Fedora has issued an advisory on July 29: https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163223.html

The issue is fixed upstream in 1.4.36, and in this commit: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2989

Mageia 4 and Mageia 5 are also affected.
Release notes for 1.4.36: http://www.lighttpd.net/2015/7/26/1.4.36/ lighttpd-1.4.36-1.mga6 uploaded for Cauldron. I think we should probably update stable to 1.4.36, since it also disables SSLv3.
Version: Cauldron => 5
Whiteboard: (none) => MGA4TOO
Make that 1.4.37, since it fixes regressions in 1.4.36: http://www.lighttpd.net/2015/8/30/1.4.37/ Just a reminder that there's also Bug 15948 and Bug 15980 to address in an update.
Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated lighttpd packages fix security vulnerability:

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character (CVE-2015-3200).

The lighttpd package has been updated to version 1.4.37, fixing this issue and several other bugs.

In the Mageia 4 package, improvements have been made to the logrotate configuration and systemd service, allowing graceful reloading of configuration files and proper re-opening of log files (mga#15948, mga#15980).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3200
http://www.lighttpd.net/2015/7/26/1.4.36/
http://www.lighttpd.net/2015/8/30/1.4.37/
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163223.html
https://bugs.mageia.org/show_bug.cgi?id=15948
https://bugs.mageia.org/show_bug.cgi?id=15980
https://bugs.mageia.org/show_bug.cgi?id=16555
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.37-1.mga4
lighttpd-mod_auth-1.4.37-1.mga4
lighttpd-mod_cml-1.4.37-1.mga4
lighttpd-mod_compress-1.4.37-1.mga4
lighttpd-mod_mysql_vhost-1.4.37-1.mga4
lighttpd-mod_trigger_b4_dl-1.4.37-1.mga4
lighttpd-mod_webdav-1.4.37-1.mga4
lighttpd-mod_magnet-1.4.37-1.mga4
lighttpd-mod_geoip-1.4.37-1.mga4
lighttpd-1.4.37-1.mga5
lighttpd-mod_auth-1.4.37-1.mga5
lighttpd-mod_cml-1.4.37-1.mga5
lighttpd-mod_compress-1.4.37-1.mga5
lighttpd-mod_mysql_vhost-1.4.37-1.mga5
lighttpd-mod_trigger_b4_dl-1.4.37-1.mga5
lighttpd-mod_webdav-1.4.37-1.mga5
lighttpd-mod_magnet-1.4.37-1.mga5
lighttpd-mod_geoip-1.4.37-1.mga5

from SRPMS:
lighttpd-1.4.37-1.mga4.src.rpm
lighttpd-1.4.37-1.mga5.src.rpm
CC: (none) => luca
Blocks: (none) => 15948, 15980
Assignee: bugsquad => qa-bugs
Severity: normal => major
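As an added illustration, not lighttpd's code and not part of this bug report, the Python sketch below shows the log-injection class the advisory describes: a Basic credential that has no colon and carries a NUL and a newline becomes two records in a line-oriented log when the decoded string is written unchanged, while requiring the colon, refusing control bytes in the user name and escaping before logging keeps one request to one record. The header values, the log message text and all function names are constructed for the example.

```python
"""Added example: Basic-auth log injection (CVE-2015-3200 class) and two defensive checks.
Not lighttpd code; header values, log format and names are constructed for illustration."""
import base64
import binascii

# Bytes that must never reach a line-oriented log unescaped.
CTRL = set(range(0x00, 0x20)) | {0x7F}


def decode_basic(header_value):
    """Decode an 'Basic <base64>' Authorization value into raw credential bytes.
    Returns None when the scheme is not Basic or the token is not valid base64."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        return base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def username_vulnerable(cred):
    """Behaviour the advisory describes: everything before the first colon is the user
    name, and with no colon at all the whole string is used as-is, control bytes included."""
    user, _, _ = cred.partition(b":")
    return user.decode("latin-1")


def username_hardened(cred):
    """Fixed behaviour: require the colon and refuse control bytes in the user name."""
    user, sep, _ = cred.partition(b":")
    if not sep:
        raise ValueError("basic credential has no colon")
    if any(b in CTRL for b in user):
        raise ValueError("control character in user name")
    return user.decode("utf-8", errors="replace")


def escape_for_log(text):
    """Second line of defence: escape control characters so a log consumer sees one record
    even if an unexpected value slips past validation."""
    return "".join("\\x%02x" % ord(c) if ord(c) in CTRL else c for c in text)


def log_record(user):
    # Constructed log message format (not lighttpd's real message text).
    return "auth failed for user: %s" % user


def log_records_vulnerable(header_value):
    """Records a line-oriented log reader would see for one request, pre-fix behaviour."""
    cred = decode_basic(header_value)
    if cred is None:
        return []
    return log_record(username_vulnerable(cred)).split("\n")


def log_records_hardened(header_value):
    """Records for one request with validation and escaping applied before logging."""
    cred = decode_basic(header_value)
    if cred is None:
        return []
    try:
        user = username_hardened(cred)
    except ValueError as exc:
        user = "<rejected: %s>" % exc
    return log_record(escape_for_log(user)).split("\n")


# Constructed sample headers: a normal credential, and one shaped as the advisory
# describes (no colon, containing a NUL byte and a newline).
GOOD_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode()
INJECT_HEADER = "Basic " + base64.b64encode(b"alice\x00\nauth ok for admin").decode()

if __name__ == "__main__":
    for header in (GOOD_HEADER, INJECT_HEADER):
        print("vulnerable:", log_records_vulnerable(header))
        print("hardened:  ", log_records_hardened(header))
```

Run stand-alone, the vulnerable path turns the crafted header into two log records, the second of which reads like a successful authentication; the hardened path rejects the credential at the missing colon and, because the escaping step runs regardless, would still emit a single record even for a value that somehow passed validation. Detection logic for the same class looks for log records whose user field contains control characters or whose record count per request exceeds one.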
Tested on a mga5 x86-64 VBox VM. "systemctl start" worked and I was able to view the page. Then I changed the port in /etc/lighttpd/lighttpd.conf and did a "systemctl reload". It worked as well. Marking as MGA5-64-OK.
CC: (none) => shlomif
Whiteboard: MGA4TOO => MGA4TOO MGA5-64-OK
Marking as MGA5-32-OK after testing fine on a mga5 i586 VBox VM.
Whiteboard: MGA4TOO MGA5-64-OK => MGA4TOO MGA5-64-OK MGA5-32-OK
(In reply to Shlomi Fish from comment #5)
> Marking as MGA5-32-OK after testing fine on a mga5 i586 VBox VM.

MGA4-32-OK.
Whiteboard: MGA4TOO MGA5-64-OK MGA5-32-OK => MGA4TOO MGA5-64-OK MGA5-32-OK MGA4-32-OK
Marking as MGA4-64-OK after testing on a vbox VM.
Whiteboard: MGA4TOO MGA5-64-OK MGA5-32-OK MGA4-32-OK => MGA4TOO MGA5-64-OK MGA5-32-OK MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to 4 & 5 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA5-64-OK MGA5-32-OK MGA4-32-OK MGA4-64-OK => MGA4TOO advisory MGA5-64-OK MGA5-32-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0338.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
I had a problem with this update: since the lighttpd main package was installed before its modules, it failed to restart automatically:

Sep 9 09:52:36 mail systemd[1]: Stopping Lightning Fast Webserver With Light System Requirements...
Sep 9 09:52:36 mail lighttpd-angel[27604]: lighttpd-angel.c.139: child (pid=27608) exited normally with exitcode: 0
Sep 9 09:52:36 mail systemd[1]: Starting Lightning Fast Webserver With Light System Requirements...
Sep 9 09:52:37 mail lighttpd[22303]: Syntax OK
Sep 9 09:52:37 mail systemd[1]: Started Lightning Fast Webserver With Light System Requirements.
Sep 9 09:52:37 mail perl: [RPM] lib64xml2_2-2.9.1-2.3.mga4.x86_64 installed
Sep 9 09:52:37 mail lighttpd-angel[22306]: 2015-09-09 09:52:37: (plugin.c.223) dlopen() failed for: /usr/lib64/lighttpd/mod_auth.so /usr/lib64/lighttpd/mod_auth.so: undefined symbol: LI_ltostr
Sep 9 09:52:37 mail lighttpd-angel[22306]: 2015-09-09 09:52:37: (server.c.679) loading plugins finally failed
Sep 9 09:52:37 mail lighttpd-angel[22306]: lighttpd-angel.c.139: child (pid=22307) exited normally with exitcode: 255
Sep 9 09:52:37 mail perl: [RPM] lib64pcre16_0-8.37-1.mga4.x86_64 installed
Sep 9 09:52:37 mail perl: [RPM] lib64pcre32_0-8.37-1.mga4.x86_64 installed
Sep 9 09:52:37 mail perl: [RPM] lib64pcre-devel-8.37-1.mga4.x86_64 installed
Sep 9 09:52:38 mail perl: [RPM] lib64xml2-devel-2.9.1-2.3.mga4.x86_64 installed
Sep 9 09:52:38 mail perl: [RPM] bind-utils-9.9.7.P3-1.mga4.x86_64 installed
Sep 9 09:52:38 mail perl: [RPM] lighttpd-mod_auth-1.4.37-1.mga4.x86_64 installed
Sep 9 09:52:38 mail perl: [RPM] lighttpd-mod_magnet-1.4.37-1.mga4.x86_64 installed
Sep 9 09:52:38 mail perl: [RPM] lib64pcre-devel-8.33-2.1.mga4.x86_64 removed
Sep 9 09:52:38 mail perl: [RPM] lighttpd-mod_magnet-1.4.33-4.1.mga4.x86_64 removed
Sep 9 09:52:38 mail perl: [RPM] bind-utils-9.9.7.P2-1.mga4.x86_64 removed
Sep 9 09:52:38 mail perl: [RPM] lib64xml2-devel-2.9.1-2.2.mga4.x86_64 removed
Sep 9 09:52:38 mail perl: [RPM] lighttpd-mod_auth-1.4.33-4.1.mga4.x86_64 removed
Sep 9 09:52:38 mail perl: [RPM] lighttpd-1.4.33-4.1.mga4.x86_64 removed

Afterwards I could start it normally. Maybe lighttpd and its modules should be installed in the same transaction.
It sounds likely. Please create a separate bug report for that issue though, Luca. Thanks.
Done, bug #16723