Bug 30912

Summary: lighttpd new security issues CVE-2022-37797 and CVE-2022-41556
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: lighttpd-1.4.59-1.1.mga8.src.rpm
CVE: CVE-2022-37797, CVE-2022-41556
Status comment:

Description David Walser 2022-09-29 14:17:23 CEST
Debian has issued an advisory on September 28:
https://www.debian.org/security/2022/dsa-5243

The issues are fixed upstream in 1.4.67.
David Walser 2022-09-29 14:17:39 CEST

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 1.4.67

Comment 1 Nicolas Salguero 2022-09-29 14:50:26 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to a null pointer dereference which crashes the server. It could be used by an external attacker to cause a denial of service condition. (CVE-2022-37797)

A resource leak in mod_fastcgi and mod_scgi could lead to a denial of service after a large number of bad HTTP requests. (CVE-2022-41556)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41556
https://www.debian.org/security/2022/dsa-5243
========================

Updated packages in core/updates_testing:
========================
lighttpd-mod_webdav-1.4.59-1.2.mga8
lighttpd-mod_cml-1.4.59-1.2.mga8
lighttpd-mod_mysql_vhost-1.4.59-1.2.mga8
lighttpd-mod_auth-1.4.59-1.2.mga8
lighttpd-mod_authn_ldap-1.4.59-1.2.mga8
lighttpd-mod_magnet-1.4.59-1.2.mga8
lighttpd-mod_uploadprogress-1.4.59-1.2.mga8
lighttpd-mod_geoip-1.4.59-1.2.mga8
lighttpd-mod_authn_file-1.4.59-1.2.mga8
lighttpd-mod_ajp13-1.4.59-1.2.mga8
lighttpd-mod_authn_mysql-1.4.59-1.2.mga8
lighttpd-mod_trigger_b4_dl-1.4.59-1.2.mga8
lighttpd-mod_deflate-1.4.59-1.2.mga8
lighttpd-1.4.59-1.2.mga8

from SRPM:
lighttpd-1.4.59-1.2.mga8.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-37797, CVE-2022-41556
Status comment: Fixed upstream in 1.4.67 => (none)
Assignee: smelror => qa-bugs
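As an added example, not part of this bug report or of lighttpd's own source, the C sketch below shows the bug class the CVE-2022-37797 text describes (a per-request handler function pointer that is only assigned when the websocket handshake is valid) beside the hardened shape that assigns a safe default before any early return. The struct, field and function names are constructed for illustration.

```c
#include <string.h>

/* Constructed illustration of the bug class in the CVE-2022-37797 text;
 * not lighttpd's actual mod_wstunnel code. */
typedef struct request request;
typedef int (*handler_fn)(request *);

struct request {
    const char *upgrade_hdr;   /* value of the Upgrade: header, NULL if absent */
    handler_fn  handler;       /* set by the handshake step, called by dispatch */
};

static int handle_websocket(request *r)   { (void)r; return 101; } /* Switching Protocols */
static int handle_bad_request(request *r) { (void)r; return 400; }

/* Vulnerable shape: an invalid handshake returns early and never assigns
 * r->handler; whatever the dispatcher later calls through is NULL (or
 * stale memory), which is the crash the advisory describes. */
static int handshake_vulnerable(request *r) {
    if (!r->upgrade_hdr || strcmp(r->upgrade_hdr, "websocket") != 0)
        return -1;                        /* handler left unset */
    r->handler = handle_websocket;
    return 0;
}

/* Hardened shape: give the pointer a safe value before any early return,
 * so every path out of the handshake leaves a callable handler behind. */
static int handshake_hardened(request *r) {
    r->handler = handle_bad_request;      /* safe default first */
    if (!r->upgrade_hdr || strcmp(r->upgrade_hdr, "websocket") != 0)
        return -1;
    r->handler = handle_websocket;
    return 0;
}

/* Returns 1 if the vulnerable handshake leaves the handler NULL for this
 * header value (the struct is zeroed here so the outcome is observable). */
int vulnerable_leaves_handler_null(const char *upgrade_hdr) {
    request r = { upgrade_hdr, NULL };
    (void)handshake_vulnerable(&r);
    return r.handler == NULL;
}

/* Runs a request through the hardened handshake and dispatches; returns the
 * HTTP status the handler produced (101 on a valid handshake, 400 otherwise). */
int serve_hardened(const char *upgrade_hdr) {
    request r = { upgrade_hdr, NULL };
    (void)handshake_hardened(&r);
    return r.handler(&r);                 /* never NULL on any path */
}
```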

Comment 2 Thomas Andrews 2022-10-13 01:55:36 CEST
Tested in a mga8-64 Plasma VirtualBox guest.

Installed current versions of the above packages, then...

# systemctl start lighttpd
# systemctl status lighttpd
● lighttpd.service - Lightning Fast Webserver With Light System Requirements
     Loaded: loaded (/usr/lib/systemd/system/lighttpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2022-10-12 19:34:09 EDT; 18s ago
    Process: 11176 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
   Main PID: 11177 (lighttpd-angel)
      Tasks: 2 (limit: 4695)
     Memory: 924.0K
        CPU: 18ms
     CGroup: /system.slice/lighttpd.service
             ├─11177 /usr/sbin/lighttpd-angel -D -f /etc/lighttpd/lighttpd.conf
             └─11178 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Oct 12 19:34:09 localhost systemd[1]: Starting Lightning Fast Webserver With Light System Requirements...
Oct 12 19:34:09 localhost lighttpd[11176]: Syntax OK
Oct 12 19:34:09 localhost systemd[1]: Started Lightning Fast Webserver With Light System Requirements.
Oct 12 19:34:09 localhost lighttpd-angel[11178]: 2022-10-12 19:34:09: network.c.221) warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty ad>

Stopped lighttpd service. Used qarepo to download and update the above packages, with no installation issues, then...

# systemctl start lighttpd
# systemctl status lighttpd
● lighttpd.service - Lightning Fast Webserver With Light System Requirements
     Loaded: loaded (/usr/lib/systemd/system/lighttpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2022-10-12 19:43:45 EDT; 34s ago
    Process: 23209 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
   Main PID: 23210 (lighttpd-angel)
      Tasks: 2 (limit: 4695)
     Memory: 912.0K
        CPU: 19ms
     CGroup: /system.slice/lighttpd.service
             ├─23210 /usr/sbin/lighttpd-angel -D -f /etc/lighttpd/lighttpd.conf
             └─23211 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Oct 12 19:43:45 localhost systemd[1]: Starting Lightning Fast Webserver With Light System Requirements...
Oct 12 19:43:45 localhost lighttpd[23209]: Syntax OK
Oct 12 19:43:45 localhost systemd[1]: Started Lightning Fast Webserver With Light System Requirements.
Oct 12 19:43:45 localhost lighttpd-angel[23211]: 2022-10-12 19:43:45: network.c.221) warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty ad>

No differences that I see, other than timestamps. Looks OK to me.

Validating. Advisory in Comment 1.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-10-13 21:00:02 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 3 Mageia Robot 2022-10-13 22:06:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0369.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED