| Summary: | lighttpd new security issues CVE-2013-4508, CVE-2013-4559, and CVE-2013-4560 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | rverschelde, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/573677/ | | |
| Whiteboard: | MGA2TOO MGA3-32-OK MGA3-64-OK has_procedure advisory mga2-32-ok mga2-64-ok | | |
| Source RPM: | lighttpd-1.4.32-3.4.mga3.src.rpm | CVE: | |
| Status comment: | | | |
|
Description

David Walser 2013-11-12 23:59:36 CET

David Walser 2013-11-12 23:59:42 CET
Whiteboard: (none) => MGA2TOO

Debian has issued an advisory for this today:
http://lists.debian.org/debian-security-announce/2013/msg00207.html

David Walser 2013-11-13 20:34:26 CET
URL: (none) => http://lwn.net/Vulnerabilities/573677/

Debian has issued an updated advisory for this on November 16:
http://lists.debian.org/debian-security-announce/2013/msg00210.html

They included an additional patch to fix a regression in the CVE-2013-4508 fix.

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated lighttpd packages fix security vulnerabilities:

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network (CVE-2013-4508).

In lighttpd before 1.4.34, if setuid() fails for any reason, for instance if an environment limits the number of processes a user can have and the target uid already is at the limit, lighttpd will run as root. A user who can run CGI scripts could clone() often; in this case a lighttpd restart would end up with lighttpd running as root, and the CGI scripts would run as root too (CVE-2013-4559).

In lighttpd before 1.4.34, if "fam" is enabled and there are directories reachable from configured doc roots and aliases on which FAMMonitorDirectory fails, a remote client could trigger a DoS (CVE-2013-4560).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4560
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
http://www.debian.org/security/2013/dsa-2795
========================

Updated packages in core/updates_testing:
========================

lighttpd-1.4.30-5.3.mga2
lighttpd-mod_auth-1.4.30-5.3.mga2
lighttpd-mod_cml-1.4.30-5.3.mga2
lighttpd-mod_compress-1.4.30-5.3.mga2
lighttpd-mod_mysql_vhost-1.4.30-5.3.mga2
lighttpd-mod_trigger_b4_dl-1.4.30-5.3.mga2
lighttpd-mod_webdav-1.4.30-5.3.mga2
lighttpd-mod_magnet-1.4.30-5.3.mga2
lighttpd-1.4.32-3.6.mga3
lighttpd-mod_auth-1.4.32-3.6.mga3
lighttpd-mod_cml-1.4.32-3.6.mga3
lighttpd-mod_compress-1.4.32-3.6.mga3
lighttpd-mod_mysql_vhost-1.4.32-3.6.mga3
lighttpd-mod_trigger_b4_dl-1.4.32-3.6.mga3
lighttpd-mod_webdav-1.4.32-3.6.mga3
lighttpd-mod_magnet-1.4.32-3.6.mga3

from SRPMS:
lighttpd-1.4.30-5.3.mga2.src.rpm
lighttpd-1.4.32-3.6.mga3.src.rpm

Procedure: https://bugs.mageia.org/show_bug.cgi?id=10447#c17

You can most likely ignore the part about deleting the pid and settings; that was due to a bug being fixed in the update. It essentially boils down to stopping apache, then starting lighttpd and browsing to http://localhost

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Advisory from comment 2 uploaded. Please remove 'advisory' tag from whiteboard if anything changes.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure advisory

Testing complete on Mageia 3 64 bit. Following the procedure linked in comment 3, I could confirm that lighttpd in core/updates_testing works. I did not try to reproduce the vulnerabilities in the core/updates package.

CC: (none) => remi

Rémi Verschelde 2013-11-19 16:09:23 CET
Whiteboard: MGA2TOO has_procedure advisory => MGA2TOO MGA3-64-OK has_procedure advisory

Testing complete on Mageia 3 32 bit.

Whiteboard: MGA2TOO MGA3-64-OK has_procedure advisory => MGA2TOO MGA3-32-OK MGA3-64-OK has_procedure advisory

Testing complete mga2 32 & 64

Thought there was an issue on 32bit as the service failed to start with
(network.c.216) socket failed: Address family not supported by protocol

This is due to having ipv6 disabled on this computer (no idea why) and can be fixed by setting 'server.use-ipv6 = "disable"' in /etc/lighttpd/lighttpd.conf

Validating

Could sysadmin please push from 2&3 core/updates_testing to updates
Thanks!

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2013-0334.html

Status: NEW => RESOLVED
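The CVE-2013-4559 paragraph in the advisory above describes a privilege drop whose setuid() failure goes unchecked, so the daemon keeps running as root. The block below is an added example written for this page (not lighttpd's code) of the fail-closed pattern a defender wants instead: every step is checked and the result is verified before the server continues. It assumes Linux/POSIX; drop_privileges is this example's own name.

```c
/* Added example: fail-closed privilege drop (not lighttpd's code). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid. Returns 0 on success, -1 if any step fails or the
 * result does not verify. A real daemon also clears supplementary
 * groups (setgroups) before setgid(); it is left out here to keep the
 * example portable to unprivileged test runs. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* gid first, while we still hold the privilege to change it. */
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%ld) failed: %s\n", (long)gid, strerror(errno));
        return -1;
    }
    /* This is the return value the vulnerable code ignored. On Linux,
     * setuid() fails with EAGAIN when the target uid is already at its
     * RLIMIT_NPROC process limit, the scenario the advisory describes. */
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%ld) failed: %s\n", (long)uid, strerror(errno));
        return -1;
    }
    /* Verify: real and effective ids must now both be the target ids. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return -1;
    }
    /* Having dropped to a non-root uid, regaining root must be impossible;
     * if setuid(0) succeeds here only the effective id was changed. */
    if (uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "privilege drop is reversible\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Demonstration on the caller's own ids, which is always permitted. */
    if (drop_privileges(getuid(), getgid()) != 0)
        return 1;           /* refuse to start rather than run as root */
    printf("running as uid %ld\n", (long)geteuid());
    return 0;
}
```

Run as an unprivileged user, the second call in the test shows the failure path: setgid(0) is refused with EPERM and the function reports -1 instead of carrying on.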