| Summary: | lighttpd new security issues fixed in 1.4.41 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, lewyssmith, mageia, marja11, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/696215/ | | |
| Whiteboard: | advisory MGA5-32-OK MGA5-64-OK | | |
| Source RPM: | lighttpd-1.4.39-4.mga6.src.rpm | CVE: | |
| Status comment: | | | |
|
Description

David Walser, 2016-07-31 21:04:40 CEST (comment #0):

Upstream has released version 1.4.41 today (July 31):
http://www.lighttpd.net/2016/7/31/1.4.41/

It has four security fixes, including an "httpoxy" one.

1.4.40 was previously released on July 16:
http://www.lighttpd.net/2016/7/16/1.4.40/

Mageia 5 is also affected.

Hopefully we can get patches, as that's quite a bit of change since 1.4.39.

David Walser, 2016-07-31 21:04:50 CEST:
Whiteboard: (none) => MGA5TOO
Assigning to maintainer
CC: (none) => marja11

Shlomi Fish (comment #2):

(In reply to David Walser from comment #0)
> Upstream has released version 1.4.41 today (July 31):
> http://www.lighttpd.net/2016/7/31/1.4.41/
>
> It has four security fixes, including an "httpoxy" one.
>
> 1.4.40 was previously released on July 16:
> http://www.lighttpd.net/2016/7/16/1.4.40/
>
> Mageia 5 is also affected.
>
> Hopefully we can get patches, as that's quite a bit of change since 1.4.39.

Should we update Cauldron to the 1.4.41 version of lighttpd?

Comment #3:

(In reply to Shlomi Fish from comment #2)
> Should we update Cauldron to the 1.4.41 version of lighttpd?

IINM, David Walser should be going on holiday now :-)
If he doesn't reply: probably better to ask on dev ml. Or, if preparing the upgrade doesn't take a lot of time: try to get a freeze push request accepted ;-)

Comment #4:

httpoxy issue here is actually CVE-2016-1000212.
URL: (none) => http://lwn.net/Vulnerabilities/696215/

Comment #5:

Debian has issued an advisory for this on August 6:
https://lists.debian.org/debian-security-announce/2016/msg00220.html

The DSA should be here, but for some reason it hasn't been posted:
https://www.debian.org/security/2016/dsa-3642

I guess it'd be easiest for Cauldron to just update it to 1.4.41 and hope for the best.

Comment #6:

lighttpd-1.4.41-1.mga6 uploaded for Cauldron.

Comment #7:

Thanks Shlomi.
Version: Cauldron => 5

Comment #8:

pushed in mga5 updates_testing
SRPMS: lighttpd-1.4.37-1.1.mga5
CC: (none) => mageia

Nicolas Lécureuil, 2016-11-18 10:06:06 CET:
Assignee: qa-bugs => bugsquad

Nicolas Lécureuil, 2016-11-18 10:51:27 CET:
Assignee: bugsquad => qa-bugs

Comment #9:

Nicolas, what about the other security issues fixed in 1.4.41?

Advisory:
========================

Updated lighttpd packages fix security vulnerability:

Dominic Scheirlinck and Scott Geary of Vend reported an insecure behaviour in the lighttpd web server. Lighttpd assigned Proxy header values from client requests to internal HTTP_PROXY environment variables. This could be used to carry out Man in the Middle Attacks (MITM) or create connections to arbitrary hosts (CVE-2016-1000212).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000212
https://www.debian.org/security/2016/dsa-3642
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.37-1.1.mga5
lighttpd-mod_auth-1.4.37-1.1.mga5
lighttpd-mod_cml-1.4.37-1.1.mga5
lighttpd-mod_compress-1.4.37-1.1.mga5
lighttpd-mod_mysql_vhost-1.4.37-1.1.mga5
lighttpd-mod_trigger_b4_dl-1.4.37-1.1.mga5
lighttpd-mod_webdav-1.4.37-1.1.mga5
lighttpd-mod_magnet-1.4.37-1.1.mga5
lighttpd-mod_geoip-1.4.37-1.1.mga5

from lighttpd-1.4.37-1.1.mga5.src.rpm

Nicolas Lécureuil (comment #10):

is it safe to update in a second step to 1.4.41 ?

Comment #11:

(In reply to Nicolas Lécureuil from comment #10)
> is it safe to update in a second step to 1.4.41 ?

Probably.
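The mechanism behind the advisory above, as an added illustration that is not lighttpd's code: the CGI meta-variable rule (HTTP_ plus the header name upper-cased, dashes to underscores) turns a client-supplied "Proxy" request header into HTTP_PROXY, the variable many outbound HTTP client libraries honour, so a script's back-end requests can be redirected through a host the client chose. The hardened builder drops that header before deriving the environment, which is the standard httpoxy mitigation; function names and the sample headers are constructed for this example.

```python
from typing import Dict, Iterable, Optional, Tuple

Header = Tuple[str, str]

def cgi_var_name(header: str) -> str:
    """RFC 3875 meta-variable name for a request header ('User-Agent' -> HTTP_USER_AGENT)."""
    return "HTTP_" + header.strip().upper().replace("-", "_")

def build_cgi_env_vulnerable(headers: Iterable[Header],
                             base_env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Pre-1.4.41 behaviour modelled here: every client header is exported, so
    'Proxy: ...' collides with HTTP_PROXY and poisons the CGI process environment."""
    env = dict(base_env or {})
    for name, value in headers:
        env[cgi_var_name(name)] = value
    return env

def build_cgi_env_hardened(headers: Iterable[Header],
                           base_env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Same derivation, but a client 'Proxy' header (any letter case, stray
    whitespace included) is never exported, so HTTP_PROXY can only come from
    the server's own configuration in base_env."""
    env = dict(base_env or {})
    for name, value in headers:
        if name.strip().lower() == "proxy":
            continue
        env[cgi_var_name(name)] = value
    return env

def poisoned_proxy(env: Dict[str, str]) -> Optional[str]:
    """Defensive check a CGI script can run on its own environment: return the
    proxy URL it would be steered through, or None if HTTP_PROXY is absent."""
    return env.get("HTTP_PROXY")

# Constructed sample request; 203.0.113.5 is documentation address space.
SAMPLE_HEADERS = [
    ("Host", "www.example.org"),
    ("User-Agent", "curl/7.50"),
    ("Proxy", "http://203.0.113.5:8080"),
]

if __name__ == "__main__":
    print("vulnerable:", poisoned_proxy(build_cgi_env_vulnerable(SAMPLE_HEADERS)))
    print("hardened:  ", poisoned_proxy(build_cgi_env_hardened(SAMPLE_HEADERS)))
```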
Dave Hodgins, 2016-11-21 21:29:00 CET:
CC: (none) => davidwhodgins

MGA5-32 on AcerD620 Xfce
No installation issues
Tested as per bug 16555 Comment 4: tested on default port 80 and testport 8080, all OK

CC: (none) => herman.viaene

Testing M5_64 real hardware
BEFORE update:
Installed the following from current normal repositories:
lighttpd-1.4.37-1.mga5
lighttpd-mod_auth-1.4.37-1.mga5
lighttpd-mod_cml-1.4.37-1.mga5
lighttpd-mod_compress-1.4.37-1.mga5
lighttpd-mod_geoip-1.4.37-1.mga5
lighttpd-mod_magnet-1.4.37-1.mga5
lighttpd-mod_mysql_vhost-1.4.37-1.mga5
lighttpd-mod_trigger_b4_dl-1.4.37-1.mga5
lighttpd-mod_webdav-1.4.37-1.mga5
# systemctl stop httpd.service
# systemctl start lighttpd.service
# systemctl status lighttpd.service
● lighttpd.service - Lightning Fast Webserver With Light System Requirements
Loaded: loaded (/usr/lib/systemd/system/lighttpd.service; enabled)
Active: active (running) since Gwe 2016-11-25 14:44:40 CET; 30s ago
Process: 26331 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
Main PID: 26372 (lighttpd-angel)
CGroup: /system.slice/lighttpd.service
├─26372 /usr/sbin/lighttpd-angel -D -f /etc/lighttpd/lighttpd.conf...
└─26373 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
Browsing to http://localhost[:80] shows the "It works!" page.
http://localhost:8080 showed an Apache Tomcat intro page, because I happen to have Tomcat installed.
AFTER update from 'updates testing' to version '1.4.37-1.1' of all 9 modules:
# systemctl restart lighttpd
# systemctl status lighttpd.service
gave quasi-identical O/P to that shown above.
Browsing to both default (80) and 8080 http://localhost ports showed the same pages as beforehand. The update looks OK.

Validating; advisory already there.
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0398.html
Status: NEW => RESOLVED