Bug 23443

Summary: lighttpd new security issues fixed upstream in 1.4.51
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, bruno, herman.viaene, marja11, sysadmin-bugs, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: lighttpd-1.4.45-4.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-08-14 13:56:59 CEST 
Lighttpd 1.4.50 has been released on August 13, fixing three security issues:
http://www.lighttpd.net/2018/8/13/1.4.50/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-14 13:57:10 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-16 12:22:47 CEST 
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2018-08-29 20:47:28 CEST 
Fedora has issued an advisory for this on August 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L4IF4NIZOPGQ36R7FFZTGDYNMECSFGMU/
Comment 4 Bruno Cornec 2018-10-11 01:40:13 CEST 
shlomif pushed 1.4.50 2018-08-16

CC: (none) => bruno

Comment 5 Bruno Cornec 2018-10-11 01:43:37 CEST 
I pushed 1.4.50 in 6 core/updates_testing

Assignee: shlomif => qa-bugs
Status: NEW => ASSIGNED

Comment 6 David Walser 2018-10-12 01:28:38 CEST 
Advisory:
========================

Updated lighttpd package fixes security vulnerabilities:

potential path traversal with specific configs or in some use cases in mod_alias.

use-after-free invalid Range requests in core.

References:
http://www.lighttpd.net/2018/8/13/1.4.50/
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.50-1.1.mga6
lighttpd-mod_auth-1.4.50-1.1.mga6
lighttpd-mod_authn_file-1.4.50-1.1.mga6
lighttpd-mod_authn_ldap-1.4.50-1.1.mga6
lighttpd-mod_authn_mysql-1.4.50-1.1.mga6
lighttpd-mod_cml-1.4.50-1.1.mga6
lighttpd-mod_compress-1.4.50-1.1.mga6
lighttpd-mod_deflate-1.4.50-1.1.mga6
lighttpd-mod_mysql_vhost-1.4.50-1.1.mga6
lighttpd-mod_trigger_b4_dl-1.4.50-1.1.mga6
lighttpd-mod_webdav-1.4.50-1.1.mga6
lighttpd-mod_magnet-1.4.50-1.1.mga6
lighttpd-mod_geoip-1.4.50-1.1.mga6
lighttpd-mod_uploadprogress-1.4.50-1.1.mga6

from lighttpd-1.4.50-1.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 7 Herman Viaene 2018-10-24 12:17:21 CEST 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Stopped httpd, then
# systemctl start lighttpd
# systemctl -l status lighttpd
● lighttpd.service - Lightning Fast Webserver With Light System Requirements
   Loaded: loaded (/usr/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since wo 2018-10-24 12:00:44 CEST; 3s ago
  Process: 2112 ExecStart=/usr/sbin/lighttpd-angel -D -f /etc/lighttpd/lighttpd.conf (code=ex
  Process: 2104 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exite
 Main PID: 2112 (code=exited, status=0/SUCCESS)

and of course no connection in firefox

# journalctl -xe | grep light
-- Subject: Unit lighttpd.service has begun start-up
-- Unit lighttpd.service has begun starting up.
okt 24 12:00:44 mach6.hviaene.thuis lighttpd[2104]: Syntax OK
-- Subject: Unit lighttpd.service has finished start-up
-- Unit lighttpd.service has finished starting up.
okt 24 12:00:44 mach6.hviaene.thuis lighttpd-angel[2112]: 2018-10-24 12:00:44: (network.c.167) warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes
okt 24 12:00:44 mach6.hviaene.thuis lighttpd-angel[2112]: 2018-10-24 12:00:44: (network.c.281) socket failed: Address family not supported by protocol
okt 24 12:00:44 mach6.hviaene.thuis lighttpd-angel[2112]: lighttpd-angel.c.148: child (pid=2115) exited normally with exitcode: 255
So edited /etc/lighttpd/lighttpd.conf to
server.use-ipv6 = "disable" (default was "enable")
then# systemctl start lighttpd
[root@mach6 ~]# systemctl -l status lighttpd
● lighttpd.service - Lightning Fast Webserver With Light System Requirements
   Loaded: loaded (/usr/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
   Active: active (running) since wo 2018-10-24 12:06:52 CEST; 7s ago
  Process: 4353 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, status
 Main PID: 4357 (lighttpd-angel)
   CGroup: /system.slice/lighttpd.service
           ├─4357 /usr/sbin/lighttpd-angel -D -f /etc/lighttpd/lighttpd.conf
           └─4360 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
I could connect on port 80 and as per bug 16555, changed port to 8080 in /etc/lighttpd/lighttpd.conf and restarted lighttpd, also OK.

So lighttpd works OK , but not in its default /etc/lighttpd/lighttpd.conf

CC: (none) => herman.viaene

Comment 8 David Walser 2018-10-26 19:52:29 CEST 
Upstream has released 1.4.51 on October 14:
https://www.lighttpd.net/2018/10/14/1.4.51/

It fixes two security issues.

Fedora has issued an advisory for this on October 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NCAH6ZBU4V4FMPV4C2LSPAFVRRM2UCVD/

Summary: lighttpd new security issues fixed upstream in 1.4.50 => lighttpd new security issues fixed upstream in 1.4.51
Keywords: (none) => feedback

Comment 9 Bruno Cornec 2018-10-27 01:57:04 CEST 
lighttpd-1.4.51-1.mga7 is already in cauldron
Comment 10 Bruno Cornec 2018-10-27 01:59:09 CEST 
lighttpd-1.4.51-1.mga6 submitted for mga6 update
Comment 11 David Walser 2018-10-27 02:07:01 CEST 
Advisory:
========================

Updated lighttpd package fixes security vulnerabilities:

Potential path traversal with specific configs or in some use cases in
mod_alias.

use-after-free invalid Range requests in core.

Process headers after combining folded headers in core.

Skip username "." and ".." in mod_userdir.

References:
http://www.lighttpd.net/2018/8/13/1.4.50/
https://www.lighttpd.net/2018/10/14/1.4.51/
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.51-1.mga6
lighttpd-mod_auth-1.4.51-1.mga6
lighttpd-mod_authn_file-1.4.51-1.mga6
lighttpd-mod_authn_ldap-1.4.51-1.mga6
lighttpd-mod_authn_mysql-1.4.51-1.mga6
lighttpd-mod_cml-1.4.51-1.mga6
lighttpd-mod_compress-1.4.51-1.mga6
lighttpd-mod_deflate-1.4.51-1.mga6
lighttpd-mod_mysql_vhost-1.4.51-1.mga6
lighttpd-mod_trigger_b4_dl-1.4.51-1.mga6
lighttpd-mod_webdav-1.4.51-1.mga6
lighttpd-mod_magnet-1.4.51-1.mga6
lighttpd-mod_geoip-1.4.51-1.mga6
lighttpd-mod_uploadprogress-1.4.51-1.mga6

from lighttpd-1.4.51-1.mga6.src.rpm

Keywords: feedback => (none)

Comment 12 Herman Viaene 2018-10-29 15:55:24 CET 
Same result and issue as per Comment 7.
Comment 13 David Walser 2018-10-29 17:57:14 CET 
That sounds fine.  It's to be expected if you disabled IPv6 in your network configuration.
Comment 14 Herman Viaene 2018-10-30 09:28:11 CET 
That is the case, so test is OK for me.

Whiteboard: (none) => MGA6-32-OK

Comment 15 Thomas Andrews 2018-11-02 19:54:47 CET 
Validating, then. Advisory in Comment 11.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-11-03 12:00:19 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 16 Mageia Robot 2018-11-03 12:56:28 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0430.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 17 David Walser 2019-12-03 18:38:59 CET 
The path traversal fixed in 1.4.50 got CVE-2018-19052:
https://lists.opensuse.org/opensuse-updates/2019-10/msg00120.html