Your message dated Tue, 20 Dec 2011 20:50:11 +0000
with message-id <[email protected]>
and subject line Bug#652726: fixed in lighttpd 1.4.30-1
has caused the Debian Bug report #652726,
regarding CVE-2011-4362: DoS because of incorrect code in src/http_auth.c:67
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
652726: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652726
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: lighttpd
Version: 1.4.29-1, 1.4.28-2, 1.4.19-5+lenny2
Severity: grave
Tags: security upstream fixed-upstream
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
A security bug has been discovered in lighttpd:
DoS because of incorrect code in src/http_auth.c:67
This is CVE-2011-4362. Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4362
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4362
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4362
Upstream bug:
http://redmine.lighttpd.net/issues/2370
Upstream has provided a patch:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt
Would you please fix the packages for lenny and squeeze?
- -- System Information:
Debian Release: wheezy/sid
APT prefers experimental
APT policy: (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
=g3I9
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Source: lighttpd
Source-Version: 1.4.30-1
We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive:
lighttpd-doc_1.4.30-1_all.deb
to main/l/lighttpd/lighttpd-doc_1.4.30-1_all.deb
lighttpd-mod-cml_1.4.30-1_amd64.deb
to main/l/lighttpd/lighttpd-mod-cml_1.4.30-1_amd64.deb
lighttpd-mod-magnet_1.4.30-1_amd64.deb
to main/l/lighttpd/lighttpd-mod-magnet_1.4.30-1_amd64.deb
lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
to main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
to main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
lighttpd-mod-webdav_1.4.30-1_amd64.deb
to main/l/lighttpd/lighttpd-mod-webdav_1.4.30-1_amd64.deb
lighttpd_1.4.30-1.debian.tar.gz
to main/l/lighttpd/lighttpd_1.4.30-1.debian.tar.gz
lighttpd_1.4.30-1.dsc
to main/l/lighttpd/lighttpd_1.4.30-1.dsc
lighttpd_1.4.30-1_amd64.deb
to main/l/lighttpd/lighttpd_1.4.30-1_amd64.deb
lighttpd_1.4.30.orig.tar.gz
to main/l/lighttpd/lighttpd_1.4.30.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arno Töll <[email protected]> (supplier of updated lighttpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 20 Dec 2011 11:36:09 +0100
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source amd64 all
Version: 1.4.30-1
Distribution: unstable
Urgency: medium
Maintainer: Debian lighttpd maintainers <[email protected]>
Changed-By: Arno Töll <[email protected]>
Description:
lighttpd - fast webserver with minimal memory footprint
lighttpd-doc - documentation for lighttpd
lighttpd-mod-cml - cache meta language module for lighttpd
lighttpd-mod-magnet - control the request handling module for lighttpd
lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 642494 652442 652726
Changes:
lighttpd (1.4.30-1) unstable; urgency=medium
.
* New upstream release
+ Fix integer overflow (CVE-2011-4362) (Closes: #652726)
+ Fix attack vector as disclosed by the SSL BEAST attack (related:
CVE-2011-3389). Note: If you are upgrading from an older version you need
to change your configuration to mitigate effects of the attack. See the
corresponding NEWS file for details.
+ Count SSL renegotiations to prevent client renegotiations
* Urgency set to medium due to security updates.
* Adapt to dpkg 1.16.1 API changes regarding build flags. This enables
hardening build flags. This means, lighttpd is now being built with
-fstack-protector and other security related build flags.
* Add dpkg-dev (>= 1.16.1~) to build-depends to make sure our buildflags are
properly supported. That's guaranteed for Testing, but might be helpful to
know for backporters.
