Bug 13003 - lighttpd new security issues CVE-2014-2323 and CVE-2014-2324
Summary: lighttpd new security issues CVE-2014-2323 and CVE-2014-2324
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/590544/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-03-12 16:59 CET by David Walser
Modified: 2014-03-19 18:43 CET
CC: 4 users

See Also:
Source RPM: lighttpd-1.4.33-4.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-03-12 16:59:10 CET
Upstream has issued an advisory today (March 12):
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt

The issues have been assigned CVEs:
http://openwall.com/lists/oss-security/2014/03/12/12

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated lighttpd packages fix security vulnerabilities:

SQL injection vulnerability in lighttpd before 1.4.35 when mod_mysql_vhost is
in use, due to insufficient validation of hostnames in HTTP requests
(CVE-2014-2323).

Possible path traversal vulnerabilities in lighttpd before 1.4.35 when either
mod_evhost or mod_simple_vhost are in use, due to insufficient validation of
hostnames in HTTP requests (CVE-2014-2324).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2323
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2324
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
http://openwall.com/lists/oss-security/2014/03/12/12
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.32-3.7.mga3
lighttpd-mod_auth-1.4.32-3.7.mga3
lighttpd-mod_cml-1.4.32-3.7.mga3
lighttpd-mod_compress-1.4.32-3.7.mga3
lighttpd-mod_mysql_vhost-1.4.32-3.7.mga3
lighttpd-mod_trigger_b4_dl-1.4.32-3.7.mga3
lighttpd-mod_webdav-1.4.32-3.7.mga3
lighttpd-mod_magnet-1.4.32-3.7.mga3
lighttpd-1.4.33-4.1.mga4
lighttpd-mod_auth-1.4.33-4.1.mga4
lighttpd-mod_cml-1.4.33-4.1.mga4
lighttpd-mod_compress-1.4.33-4.1.mga4
lighttpd-mod_mysql_vhost-1.4.33-4.1.mga4
lighttpd-mod_trigger_b4_dl-1.4.33-4.1.mga4
lighttpd-mod_webdav-1.4.33-4.1.mga4
lighttpd-mod_magnet-1.4.33-4.1.mga4
lighttpd-mod_geoip-1.4.33-4.1.mga4

from SRPMS:
lighttpd-1.4.32-3.7.mga3.src.rpm
lighttpd-1.4.33-4.1.mga4.src.rpm

David Walser 2014-03-12 16:59:19 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-03-12 22:05:42 CET
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=11662#c3

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 David Walser 2014-03-13 16:30:56 CET
Debian has issued an advisory for this on March 12:
http://www.debian.org/security/2014/dsa-2877
David Walser 2014-03-13 16:44:15 CET

URL: (none) => http://lwn.net/Vulnerabilities/590544/

David Walser 2014-03-13 21:49:14 CET

Severity: normal => major

Comment 3 William Kenney 2014-03-18 16:39:44 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
lighttpd

default install of lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.32-3.6.mga3.i586 is already installed

Stop Apache ( httpd ), Start lighttpd
http://localhost/ works using index.html at /usr/www/index.html

install lighttpd from updates_testing

Restart lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.32-3.7.mga3.i586 is already installed

http://localhost/ works using index.html at /usr/www/index.html

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK

Comment 4 William Kenney 2014-03-18 16:51:03 CET
(In reply to William Kenney from comment #3)

Sorry 
http://localhost/ works using index.html at /usr/www/index.html
should be:
http://localhost/ works using index.html at /var/www/html/index.html
Comment 5 William Kenney 2014-03-18 16:58:40 CET
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
lighttpd

default install of lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.32-3.6.mga3.x86_64 is already installed

Stop Apache ( httpd ), Start lighttpd
http://localhost/ works using index.html at /var/www/html/index.html

install lighttpd from updates_testing

Restart lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.32-3.7.mga3.x86_64 is already installed

http://localhost/ works using index.html at /var/www/html/index.html

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

Whiteboard: MGA3TOO has_procedure MGA3-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK

Comment 6 William Kenney 2014-03-18 17:32:08 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
lighttpd

default install of lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.33-4.mga4.i586 is already installed

Stop Apache ( httpd ), Start lighttpd
http://localhost/ works using index.html at /var/www/html/index.html

install lighttpd from updates_testing

Restart lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.33-4.1.mga4.i586 is already installed

http://localhost/ works using index.html at /var/www/html/index.html

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK

Comment 7 William Kenney 2014-03-18 17:46:55 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
lighttpd

default install of lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.33-4.mga4.x86_64 is already installed

Stop Apache ( httpd ), Start lighttpd
http://localhost/ works using index.html at /var/www/html/index.html

install lighttpd from updates_testing

Restart lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.33-4.1.mga4.x86_64 is already installed

http://localhost/ works using index.html at /var/www/html/index.html

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 8 William Kenney 2014-03-18 17:48:33 CET
For me this update works fine using testing procedure at:
https://bugs.mageia.org/show_bug.cgi?id=11662#c3
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Dave Hodgins 2014-03-18 21:54:14 CET
Advisory added to svn.

Someone from the sysadmin team please push 13003.adv to updates.

CC: (none) => davidwhodgins
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory

Comment 10 Thomas Backlund 2014-03-19 18:43:47 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0133.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

