Bug 8210

Summary: lighttpd new security issue CVE-2012-5533
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: davidwhodgins, marc.lattemann, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/526649/
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
Source RPM: lighttpd-1.4.30-5.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-11-26 17:00:28 CET 
OpenSuSE has issued an advisory on November 23:
http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html

This was fixed upstream in 1.4.32, so Cauldron is not affected.

Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated lighttpd packages fix security vulnerability:

The http_request_split_value function in request.c in lighttpd before 1.4.32
allows remote attackers to cause a denial of service (infinite loop) via a
request with a header containing an empty token, as demonstrated using the
"Connection: TE,,Keep-Alive" header (CVE-2012-5533).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5533
http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.28-6.3.mga1
lighttpd-mod_auth-1.4.28-6.3.mga1
lighttpd-mod_cml-1.4.28-6.3.mga1
lighttpd-mod_compress-1.4.28-6.3.mga1
lighttpd-mod_mysql_vhost-1.4.28-6.3.mga1
lighttpd-mod_trigger_b4_dl-1.4.28-6.3.mga1
lighttpd-mod_webdav-1.4.28-6.3.mga1
lighttpd-mod_magnet-1.4.28-6.3.mga1
lighttpd-1.4.30-5.1.mga2
lighttpd-mod_auth-1.4.30-5.1.mga2
lighttpd-mod_cml-1.4.30-5.1.mga2
lighttpd-mod_compress-1.4.30-5.1.mga2
lighttpd-mod_mysql_vhost-1.4.30-5.1.mga2
lighttpd-mod_trigger_b4_dl-1.4.30-5.1.mga2
lighttpd-mod_webdav-1.4.30-5.1.mga2
lighttpd-mod_magnet-1.4.30-5.1.mga2

from SRPMS:
lighttpd-1.4.28-6.3.mga1.src.rpm
lighttpd-1.4.30-5.1.mga2.src.rpm
David Walser 2012-11-26 17:00:39 CET

Whiteboard: (none) => MGA1TOO

Comment 1 Marc Lattemann 2012-11-26 21:22:57 CET 
possible PoC: http://www.exploit-db.com/exploits/22902/

But I cannot see any effect on old version of lighttpd in mga2

CC: (none) => marc.lattemann

Comment 2 Dave Hodgins 2012-11-27 04:15:14 CET 
No impact with the old version in Mageia 1 i586 either.

I'll just test that the updated version works.

CC: (none) => davidwhodgins

Comment 3 Dave Hodgins 2012-11-27 04:19:06 CET 
When starting the server, with either the old or new version, the following
message is displayed ...
Starting lighttpd: 2012-11-26 22:17:21: (network.c.239) warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes

Any idea what that's supposed to mean?  Just curious.
Comment 4 Dave Hodgins 2012-11-27 04:24:37 CET 
Testing complete on Mageia 2 i586, x86-64, Mageia 1 i586, and x86-64.

The message in comment 3 is only displayed in Mageia 1, so not much
point checking into it.

Could someone from the sysadmin team push the srpm
lighttpd-1.4.30-5.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
lighttpd-1.4.28-6.3.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated lighttpd packages fix security vulnerability:

The http_request_split_value function in request.c in lighttpd before 1.4.32
allows remote attackers to cause a denial of service (infinite loop) via a
request with a header containing an empty token, as demonstrated using the
"Connection: TE,,Keep-Alive" header (CVE-2012-5533).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5533
http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html

https://bugs.mageia.org/show_bug.cgi?id=8210

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK

Comment 5 Thomas Backlund 2012-11-29 22:20:20 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 6 David Walser 2013-09-04 03:12:29 CEST 
Apparently the PoC didn't work because the flaw was introduced in 1.4.31 (strange that the patch applied anyway).  Oops.

https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115116.html