Bug 11662 - lighttpd new security issues CVE-2013-4508, CVE-2013-4559, and CVE-2013-4560
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/573677/
Whiteboard: MGA2TOO MGA3-32-OK MGA3-64-OK has_pro...
Keywords: validated_update
Reported: 2013-11-12 23:59 CET by David Walser
Modified: 2013-11-20 22:00 CET (History)
Source RPM: lighttpd-1.4.32-3.4.mga3.src.rpm

Description David Walser 2013-11-12 23:59:36 CET
Upstream has issued three advisories for issues that will be fixed in lighttpd 1.4.34 (not yet released).  The latter two advisories just had CVEs allocated today (upstream advisories not yet updated to reflect that as of now).  The first advisory appears to be from November 5, the latter two from today (November 12).

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
http://openwall.com/lists/oss-security/2013/11/12/4

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated lighttpd packages fix security vulnerabilities:

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which
makes it easier for remote attackers to hijack sessions by inserting packets
into the client-server data stream or obtain sensitive information by sniffing
the network (CVE-2013-4508).

In lighttpd before 1.4.34, if setuid() fails for any reason, for instance if an
environment limits the number of processes a user can have and the target uid
already is at the limit, lighttpd will run as root. A user who can run CGI
scripts could clone() often; in this case a lighttpd restart would end up with
lighttpd running as root, and the CGI scripts would run as root too
(CVE-2013-4559).

In lighttpd before 1.4.34, if "fam" is enabled and there are directories
reachable from configured doc roots and aliases on which FAMMonitorDirectory
fails, a remote client could trigger a DoS (CVE-2013-4560).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4560
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
http://openwall.com/lists/oss-security/2013/11/12/4
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.30-5.2.mga2
lighttpd-mod_auth-1.4.30-5.2.mga2
lighttpd-mod_cml-1.4.30-5.2.mga2
lighttpd-mod_compress-1.4.30-5.2.mga2
lighttpd-mod_mysql_vhost-1.4.30-5.2.mga2
lighttpd-mod_trigger_b4_dl-1.4.30-5.2.mga2
lighttpd-mod_webdav-1.4.30-5.2.mga2
lighttpd-mod_magnet-1.4.30-5.2.mga2
lighttpd-1.4.32-3.5.mga3
lighttpd-mod_auth-1.4.32-3.5.mga3
lighttpd-mod_cml-1.4.32-3.5.mga3
lighttpd-mod_compress-1.4.32-3.5.mga3
lighttpd-mod_mysql_vhost-1.4.32-3.5.mga3
lighttpd-mod_trigger_b4_dl-1.4.32-3.5.mga3
lighttpd-mod_webdav-1.4.32-3.5.mga3
lighttpd-mod_magnet-1.4.32-3.5.mga3

from SRPMS:
lighttpd-1.4.30-5.2.mga2.src.rpm
lighttpd-1.4.32-3.5.mga3.src.rpm

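The CVE-2013-4559 paragraph in the advisory above describes a privilege-dropping failure mode: when setuid() fails (for example with EAGAIN because the target uid is already at its process limit) and the return value is not checked, the daemon silently keeps running as root. The following C program, added here as an illustration and not code from lighttpd or from the Mageia packages, contrasts the unchecked pattern with a checked drop_privileges() that refuses to continue unless the uid and gid switch verifiably took effect and root cannot be regained. Function names, the use of the calling process's own uid/gid in main(), and the check ordering are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Illustrative only: the unchecked pattern that CVE-2013-4559 describes.
 * If setuid() fails (e.g. EAGAIN because uid is already at RLIMIT_NPROC),
 * execution continues with the original effective uid, which for a daemon
 * started by root is 0. Returns the effective uid actually in force. */
uid_t drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    setgid(gid);   /* return value ignored */
    setuid(uid);   /* return value ignored: failure is invisible */
    return geteuid();
}

/* Checked variant: every step is verified; returns 0 on success, -1 with
 * errno set on any failure so the caller can abort instead of serving
 * requests as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared by a privileged process. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;   /* EAGAIN or EPERM: never fall through as root */

    /* Confirm that real and effective ids both switched. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* After a real drop to a non-root uid, regaining root must fail.
     * (Skipped when the target uid is itself 0, where it is meaningless.) */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed demonstration: drop to the ids we already hold, which is
     * permitted for an unprivileged process, so the program runs anywhere. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges failed: %s; refusing to run\n",
                strerror(errno));
        return 1;
    }
    printf("running as uid %u gid %u after checked drop\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

In a daemon the caller treats a non-zero return from drop_privileges() as fatal before any listening socket is served; the unchecked variant is kept only to show the contrast and should not be used.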
Comment 1 David Walser 2013-11-13 18:50:23 CET
Debian has issued an advisory for this today:
http://lists.debian.org/debian-security-announce/2013/msg00207.html
Comment 2 David Walser 2013-11-18 21:31:07 CET
Debian has issued an updated advisory for this on November 16:
http://lists.debian.org/debian-security-announce/2013/msg00210.html

They included an additional patch to fix a regression in the CVE-2013-4508 fix.

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated lighttpd packages fix security vulnerabilities:

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which
makes it easier for remote attackers to hijack sessions by inserting packets
into the client-server data stream or obtain sensitive information by sniffing
the network (CVE-2013-4508).

In lighttpd before 1.4.34, if setuid() fails for any reason, for instance if an
environment limits the number of processes a user can have and the target uid
already is at the limit, lighttpd will run as root. A user who can run CGI
scripts could clone() often; in this case a lighttpd restart would end up with
lighttpd running as root, and the CGI scripts would run as root too
(CVE-2013-4559).

In lighttpd before 1.4.34, if "fam" is enabled and there are directories
reachable from configured doc roots and aliases on which FAMMonitorDirectory
fails, a remote client could trigger a DoS (CVE-2013-4560).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4560
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
http://www.debian.org/security/2013/dsa-2795
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.30-5.3.mga2
lighttpd-mod_auth-1.4.30-5.3.mga2
lighttpd-mod_cml-1.4.30-5.3.mga2
lighttpd-mod_compress-1.4.30-5.3.mga2
lighttpd-mod_mysql_vhost-1.4.30-5.3.mga2
lighttpd-mod_trigger_b4_dl-1.4.30-5.3.mga2
lighttpd-mod_webdav-1.4.30-5.3.mga2
lighttpd-mod_magnet-1.4.30-5.3.mga2
lighttpd-1.4.32-3.6.mga3
lighttpd-mod_auth-1.4.32-3.6.mga3
lighttpd-mod_cml-1.4.32-3.6.mga3
lighttpd-mod_compress-1.4.32-3.6.mga3
lighttpd-mod_mysql_vhost-1.4.32-3.6.mga3
lighttpd-mod_trigger_b4_dl-1.4.32-3.6.mga3
lighttpd-mod_webdav-1.4.32-3.6.mga3
lighttpd-mod_magnet-1.4.32-3.6.mga3

from SRPMS:
lighttpd-1.4.30-5.3.mga2.src.rpm
lighttpd-1.4.32-3.6.mga3.src.rpm
Comment 3 claire robinson 2013-11-19 10:42:42 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10447#c17

You can most likely ignore the part about deleting the pid and settings, that was due to a bug being fixed in the update.

It essentially boils down to stopping apache then starting lighttpd and browsing to http://localhost
Comment 4 claire robinson 2013-11-19 11:54:04 CET
Advisory from comment 2 uploaded. Please remove 'advisory' tag from whiteboard if anything changes.
Comment 5 Rémi Verschelde 2013-11-19 16:08:20 CET
Testing complete on Mageia 3 64 bit.

Following the procedure linked in comment 3, I could confirm that lighttpd in core/updates_testing works. I did not try to reproduce the vulnerabilities in the core/updates package.
Comment 6 Rémi Verschelde 2013-11-19 17:06:38 CET
Testing complete on Mageia 3 32 bit.
Comment 7 claire robinson 2013-11-19 17:54:08 CET
Testing complete on mga2 32 & 64

Thought there was an issue on 32-bit as the service failed to start with

(network.c.216) socket failed: Address family not supported by protocol

This is due to having ipv6 disabled on this computer (no idea why) and can be fixed by setting 'server.use-ipv6 = "disable"' in /etc/lighttpd/lighttpd.conf


Validating

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 8 Thomas Backlund 2013-11-20 22:00:40 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0334.html
