| Summary: | lighttpd new security issue CVE-2022-22707 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | lighttpd-1.4.59-1.mga8.src.rpm | CVE: | CVE-2022-22707 |
| Status comment: | | | |
|
Description
David Walser
2022-01-12 15:37:56 CET

David Walser
2022-01-12 15:38:13 CET
Whiteboard: (none) => MGA8TOO

This is not officially yours, Stig, but seeing that you have done its most recent updates, you at least have seen it before.
Assignee: bugsquad => smelror

Fixed upstream in 1.4.64: http://www.lighttpd.net/2022/1/19/1.4.64/

We'll need to just patch for Mageia 8 since 1.4.64 removes several modules.

lighttpd-1.4.64-1.mga9 uploaded for Cauldron.
Version: Cauldron => 8

openSUSE has issued an advisory for this today (February 2):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6P5G6MJW4Q5RKKPO7TS5CLAAEQ2QUYBE/

Suggested advisory:
========================

The updated packages fix a security vulnerability:

In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system. (CVE-2022-22707)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22707
https://www.debian.org/security/2022/dsa-5040
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6P5G6MJW4Q5RKKPO7TS5CLAAEQ2QUYBE/
========================

Updated packages in core/updates_testing:
========================
lighttpd-mod_webdav-1.4.59-1.1.mga8
lighttpd-mod_cml-1.4.59-1.1.mga8
lighttpd-mod_mysql_vhost-1.4.59-1.1.mga8
lighttpd-mod_auth-1.4.59-1.1.mga8
lighttpd-mod_authn_ldap-1.4.59-1.1.mga8
lighttpd-mod_magnet-1.4.59-1.1.mga8
lighttpd-mod_uploadprogress-1.4.59-1.1.mga8
lighttpd-mod_geoip-1.4.59-1.1.mga8
lighttpd-mod_authn_file-1.4.59-1.1.mga8
lighttpd-mod_ajp13-1.4.59-1.1.mga8
lighttpd-mod_authn_mysql-1.4.59-1.1.mga8
lighttpd-mod_trigger_b4_dl-1.4.59-1.1.mga8
lighttpd-mod_deflate-1.4.59-1.1.mga8
lighttpd-1.4.59-1.1.mga8

from SRPM:
lighttpd-1.4.59-1.1.mga8.src.rpm
CC: (none) => nicolas.salguero

MGA8-64, Mate

Apr 27 13:02:41 localhost.localdomain [RPM][2909]: install lighttpd-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:41 localhost.localdomain [RPM][2909]: install lighttpd-mod_authn_file-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_auth-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_geoip-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_authn_ldap-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_cml-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_trigger_b4_dl-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_deflate-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_webdav-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_mysql_vhost-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_uploadprogress-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_ajp13-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_authn_mysql-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_magnet-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_authn_file-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_auth-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_geoip-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_authn_ldap-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_cml-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_trigger_b4_dl-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_deflate-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_webdav-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_mysql_vhost-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_uploadprogress-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_ajp13-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_authn_mysql-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_magnet-1.4.59-1.1.mga8.x86_64: success

[root@localhost html]# # curl -I -L localhost
HTTP/1.1 200 OK
Content-Type: text/html
Accept-Ranges: bytes
ETag: "3522954346"
Last-Modified: Wed, 27 Apr 2022 18:27:16 GMT
Content-Length: 144
Date: Wed, 27 Apr 2022 18:29:19 GMT
Server: lighttpd/1.4.59

I don't really have time for more tests, but everything seems to have installed alright and the service is running and responding.
CC: (none) => brtians1

(In reply to Brian Rockwell from comment #5)
> I don't really have time for more tests, but everything seems to have
> installed alright and the service is running and responding.

If I'm reading previous updates correctly, that should be enough. Giving it an OK, and validating.

Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
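The advisory text above gives the affected upstream range (1.4.46 through 1.4.63, fixed in 1.4.64), while the Mageia 8 fix is a backport that keeps the 1.4.59 version string and only bumps the package release from 1.mga8 to 1.1.mga8. The QA test in comment 5 checks the Server header, which still reads lighttpd/1.4.59 after the fix, so a version-string scan alone would flag a patched host. The triage helper below is an added example, not part of this bug report, of lighttpd, or of Mageia tooling. It assumes either a raw curl -I header block or a Mageia RPM package name (optionally inside an RPM journal line) as input; the only backport it knows about is the one recorded in this report, and everything else in the affected range is reported as affected.

```python
"""Added triage helper for CVE-2022-22707 (lighttpd mod_extforward overflow).

Not part of the Mageia bug report or of lighttpd. It encodes only what the
advisory in this report states: upstream 1.4.46 through 1.4.63 are affected,
1.4.64 is fixed, and Mageia 8 ships a backported fix as lighttpd-1.4.59-1.1.mga8
(same upstream version string as the unfixed 1.4.59-1.mga8 build).
"""
import re
from typing import NamedTuple, Optional, Tuple

# Affected upstream range from the advisory: 1.4.46 <= version < 1.4.64.
FIRST_AFFECTED = (1, 4, 46)
FIRST_FIXED_UPSTREAM = (1, 4, 64)

# Distro builds that backport the fix without changing the upstream version.
# (distro tag, upstream version) -> first package release carrying the fix.
# Only the Mageia 8 build from this report is listed; other distros are
# deliberately absent, so unknown backports are still reported as affected.
BACKPORT_FIXED = {
    ("mga8", "1.4.59"): "1.1",
}

# "Server: lighttpd/1.4.59" as printed by curl -I; one header per line.
_SERVER_RE = re.compile(r"^Server:\s*lighttpd/(\d+\.\d+\.\d+)\s*$", re.I | re.M)
# Mageia package names such as lighttpd-mod_webdav-1.4.59-1.1.mga8.x86_64 or
# lighttpd-1.4.59-1.mga8.src.rpm; also found inside an RPM journal line.
_RPM_RE = re.compile(r"lighttpd(?:-mod_\w+)?-(\d+\.\d+\.\d+)-([0-9.]+)\.(mga\d+)")


class Verdict(NamedTuple):
    version: str            # upstream version string, e.g. "1.4.59"
    release: Optional[str]  # package release, e.g. "1.1" (None for a Server header)
    affected: bool
    reason: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.4.59' -> (1, 4, 59); tuples compare numerically, so '1.1' > '1'."""
    return tuple(int(part) for part in text.split("."))


def upstream_affected(version: str) -> bool:
    """True when the upstream version lies in the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED_UPSTREAM


def triage_server_header(response_headers: str) -> Verdict:
    """Judge a raw HTTP response header block on its Server: line only.

    A distro backport keeps the upstream version string, so an 'affected'
    answer here is a lead, not a confirmation; the package release decides.
    """
    match = _SERVER_RE.search(response_headers)
    if match is None:
        raise ValueError("no 'Server: lighttpd/x.y.z' header in input")
    version = match.group(1)
    if upstream_affected(version):
        return Verdict(version, None, True,
                       "upstream version in affected range; a distro backport "
                       "may already fix it, confirm against the package release")
    return Verdict(version, None, False, "upstream version outside affected range")


def triage_rpm_name(text: str) -> Verdict:
    """Judge a Mageia lighttpd package name (or a log line containing one)."""
    match = _RPM_RE.search(text)
    if match is None:
        raise ValueError("no Mageia lighttpd package name in input")
    version, release, distro = match.groups()
    if not upstream_affected(version):
        return Verdict(version, release, False, "upstream version outside affected range")
    fixed_release = BACKPORT_FIXED.get((distro, version))
    if fixed_release is not None and parse_version(release) >= parse_version(fixed_release):
        return Verdict(version, release, False,
                       f"backported fix present (release {release} >= {fixed_release}.{distro})")
    return Verdict(version, release, True,
                   "affected upstream version and no known backported fix in this release")


if __name__ == "__main__":
    # Constructed sample input modelled on the curl -I output and RPM journal
    # lines quoted in this report.
    curl_output = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: lighttpd/1.4.59\r\n"
    journal_lines = [
        "Apr 27 13:02:41 localhost.localdomain [RPM][2909]: install lighttpd-1.4.59-1.1.mga8.x86_64: success",
        "Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_webdav-1.4.59-1.1.mga8.x86_64: success",
    ]
    print(triage_server_header(curl_output))                 # affected=True, lead only
    for line in journal_lines:
        print(triage_rpm_name(line))                          # affected=False, 1.1.mga8 carries the fix
    print(triage_rpm_name("lighttpd-1.4.59-1.mga8.src.rpm"))  # affected=True, pre-fix SRPM
    print(triage_rpm_name("lighttpd-1.4.64-1.mga9"))          # affected=False, Cauldron has upstream 1.4.64
```

The Server header path is intentionally weaker than the package path: it can only say "in the upstream range", and the reason string says so, because after this update a Mageia 8 host answers lighttpd/1.4.59 exactly as before. The package release comparison is what turns the lead into a verdict, which is why the RPM journal lines in comment 5 are the better evidence of a fixed system than the curl output.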
Dave Hodgins
2022-05-06 21:07:05 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0161.html
Status: ASSIGNED => RESOLVED