Upstream has issued three advisories for issues that will be fixed in lighttpd 1.4.34 (not yet released). The latter two advisories just had CVEs allocated today (the upstream advisories have not yet been updated to reflect that). The first advisory appears to be from November 5, the latter two from today (November 12).

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
http://openwall.com/lists/oss-security/2013/11/12/4

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated lighttpd packages fix security vulnerabilities:

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network (CVE-2013-4508).

In lighttpd before 1.4.34, if setuid() fails for any reason, for instance if an environment limits the number of processes a user can have and the target uid already is at the limit, lighttpd will run as root. A user who can run CGI scripts could clone() often; in this case a lighttpd restart would end up with lighttpd running as root, and the CGI scripts would run as root too (CVE-2013-4559).

In lighttpd before 1.4.34, if "fam" is enabled and there are directories reachable from configured doc roots and aliases on which FAMMonitorDirectory fails, a remote client could trigger a DoS (CVE-2013-4560).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4560
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
http://openwall.com/lists/oss-security/2013/11/12/4
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.30-5.2.mga2
lighttpd-mod_auth-1.4.30-5.2.mga2
lighttpd-mod_cml-1.4.30-5.2.mga2
lighttpd-mod_compress-1.4.30-5.2.mga2
lighttpd-mod_mysql_vhost-1.4.30-5.2.mga2
lighttpd-mod_trigger_b4_dl-1.4.30-5.2.mga2
lighttpd-mod_webdav-1.4.30-5.2.mga2
lighttpd-mod_magnet-1.4.30-5.2.mga2
lighttpd-1.4.32-3.5.mga3
lighttpd-mod_auth-1.4.32-3.5.mga3
lighttpd-mod_cml-1.4.32-3.5.mga3
lighttpd-mod_compress-1.4.32-3.5.mga3
lighttpd-mod_mysql_vhost-1.4.32-3.5.mga3
lighttpd-mod_trigger_b4_dl-1.4.32-3.5.mga3
lighttpd-mod_webdav-1.4.32-3.5.mga3
lighttpd-mod_magnet-1.4.32-3.5.mga3

from SRPMS:
lighttpd-1.4.30-5.2.mga2.src.rpm
lighttpd-1.4.32-3.5.mga3.src.rpm
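The CVE-2013-4559 text above describes a daemon that ignores a failed setuid() and keeps serving as root. The following is an added illustration of the defensive pattern the fix relies on, written for this page and not lighttpd's own code: every privilege-dropping call is checked, the result is confirmed via getuid()/geteuid(), and any failure is treated as fatal. The uid/gid 65534 ("nobody" on many systems) and the function names are assumptions for the example.

```c
#define _DEFAULT_SOURCE   /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* 1 when the process holds exactly the requested real and effective
 * uid/gid, 0 otherwise. Used to confirm that the drop took effect. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Drop from root to uid/gid; 0 on success, -1 on any failure. The caller
 * must treat -1 as fatal: the advisory's bug was carrying on (and spawning
 * CGI children) after setuid() had failed, so everything stayed root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Groups and gid first, while still privileged enough to change them. */
    if (setgroups(0, NULL) == -1) {
        fprintf(stderr, "setgroups: %s\n", strerror(errno));
        return -1;
    }
    if (setgid(gid) == -1) {
        fprintf(stderr, "setgid(%u): %s\n", (unsigned)gid, strerror(errno));
        return -1;
    }
    /* For a uid-0 caller this sets real, effective and saved uid, so root is
     * gone for good. EAGAIN here is the advisory's RLIMIT_NPROC case. */
    if (setuid(uid) == -1) {
        fprintf(stderr, "setuid(%u): %s\n", (unsigned)uid, strerror(errno));
        return -1;
    }
    /* Do not trust return values alone; ask the kernel who we are now. */
    if (!privileges_dropped(uid, gid)) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    /* 65534 is "nobody" on many systems; assumed here for illustration. */
    if (drop_privileges(65534, 65534) == -1)
        return 1;   /* exit instead of serving as root */
    return 0;
}
```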
Whiteboard: (none) => MGA2TOO
Debian has issued an advisory for this today: http://lists.debian.org/debian-security-announce/2013/msg00207.html
URL: (none) => http://lwn.net/Vulnerabilities/573677/
Debian has issued an updated advisory for this on November 16:
http://lists.debian.org/debian-security-announce/2013/msg00210.html

They included an additional patch to fix a regression in the CVE-2013-4508 fix.

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated lighttpd packages fix security vulnerabilities:

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network (CVE-2013-4508).

In lighttpd before 1.4.34, if setuid() fails for any reason, for instance if an environment limits the number of processes a user can have and the target uid already is at the limit, lighttpd will run as root. A user who can run CGI scripts could clone() often; in this case a lighttpd restart would end up with lighttpd running as root, and the CGI scripts would run as root too (CVE-2013-4559).

In lighttpd before 1.4.34, if "fam" is enabled and there are directories reachable from configured doc roots and aliases on which FAMMonitorDirectory fails, a remote client could trigger a DoS (CVE-2013-4560).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4560
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
http://www.debian.org/security/2013/dsa-2795
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.30-5.3.mga2
lighttpd-mod_auth-1.4.30-5.3.mga2
lighttpd-mod_cml-1.4.30-5.3.mga2
lighttpd-mod_compress-1.4.30-5.3.mga2
lighttpd-mod_mysql_vhost-1.4.30-5.3.mga2
lighttpd-mod_trigger_b4_dl-1.4.30-5.3.mga2
lighttpd-mod_webdav-1.4.30-5.3.mga2
lighttpd-mod_magnet-1.4.30-5.3.mga2
lighttpd-1.4.32-3.6.mga3
lighttpd-mod_auth-1.4.32-3.6.mga3
lighttpd-mod_cml-1.4.32-3.6.mga3
lighttpd-mod_compress-1.4.32-3.6.mga3
lighttpd-mod_mysql_vhost-1.4.32-3.6.mga3
lighttpd-mod_trigger_b4_dl-1.4.32-3.6.mga3
lighttpd-mod_webdav-1.4.32-3.6.mga3
lighttpd-mod_magnet-1.4.32-3.6.mga3

from SRPMS:
lighttpd-1.4.30-5.3.mga2.src.rpm
lighttpd-1.4.32-3.6.mga3.src.rpm
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10447#c17

You can most likely ignore the part about deleting the pid and settings; that was due to a bug being fixed in the update. It essentially boils down to stopping apache, then starting lighttpd and browsing to http://localhost
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Advisory from comment 2 uploaded. Please remove 'advisory' tag from whiteboard if anything changes.
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure advisory
Testing complete on Mageia 3 64 bit. Following procedure linked in comment 3, I could confirm that lighttpd in core/updates_testing works. I did not try to reproduce the vulnerabilities in the core/updates package.
CC: (none) => remi
Whiteboard: MGA2TOO has_procedure advisory => MGA2TOO MGA3-64-OK has_procedure advisory
Testing complete on Mageia 3 32 bit.
Whiteboard: MGA2TOO MGA3-64-OK has_procedure advisory => MGA2TOO MGA3-32-OK MGA3-64-OK has_procedure advisory
Testing complete on mga2 32 & 64.

Thought there was an issue on 32-bit, as the service failed to start with:

(network.c.216) socket failed: Address family not supported by protocol

This is due to having ipv6 disabled on this computer (no idea why) and can be fixed by setting 'server.use-ipv6 = "disable"' in /etc/lighttpd/lighttpd.conf

Validating. Could sysadmin please push from 2&3 core/updates_testing to updates. Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA3-32-OK MGA3-64-OK has_procedure advisory => MGA2TOO MGA3-32-OK MGA3-64-OK has_procedure advisory mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0334.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED