Upstream has issued an advisory today (March 12): http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt

The issues have been assigned CVEs: http://openwall.com/lists/oss-security/2014/03/12/12

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated lighttpd packages fix security vulnerabilities:

SQL injection vulnerability in lighttpd before 1.4.35 when mod_mysql_vhost is in use, due to insufficient validation of hostnames in HTTP requests (CVE-2014-2323).

Possible path traversal vulnerabilities in lighttpd before 1.4.35 when either mod_evhost or mod_simple_vhost are in use, due to insufficient validation of hostnames in HTTP requests (CVE-2014-2324).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2323
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2324
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
http://openwall.com/lists/oss-security/2014/03/12/12
========================

Updated packages in core/updates_testing:
========================

lighttpd-1.4.32-3.7.mga3
lighttpd-mod_auth-1.4.32-3.7.mga3
lighttpd-mod_cml-1.4.32-3.7.mga3
lighttpd-mod_compress-1.4.32-3.7.mga3
lighttpd-mod_mysql_vhost-1.4.32-3.7.mga3
lighttpd-mod_trigger_b4_dl-1.4.32-3.7.mga3
lighttpd-mod_webdav-1.4.32-3.7.mga3
lighttpd-mod_magnet-1.4.32-3.7.mga3

lighttpd-1.4.33-4.1.mga4
lighttpd-mod_auth-1.4.33-4.1.mga4
lighttpd-mod_cml-1.4.33-4.1.mga4
lighttpd-mod_compress-1.4.33-4.1.mga4
lighttpd-mod_mysql_vhost-1.4.33-4.1.mga4
lighttpd-mod_trigger_b4_dl-1.4.33-4.1.mga4
lighttpd-mod_webdav-1.4.33-4.1.mga4
lighttpd-mod_magnet-1.4.33-4.1.mga4
lighttpd-mod_geoip-1.4.33-4.1.mga4

from SRPMS:
lighttpd-1.4.32-3.7.mga3.src.rpm
lighttpd-1.4.33-4.1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
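As an added example (not lighttpd's code and not Mageia's patch), a constructed Python sketch of the two checks the advisory implies: validate the request's Host value as a hostname before it is used as a path component (the mod_simple_vhost/mod_evhost shape behind CVE-2014-2324) or as a SQL lookup key (the mod_mysql_vhost shape behind CVE-2014-2323). Function names, the base directory and the table layout are assumptions.

```python
import posixpath
import re
import sqlite3
from typing import Optional

# Constructed example, not lighttpd's code. A vhost module that keys a
# filesystem path or a SQL lookup on the Host header must validate that
# header first; both lookups below go through normalize_host().

# RFC 1123 label: alphanumerics with interior hyphens, 1 to 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?(?::[0-9]{{1,5}})?$")

def normalize_host(raw: str) -> Optional[str]:
    """Lowercase hostname without port, or None if the header is not a
    syntactically valid hostname (rejects '/', '..', quotes, spaces)."""
    if not raw or len(raw) > 255 or not _HOST_RE.match(raw):
        return None
    host = raw.rsplit(":", 1)[0] if ":" in raw else raw
    return host.rstrip(".").lower()

def simple_vhost_docroot(raw_host: str, base: str = "/srv/www") -> Optional[str]:
    """mod_simple_vhost shape: docroot = base/<host>/htdocs. The hostname
    check already excludes traversal; the normpath check is defence in depth."""
    host = normalize_host(raw_host)
    if host is None:
        return None
    docroot = posixpath.normpath(posixpath.join(base, host, "htdocs"))
    if not docroot.startswith(base.rstrip("/") + "/"):
        return None
    return docroot

def make_vhost_db() -> sqlite3.Connection:
    """In-memory stand-in (constructed data) for the mod_mysql_vhost table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vhosts (host TEXT PRIMARY KEY, docroot TEXT)")
    conn.executemany("INSERT INTO vhosts VALUES (?, ?)", [
        ("example.org", "/srv/www/example.org/htdocs"),
        ("blog.example.org", "/srv/www/blog/htdocs"),
    ])
    return conn

def mysql_vhost_docroot(conn: sqlite3.Connection, raw_host: str) -> Optional[str]:
    """mod_mysql_vhost shape: look the docroot up by hostname. The value is
    bound as a query parameter, never spliced into the SQL text."""
    host = normalize_host(raw_host)
    if host is None:
        return None
    row = conn.execute("SELECT docroot FROM vhosts WHERE host = ?", (host,)).fetchone()
    return row[0] if row else None
```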
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11662#c3
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Debian has issued an advisory for this on March 12: http://www.debian.org/security/2014/dsa-2877
URL: (none) => http://lwn.net/Vulnerabilities/590544/
Severity: normal => major
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: lighttpd

default install of lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.32-3.6.mga3.i586 is already installed

Stop Apache ( httpd ), Start lighttpd
http://localhost/ works using index.html at /usr/www/index.html

install lighttpd from updates_testing
Restart lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.32-3.7.mga3.i586 is already installed

http://localhost/ works using index.html at /usr/www/index.html

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK
(In reply to William Kenney from comment #3)

Sorry

http://localhost/ works using index.html at /usr/www/index.html

should be:

http://localhost/ works using index.html at /var/www/html/index.html
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: lighttpd

default install of lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.32-3.6.mga3.x86_64 is already installed

Stop Apache ( httpd ), Start lighttpd
http://localhost/ works using index.html at /var/www/html/index.html

install lighttpd from updates_testing
Restart lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.32-3.7.mga3.x86_64 is already installed

http://localhost/ works using index.html at /var/www/html/index.html

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO has_procedure MGA3-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: lighttpd

default install of lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.33-4.mga4.i586 is already installed

Stop Apache ( httpd ), Start lighttpd
http://localhost/ works using index.html at /var/www/html/index.html

install lighttpd from updates_testing
Restart lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.33-4.1.mga4.i586 is already installed

http://localhost/ works using index.html at /var/www/html/index.html

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: lighttpd

default install of lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.33-4.mga4.x86_64 is already installed

Stop Apache ( httpd ), Start lighttpd
http://localhost/ works using index.html at /var/www/html/index.html

install lighttpd from updates_testing
Restart lighttpd

[root@localhost wilcal]# urpmi lighttpd
Package lighttpd-1.4.33-4.1.mga4.x86_64 is already installed

http://localhost/ works using index.html at /var/www/html/index.html

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
For me this update works fine using testing procedure at: https://bugs.mageia.org/show_bug.cgi?id=11662#c3

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory added to svn. Someone from the sysadmin team please push 13003.adv to updates.
CC: (none) => davidwhodgins
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
Update pushed: http://advisories.mageia.org/MGASA-2014-0133.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED