Your message dated Sun, 13 Apr 2008 11:32:13 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#475438: fixed in lighttpd 1.4.19-2
has caused the Debian Bug report #475438,
regarding lighttpd: CVE-2008-1531 SSL connection loss can be triggered by SSL
errors
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
475438: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475438
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: lighttpd
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for lighttpd.
CVE-2008-1531[0]:
| lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
| of service (active SSL connection loss) by triggering an SSL error,
| such as disconnecting before a download has finished, which causes all
| active SSL connections to be lost.
Please use:
http://trac.lighttpd.net/trac/attachment/ticket/285/committed-patch-1.4.19.patch
to patch this and not the referenced trac changeset because
it contains a bug (see #474951).
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1531
http://security-tracker.debian.net/tracker/CVE-2008-1531
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: lighttpd
Source-Version: 1.4.19-2
We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive:
lighttpd-doc_1.4.19-2_all.deb
to pool/main/l/lighttpd/lighttpd-doc_1.4.19-2_all.deb
lighttpd-mod-cml_1.4.19-2_amd64.deb
to pool/main/l/lighttpd/lighttpd-mod-cml_1.4.19-2_amd64.deb
lighttpd-mod-magnet_1.4.19-2_amd64.deb
to pool/main/l/lighttpd/lighttpd-mod-magnet_1.4.19-2_amd64.deb
lighttpd-mod-mysql-vhost_1.4.19-2_amd64.deb
to pool/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.19-2_amd64.deb
lighttpd-mod-trigger-b4-dl_1.4.19-2_amd64.deb
to pool/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.19-2_amd64.deb
lighttpd-mod-webdav_1.4.19-2_amd64.deb
to pool/main/l/lighttpd/lighttpd-mod-webdav_1.4.19-2_amd64.deb
lighttpd_1.4.19-2.diff.gz
to pool/main/l/lighttpd/lighttpd_1.4.19-2.diff.gz
lighttpd_1.4.19-2.dsc
to pool/main/l/lighttpd/lighttpd_1.4.19-2.dsc
lighttpd_1.4.19-2_amd64.deb
to pool/main/l/lighttpd/lighttpd_1.4.19-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pierre Habouzit <[EMAIL PROTECTED]> (supplier of updated lighttpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 13 Apr 2008 13:20:40 +0200
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost
lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet
lighttpd-mod-webdav
Architecture: source all amd64
Version: 1.4.19-2
Distribution: unstable
Urgency: low
Maintainer: Debian lighttpd maintainers <[EMAIL PROTECTED]>
Changed-By: Pierre Habouzit <[EMAIL PROTECTED]>
Description:
lighttpd - A fast webserver with minimal memory footprint
lighttpd-doc - Documentation for lighttpd
lighttpd-mod-cml - Cache meta language module for lighttpd
lighttpd-mod-magnet - Control the request handling module for lighttpd
lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
lighttpd-mod-trigger-b4-dl - Anti-deep-linking module for lighttpd
lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 408521 472119 472122 472175 473053 473510 475438
Changes:
lighttpd (1.4.19-2) unstable; urgency=low
.
* Add patches/ssl-connection-errors.patch for CVE-2008-1531
  (Closes: 475438).
* Test for /var/cache/lighttpd/compress in lighttpd.cron.daily to avoid
  spurious errors for uninstalled and not purged lighttpd's
  (Closes: 472175).
.
* Add handling of /var/cache/lighttpd/uploads (Closes: 408521):
  + add it in lighttpd.dirs.
  + add it as a server.upload-dirs in lighttpd.conf.
  + purge it daily in lighttpd.cron.daily.
.
* Fix typo in lighttpd.preinst causing failure to update 05-auth symlink
  properly (Closes: 472119).
.
* init.d: stopping an already stopped lighttpd, or starting an already
  running one should not fail (Closes: 472122).
.
* Use $HTTP["remoteip"] =~ "127.0.0.1" in configuration snippets so that it
  works when ipv6 is enabled by default too (Closes: 473510).
.
* Use perl to detect if the host has ipv6, and generate the server.use-ipv6
  snippet on the fly instead of forcing it to true (Closes: 473053).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIAe2OvGr7W6HudhwRAha5AKCYHcLARAFGi5Nhwtav1eXxbQT6fACbB9XF
IrzYuNHjN58pS5VEka6rEHA=
=6JLO
-----END PGP SIGNATURE-----
--- End Message ---