| Summary: | Updated lighttpd package to fix CVE-2011-4362: out-of-bounds read due to signedness error | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Funda Wang <fundawang> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, derekjenn, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt | ||
| Whiteboard: | |||
| Source RPM: | lighttpd-1.4.28-6.1.mga1 | CVE: | |
| Status comment: | |||
|
Description
Funda Wang
2011-12-01 07:41:57 CET
Testing completed on x86_64
Installed lighttpd-1.4.28-6.1.mga1
Enabled mod_auth and configured static web site with htdigest authentication.
Still need testing on i586

CC: (none) => derekjenn

(In reply to comment #1)
> Testing completed on x86_64
> Installed lighttpd-1.4.28-6.1.mga1
> Enabled mod_auth and configured static web site with htdigest authentication.

That's the core release version. http://twiska.zarb.org/mageia/distrib/1/i586/media/core/updates_testing/ does not contain lighttpd. Funda, can you check the build system to see why its packages are not showing up on the mirrors?

I'm currently looking at http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2806/diff to figure out how to trigger the error.

CC: (none) => davidwhodgins

Arrgh. Sorry, please ignore comment 2. Still looking at how to trigger the error, to confirm it's fixed.

From what I have read, to trigger the error you have to enter a password of up to 256 characters containing codes above 0x7f to cause a segfault. Not easy to do with a keyboard. From the redmine link, it looked like something like
wget http://127.0.0.1//server-status --header "Authorization: Basic \x80mFuOmphb"
would trigger the bug, but it doesn't seem to.

Without a working poc, all we can test is that the package still works, which it does.

The one nitpick I have is that the default configuration has var.server_root = "/srv/www" instead of var.server_root = "/var/www". That is not a regression, so the update can be validated. Funda, do you want to fix the /etc/lighttpd/lighttpd.conf or should I go ahead and validate this update?

var.server_root = "/srv/www" is for operating in a chroot environment. It does not have any effect in normal operation. For me lighttpd works perfectly well with var.server_root left at its default value.

var.server_root = "/srv/www" fixed => http://svnweb.mageia.org/packages?view=revision&revision=175038

I am not convinced that var.server_root needs to be changed. The document root is server.document-root = "/var/www/html". The lighttpd configuration guide does not mention var.server_root, and nor does the list of configuration options.
http://redmine.lighttpd.net/wiki/lighttpd/TutorialConfiguration
http://redmine.lighttpd.net/wiki/lighttpd/Docs:ConfigurationOptions

Ok. Validating the update. Could someone from the sysadmin team push the srpm lighttpd-1.4.28-6.2.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory:
A vulnerability has been found in lighttpd (CVE-2011-4362): a signedness error, leading to an out-of-bounds stack-based buffer read, was found in the way lighttpd, a lightning fast webserver with light system requirements, processed certain invalid base64 HTTP authentication tokens. A remote attacker could provide a specially crafted HTTP authentication request, leading to denial of service (lighttpd daemon crash due to a signedness error while processing the token).

Upstream announcement: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt

The updated packages have been patched to fix this issue.

https://bugs.mageia.org/show_bug.cgi?id=3552

Keywords: (none) => validated_update

Update pushed.

Status: NEW => RESOLVED
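The advisory above describes the bug class only in a sentence: a base64 decoder that takes a byte of the Authorization token as a plain (signed) `char` and uses it as an index into a reverse-lookup table, so that a byte at or above 0x80 widens to a negative number and the lookup reads before the start of the table. The following C program is an added example written for this page; it is not lighttpd's code and not the upstream fix, and the function names (`table_index_signed`, `table_index_unsigned`, `b64_decode_safe`) and the sample tokens are the editor's own constructions. It shows the signed index in isolation (using `signed char` explicitly so the result does not depend on the platform's default for `char`) and a decoder that converts every input byte through `unsigned char`, uses a 256-entry table so any byte is a valid index, and rejects tokens containing non-base64 bytes instead of reading out of bounds.

```c
/* Added example (not lighttpd's code): signedness-safe base64 decoding
 * of an HTTP Basic credential token. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

static const char b64_alphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Reverse table with 256 entries: every value of an unsigned byte is a
 * valid index; bytes that are not base64 symbols map to -1. */
static int8_t b64_reverse[256];
static int b64_reverse_ready = 0;

static void b64_init(void) {
    memset(b64_reverse, -1, sizeof b64_reverse);
    for (int i = 0; i < 64; i++)
        b64_reverse[(unsigned char)b64_alphabet[i]] = (int8_t)i;
    b64_reverse_ready = 1;
}

/* The signedness error in isolation: when the byte is held in a signed
 * char, any value >= 0x80 widens to a negative int. Used as a table
 * index, that would read memory before the table. signed char is used
 * explicitly here so the demonstration is the same on every platform. */
int table_index_signed(unsigned char byte) {
    signed char c = (signed char)byte;
    return (int)c;                       /* 0x80 -> -128 */
}

/* Hardened form: go through unsigned char first, index is always 0..255. */
int table_index_unsigned(unsigned char byte) {
    return (int)(unsigned char)byte;     /* 0x80 -> 128 */
}

/* Decode in[0..in_len) into out (capacity out_cap).
 * Returns the number of bytes written, or -1 if the token contains any
 * byte that is not a base64 symbol (non-ASCII bytes included) or if the
 * output would not fit. Decoding stops at the first '=' padding byte. */
int b64_decode_safe(const char *in, size_t in_len,
                    unsigned char *out, size_t out_cap) {
    if (!b64_reverse_ready) b64_init();
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char byte = (unsigned char)in[i];  /* never negative */
        if (byte == '=') break;                     /* padding: end of data */
        int8_t v = b64_reverse[byte];               /* index is 0..255 */
        if (v < 0) return -1;                       /* reject, do not skip */
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    return (int)n;
}

int main(void) {
    unsigned char out[64];
    /* Constructed sample token: base64 of "admin:pass". */
    const char *good = "YWRtaW46cGFzcw==";
    int n = b64_decode_safe(good, strlen(good), out, sizeof out);
    printf("good token -> %d bytes: %.*s\n", n, n, (const char *)out);

    /* Constructed token with a leading 0x80 byte: the signed index would be
     * negative, the hardened decoder simply rejects it. */
    const char bad[] = { (char)0x80, 'Y', 'W', 'R', 't' };
    printf("signed index for 0x80:   %d\n", table_index_signed(0x80));
    printf("unsigned index for 0x80: %d\n", table_index_unsigned(0x80));
    printf("bad token -> %d\n", b64_decode_safe(bad, sizeof bad, out, sizeof out));
    return 0;
}
```

The key design choice is the combination of a full 256-entry reverse table and an `unsigned char` conversion before the lookup: either alone narrows the problem, together they make the out-of-bounds index impossible by construction, and returning an error for any non-symbol byte keeps an invalid Authorization header from being partially accepted.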