at 652726-close@bugs.debian.org (full text, mbox):

From: Arno Töll <debian@toell.net>
To: 652726-close@bugs.debian.org
Subject: Bug#652726: fixed in lighttpd 1.4.30-1
Date: Tue, 20 Dec 2011 20:50:11 +0000
Source: lighttpd
Source-Version: 1.4.30-1

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive:

lighttpd-doc_1.4.30-1_all.deb
  to main/l/lighttpd/lighttpd-doc_1.4.30-1_all.deb
lighttpd-mod-cml_1.4.30-1_amd64.deb
  to main/l/lighttpd/lighttpd-mod-cml_1.4.30-1_amd64.deb
lighttpd-mod-magnet_1.4.30-1_amd64.deb
  to main/l/lighttpd/lighttpd-mod-magnet_1.4.30-1_amd64.deb
lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
  to main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
  to main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
lighttpd-mod-webdav_1.4.30-1_amd64.deb
  to main/l/lighttpd/lighttpd-mod-webdav_1.4.30-1_amd64.deb
lighttpd_1.4.30-1.debian.tar.gz
  to main/l/lighttpd/lighttpd_1.4.30-1.debian.tar.gz
lighttpd_1.4.30-1.dsc
  to main/l/lighttpd/lighttpd_1.4.30-1.dsc
lighttpd_1.4.30-1_amd64.deb
  to main/l/lighttpd/lighttpd_1.4.30-1_amd64.deb
lighttpd_1.4.30.orig.tar.gz
  to main/l/lighttpd/lighttpd_1.4.30.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 652726@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arno Töll <debian@toell.net> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 20 Dec 2011 11:36:09 +0100
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source amd64 all
Version: 1.4.30-1
Distribution: unstable
Urgency: medium
Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Changed-By: Arno Töll <debian@toell.net>
Description: 
 lighttpd   - fast webserver with minimal memory footprint
 lighttpd-doc - documentation for lighttpd
 lighttpd-mod-cml - cache meta language module for lighttpd
 lighttpd-mod-magnet - control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 642494 652442 652726
Changes: 
 lighttpd (1.4.30-1) unstable; urgency=medium
 .
   * New upstream release
     + Fix integer overflow (CVE-2011-4362) (Closes: #652726)
     + Fix attack vector as disclosed by the SSL BEAST attack (related:
       CVE-2011-3389). Note: If you are upgrading from an older version you need
       to change your configuration to mitigate effects of the attack. See the
       corresponding NEWS file for details.
     + Count SSL renegotiations to prevent client renegotiations
   * Urgency set to medium due to security updates.
   * Adapt to dpkg 1.16.1 API changes regarding build flags. This enables
     hardening build flags. This means, lighttpd is now being built with
     -fstack-protector and other security related build flags.
   * Add dpkg-dev (>= 1.16.1~) to build-depends to make sure our buildflags are
     properly supported. That's guaranteed for Testing, but might be helpful to
     know for backporters.
   * Fix "Doesn't remove /etc/lighttpd on purge" by removing dangling symlinks
     /only/. This does not entirely fix the problem of the maintainer, but we can
     not simply remove all files in /etc/lighttpd as other packages or the user
     himself might have left configuration files back (Closes: #642494)
   * Fix "please include systemd service file" Support systemd as alternative to
     sysvinit, ship systemd and tempfiles.d configuration files. Thanks to
     Michael Stapelberg for providing the required files (Closes: #652442)
Checksums-Sha1: 
 25e55ae7ab00195a6f5855f8b02a6bbc919b835a 2021 lighttpd_1.4.30-1.dsc
 4a59c237fe62b06365aecb3ad4139b8593a21829 834241 lighttpd_1.4.30.orig.tar.gz
 9c99522ac226e32eace526ed355ace702f929c12 26429 lighttpd_1.4.30-1.debian.tar.gz
 bcd077ec390a1845559a23b9b0447060ccd5067f 301500 lighttpd_1.4.30-1_amd64.deb
 e6eb2332ed524c052d807388cc903a6efcc3dd1d 63030 lighttpd-doc_1.4.30-1_all.deb
 98c95277a9cd91dc669a07794b14035dc3a5d2d8 19014 lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
 ea89364a5c1e4818a498b12613643ac104289af0 20686 lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
 48a946444101605cc5b6d6a123cfdf40407c162c 23872 lighttpd-mod-cml_1.4.30-1_amd64.deb
 747c714113b658a34ffd1789d9b7494454d4aee2 25100 lighttpd-mod-magnet_1.4.30-1_amd64.deb
 ce0bb4d29bfed4a22b8259fa3cb77d05b46da6ee 31358 lighttpd-mod-webdav_1.4.30-1_amd64.deb
Checksums-Sha256: 
 d478233c041d95a065710addc72c9cec7f64280806fe9e374c31a2f32870df94 2021 lighttpd_1.4.30-1.dsc
 59ae55b0ec427c328fa74d683e00eb1bc99bcc20cd184177875e9b6865de2b8b 834241 lighttpd_1.4.30.orig.tar.gz
 099a6c3023a8b36e9fcf23b74c241a6a82c745e4fcc55342055f9afa04d2c0da 26429 lighttpd_1.4.30-1.debian.tar.gz
 cb28a965e8a1b05dd252d1f97944243207a8dde280889c7e9fd913673ae27ee9 301500 lighttpd_1.4.30-1_amd64.deb
 e48ebe6760b1ba9d3fc669da8f5f7ce6345a1737eb3e791de9964decfa7fcd69 63030 lighttpd-doc_1.4.30-1_all.deb
 d60dae9f7ebc0732cab30d058d49444e5c911539767979d07912483960066dd7 19014 lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
 7446458aa023c31dba3d1747de83a30984a39606998d06ee876bfa4d6bb47f00 20686 lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
 5599c32fc1f783f84fc68e4ba7451eee7787436ff6cedc8159fa784a23cbd334 23872 lighttpd-mod-cml_1.4.30-1_amd64.deb
 de04387a8b4810695e77bf337b92f71c913bc297b95260ae4c8e10370d176197 25100 lighttpd-mod-magnet_1.4.30-1_amd64.deb
 88656c99fc37bd524c2053e2fbd7d6db0ce1e93f891fe4401e5683653a0788dd 31358 lighttpd-mod-webdav_1.4.30-1_amd64.deb
Files: 
 025d6446ceb1f654f56fd33700482c8e 2021 httpd optional lighttpd_1.4.30-1.dsc
 7f0bbb66a05099f634ea8f63af99cfed 834241 httpd optional lighttpd_1.4.30.orig.tar.gz
 cc484f3f504c6aaf3bf934e3553d6329 26429 httpd optional lighttpd_1.4.30-1.debian.tar.gz
 ce72c9d945b1876b7c84bb92c9f32ca7 301500 httpd optional lighttpd_1.4.30-1_amd64.deb
 3dbd1826a4d630a2724c7794517a5df7 63030 doc optional lighttpd-doc_1.4.30-1_all.deb
 6a21d70ad8343213f11f28228432e66c 19014 httpd optional lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
 bf49a05a75e0568ad85179b74670d058 20686 httpd optional lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
 f1d66686ab9c0f68c74e062ea09b9fe9 23872 httpd optional lighttpd-mod-cml_1.4.30-1_amd64.deb
 96d31e3557a1b4bc23e129cb47f61957 25100 httpd optional lighttpd-mod-magnet_1.4.30-1_amd64.deb
 0660ffdd2e1eb69fbb487b49c6ce8703 31358 httpd optional lighttpd-mod-webdav_1.4.30-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk7w7DAACgkQHYflSXNkfP8G2gCbBXoTM3KXS9puD/C+slFGPJi+
Q9EAoLSJ3fM/Q5fPr/NnFLpplX/s8f5J
=W4o7
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Jan 2012 07:34:21 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 06:41:09 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.