* Fix "Doesn't remove /etc/lighttpd on purge" by removing dangling symlinks
/only/. This does not entirely fix the problem of the maintainer, but we
cannot simply remove all files in /etc/lighttpd as other packages or the user
himself might have left configuration files back (Closes: #642494)
* Fix "please include systemd service file" Support systemd as alternative to
sysvinit, ship systemd and tempfiles.d configuration files. Thanks to
Michael Stapelberg for providing the required files (Closes: #652442)
Checksums-Sha1:
25e55ae7ab00195a6f5855f8b02a6bbc919b835a 2021 lighttpd_1.4.30-1.dsc
4a59c237fe62b06365aecb3ad4139b8593a21829 834241 lighttpd_1.4.30.orig.tar.gz
9c99522ac226e32eace526ed355ace702f929c12 26429 lighttpd_1.4.30-1.debian.tar.gz
bcd077ec390a1845559a23b9b0447060ccd5067f 301500 lighttpd_1.4.30-1_amd64.deb
e6eb2332ed524c052d807388cc903a6efcc3dd1d 63030 lighttpd-doc_1.4.30-1_all.deb
98c95277a9cd91dc669a07794b14035dc3a5d2d8 19014 lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
ea89364a5c1e4818a498b12613643ac104289af0 20686 lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
48a946444101605cc5b6d6a123cfdf40407c162c 23872 lighttpd-mod-cml_1.4.30-1_amd64.deb
747c714113b658a34ffd1789d9b7494454d4aee2 25100 lighttpd-mod-magnet_1.4.30-1_amd64.deb
ce0bb4d29bfed4a22b8259fa3cb77d05b46da6ee 31358 lighttpd-mod-webdav_1.4.30-1_amd64.deb
Checksums-Sha256:
d478233c041d95a065710addc72c9cec7f64280806fe9e374c31a2f32870df94 2021 lighttpd_1.4.30-1.dsc
59ae55b0ec427c328fa74d683e00eb1bc99bcc20cd184177875e9b6865de2b8b 834241 lighttpd_1.4.30.orig.tar.gz
099a6c3023a8b36e9fcf23b74c241a6a82c745e4fcc55342055f9afa04d2c0da 26429 lighttpd_1.4.30-1.debian.tar.gz
cb28a965e8a1b05dd252d1f97944243207a8dde280889c7e9fd913673ae27ee9 301500 lighttpd_1.4.30-1_amd64.deb
e48ebe6760b1ba9d3fc669da8f5f7ce6345a1737eb3e791de9964decfa7fcd69 63030 lighttpd-doc_1.4.30-1_all.deb
d60dae9f7ebc0732cab30d058d49444e5c911539767979d07912483960066dd7 19014 lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
7446458aa023c31dba3d1747de83a30984a39606998d06ee876bfa4d6bb47f00 20686 lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
5599c32fc1f783f84fc68e4ba7451eee7787436ff6cedc8159fa784a23cbd334 23872 lighttpd-mod-cml_1.4.30-1_amd64.deb
de04387a8b4810695e77bf337b92f71c913bc297b95260ae4c8e10370d176197 25100 lighttpd-mod-magnet_1.4.30-1_amd64.deb
88656c99fc37bd524c2053e2fbd7d6db0ce1e93f891fe4401e5683653a0788dd 31358 lighttpd-mod-webdav_1.4.30-1_amd64.deb
Files:
025d6446ceb1f654f56fd33700482c8e 2021 httpd optional lighttpd_1.4.30-1.dsc
7f0bbb66a05099f634ea8f63af99cfed 834241 httpd optional lighttpd_1.4.30.orig.tar.gz
cc484f3f504c6aaf3bf934e3553d6329 26429 httpd optional lighttpd_1.4.30-1.debian.tar.gz
ce72c9d945b1876b7c84bb92c9f32ca7 301500 httpd optional lighttpd_1.4.30-1_amd64.deb
3dbd1826a4d630a2724c7794517a5df7 63030 doc optional lighttpd-doc_1.4.30-1_all.deb
6a21d70ad8343213f11f28228432e66c 19014 httpd optional lighttpd-mod-mysql-vhost_1.4.30-1_amd64.deb
bf49a05a75e0568ad85179b74670d058 20686 httpd optional lighttpd-mod-trigger-b4-dl_1.4.30-1_amd64.deb
f1d66686ab9c0f68c74e062ea09b9fe9 23872 httpd optional lighttpd-mod-cml_1.4.30-1_amd64.deb
96d31e3557a1b4bc23e129cb47f61957 25100 httpd optional lighttpd-mod-magnet_1.4.30-1_amd64.deb
0660ffdd2e1eb69fbb487b49c6ce8703 31358 httpd optional lighttpd-mod-webdav_1.4.30-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk7w7DAACgkQHYflSXNkfP8G2gCbBXoTM3KXS9puD/C+slFGPJi+
Q9EAoLSJ3fM/Q5fPr/NnFLpplX/s8f5J
=W4o7
-----END PGP SIGNATURE-----
--- End Message ---