Bug 16555 - lighttpd new security issue CVE-2015-3200
Summary: lighttpd new security issue CVE-2015-3200
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/653876/
Whiteboard: MGA4TOO advisory MGA5-64-OK MGA5-32-O...
Keywords: validated_update
Depends on:
Blocks: 15948 15980
Reported: 2015-08-07 21:42 CEST by David Walser
Modified: 2015-09-09 12:04 CEST
CC List: 3 users

See Also:
Source RPM: lighttpd-1.4.35-5.mga5.src.rpm
CVE:
Status comment:
Description David Walser 2015-08-07 21:42:35 CEST
Fedora has issued an advisory on July 29:
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163223.html

The issue is fixed upstream in 1.4.36, and in this commit:
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2989

Mageia 4 and Mageia 5 are also affected.

Comment 1 David Walser 2015-08-07 21:50:56 CEST
Release notes for 1.4.36:
http://www.lighttpd.net/2015/7/26/1.4.36/

lighttpd-1.4.36-1.mga6 uploaded for Cauldron.

I think we should probably update stable to 1.4.36, since it also disables SSLv3.

Version: Cauldron => 5
Whiteboard: (none) => MGA4TOO

Comment 2 David Walser 2015-09-01 03:01:23 CEST
Make that 1.4.37, since it fixes regressions in 1.4.36:
http://www.lighttpd.net/2015/8/30/1.4.37/

Just a reminder that there's also Bug 15948 and Bug 15980 to address in an update.
Comment 3 David Walser 2015-09-02 17:20:38 CEST
Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated lighttpd packages fix security vulnerability:

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary
log entries via a basic HTTP authentication string without a colon character,
as demonstrated by a string containing a NULL and new line character
(CVE-2015-3200).

The lighttpd package has been updated to version 1.4.37, fixing this issue and
several other bugs.

In the Mageia 4 package, improvements have been made to the logrotate
configuration and systemd service, allowing graceful reloading of
configuration files and proper re-opening of log files (mga#15948, mga#15980).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3200
http://www.lighttpd.net/2015/7/26/1.4.36/
http://www.lighttpd.net/2015/8/30/1.4.37/
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163223.html
https://bugs.mageia.org/show_bug.cgi?id=15948
https://bugs.mageia.org/show_bug.cgi?id=15980
https://bugs.mageia.org/show_bug.cgi?id=16555
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.37-1.mga4
lighttpd-mod_auth-1.4.37-1.mga4
lighttpd-mod_cml-1.4.37-1.mga4
lighttpd-mod_compress-1.4.37-1.mga4
lighttpd-mod_mysql_vhost-1.4.37-1.mga4
lighttpd-mod_trigger_b4_dl-1.4.37-1.mga4
lighttpd-mod_webdav-1.4.37-1.mga4
lighttpd-mod_magnet-1.4.37-1.mga4
lighttpd-mod_geoip-1.4.37-1.mga4
lighttpd-1.4.37-1.mga5
lighttpd-mod_auth-1.4.37-1.mga5
lighttpd-mod_cml-1.4.37-1.mga5
lighttpd-mod_compress-1.4.37-1.mga5
lighttpd-mod_mysql_vhost-1.4.37-1.mga5
lighttpd-mod_trigger_b4_dl-1.4.37-1.mga5
lighttpd-mod_webdav-1.4.37-1.mga5
lighttpd-mod_magnet-1.4.37-1.mga5
lighttpd-mod_geoip-1.4.37-1.mga5

from SRPMS:
lighttpd-1.4.37-1.mga4.src.rpm
lighttpd-1.4.37-1.mga5.src.rpm

CC: (none) => luca
Blocks: (none) => 15948, 15980
Assignee: bugsquad => qa-bugs
Severity: normal => major
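The advisory text above describes the bug class only in one sentence: a Basic credential whose decoded form has no "user:password" colon ends up in the error log, and if the decoded bytes are written verbatim, a newline inside them starts a forged log entry while a NUL cuts the real one short. The following is an added example written for this page; it is not lighttpd's mod_auth code and not the upstream commit, and every function name (`base64_decode`, `has_credential_separator`, `log_line_unsafe`, `log_line_safe`), the log message wording and the crafted credential are constructed for the demonstration. It puts the vulnerable logging pattern beside a length-aware, control-character-escaping one.

```c
/* Added example, not lighttpd's mod_auth code and not the upstream fix:
 * shows how a Basic credential with no "user:password" colon can forge
 * log lines when the decoded bytes are logged verbatim, and one way to
 * neutralise that. Inputs below are constructed for the demonstration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Minimal base64 decoder. Returns the decoded length (which may include
 * embedded NUL bytes, so callers must not rely on a terminator) or -1. */
static int base64_decode(const char *in, unsigned char *out, size_t cap) {
    unsigned int acc = 0;
    int bits = 0;
    size_t o = 0;
    for (const char *p = in; *p && *p != '='; p++) {
        int v = b64val((unsigned char)*p);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= cap) return -1;
            out[o++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    return (int)o;
}

/* Does the decoded credential contain the ':' separator at all? */
int has_credential_separator(const char *b64) {
    unsigned char dec[256];
    int n = base64_decode(b64, dec, sizeof dec);
    return n > 0 && memchr(dec, ':', (size_t)n) != NULL;
}

/* Vulnerable pattern: decoded bytes are formatted into the log entry with
 * %s. A '\n' inside them terminates the entry early (whatever follows reads
 * as a separate, attacker-chosen line) and an embedded NUL truncates it. */
int log_line_unsafe(const char *b64, char *line, size_t cap) {
    unsigned char dec[256];
    int n = base64_decode(b64, dec, sizeof dec - 1);
    if (n < 0) return -1;
    dec[n] = '\0';
    return snprintf(line, cap, "(mod_auth) missing ':' in basic auth: %s",
                    (const char *)dec);
}

/* Hardened pattern: walk the decoded bytes by length and escape anything
 * outside printable ASCII as \xNN, so the entry stays on one line and NUL
 * cannot hide what came after it. */
int log_line_safe(const char *b64, char *line, size_t cap) {
    unsigned char dec[256];
    int n = base64_decode(b64, dec, sizeof dec);
    if (n < 0) return -1;
    int w = snprintf(line, cap, "(mod_auth) missing ':' in basic auth: ");
    if (w < 0 || (size_t)w >= cap) return -1;
    size_t pos = (size_t)w;
    for (int i = 0; i < n; i++) {
        unsigned char c = dec[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (pos + 1 >= cap) return -1;
            line[pos++] = (char)c;
        } else {
            int k = snprintf(line + pos, cap - pos, "\\x%02x", c);
            if (k < 0 || (size_t)k >= cap - pos) return -1;
            pos += (size_t)k;
        }
    }
    line[pos] = '\0';
    return (int)pos;
}

int main(void) {
    /* Constructed credential: base64 of "a\nb\0c", no ':' anywhere. */
    const char *crafted = "YQpiAGM=";
    char buf[512];
    log_line_unsafe(crafted, buf, sizeof buf);
    printf("unsafe: [%s]\n", buf);   /* newline splits it, NUL cuts off "c" */
    log_line_safe(crafted, buf, sizeof buf);
    printf("safe:   [%s]\n", buf);   /* one line: a\x0ab\x00c */
    return 0;
}
```

Build with `cc -Wall -o authlog authlog.c` and run it; the unsafe line shows the forged second line and the missing trailing byte, the safe line keeps everything visible as escapes. The point the advisory's PoC makes (NUL plus newline) is why the sanitiser has to be driven by the decoded length rather than by a C string: escaping newlines alone would still let the NUL hide the remainder of the credential from anyone reading the log.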

Comment 4 Shlomi Fish 2015-09-07 16:35:06 CEST
Tested on a mga5 x86-64 VBox VM. "systemctl start" worked and I was able to view the page. Then I changed the port in /etc/lighttpd/lighttpd.conf and did a "systemctl reload". It worked as well. Marking as MGA5-64-OK.

CC: (none) => shlomif
Whiteboard: MGA4TOO => MGA4TOO MGA5-64-OK

Comment 5 Shlomi Fish 2015-09-07 16:43:02 CEST
Marking as MGA5-32-OK after testing fine on a mga5 i586 VBox VM.

Whiteboard: MGA4TOO MGA5-64-OK => MGA4TOO MGA5-64-OK MGA5-32-OK

Comment 6 Shlomi Fish 2015-09-07 16:48:37 CEST
(In reply to Shlomi Fish from comment #5)
> Marking as MGA5-32-OK after testing fine on a mga5 i586 VBox VM.

MGA4-32-OK .

Whiteboard: MGA4TOO MGA5-64-OK MGA5-32-OK => MGA4TOO MGA5-64-OK MGA5-32-OK MGA4-32-OK

Comment 7 Shlomi Fish 2015-09-07 16:57:17 CEST
Marking as MGA4-64-OK after testing on a vbox VM.

Whiteboard: MGA4TOO MGA5-64-OK MGA5-32-OK MGA4-32-OK => MGA4TOO MGA5-64-OK MGA5-32-OK MGA4-32-OK MGA4-64-OK

Comment 8 claire robinson 2015-09-07 17:13:17 CEST
Validating. Advisory uploaded.

Please push to 4 & 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA5-64-OK MGA5-32-OK MGA4-32-OK MGA4-64-OK => MGA4TOO advisory MGA5-64-OK MGA5-32-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2015-09-08 09:21:43 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0338.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 Luca Olivetti 2015-09-09 10:01:24 CEST
I had a problem with this update: since the lighttpd main package was installed before its modules, it failed to restart automatically.

Sep  9 09:52:36 mail systemd[1]: Stopping Lightning Fast Webserver With Light System Requirements...
Sep  9 09:52:36 mail lighttpd-angel[27604]: lighttpd-angel.c.139: child (pid=27608) exited normally with exitcode: 0
Sep  9 09:52:36 mail systemd[1]: Starting Lightning Fast Webserver With Light System Requirements...
Sep  9 09:52:37 mail lighttpd[22303]: Syntax OK
Sep  9 09:52:37 mail systemd[1]: Started Lightning Fast Webserver With Light System Requirements.
Sep  9 09:52:37 mail perl: [RPM] lib64xml2_2-2.9.1-2.3.mga4.x86_64 installed
Sep  9 09:52:37 mail lighttpd-angel[22306]: 2015-09-09 09:52:37: (plugin.c.223) dlopen() failed for: /usr/lib64/lighttpd/mod_auth.so /usr/lib64/lighttpd/mod_auth.so: undefined symbol: LI_ltostr
Sep  9 09:52:37 mail lighttpd-angel[22306]: 2015-09-09 09:52:37: (server.c.679) loading plugins finally failed
Sep  9 09:52:37 mail lighttpd-angel[22306]: lighttpd-angel.c.139: child (pid=22307) exited normally with exitcode: 255
Sep  9 09:52:37 mail perl: [RPM] lib64pcre16_0-8.37-1.mga4.x86_64 installed
Sep  9 09:52:37 mail perl: [RPM] lib64pcre32_0-8.37-1.mga4.x86_64 installed
Sep  9 09:52:37 mail perl: [RPM] lib64pcre-devel-8.37-1.mga4.x86_64 installed
Sep  9 09:52:38 mail perl: [RPM] lib64xml2-devel-2.9.1-2.3.mga4.x86_64 installed
Sep  9 09:52:38 mail perl: [RPM] bind-utils-9.9.7.P3-1.mga4.x86_64 installed
Sep  9 09:52:38 mail perl: [RPM] lighttpd-mod_auth-1.4.37-1.mga4.x86_64 installed
Sep  9 09:52:38 mail perl: [RPM] lighttpd-mod_magnet-1.4.37-1.mga4.x86_64 installed
Sep  9 09:52:38 mail perl: [RPM] lib64pcre-devel-8.33-2.1.mga4.x86_64 removed
Sep  9 09:52:38 mail perl: [RPM] lighttpd-mod_magnet-1.4.33-4.1.mga4.x86_64 removed
Sep  9 09:52:38 mail perl: [RPM] bind-utils-9.9.7.P2-1.mga4.x86_64 removed
Sep  9 09:52:38 mail perl: [RPM] lib64xml2-devel-2.9.1-2.2.mga4.x86_64 removed
Sep  9 09:52:38 mail perl: [RPM] lighttpd-mod_auth-1.4.33-4.1.mga4.x86_64 removed
Sep  9 09:52:38 mail perl: [RPM] lighttpd-1.4.33-4.1.mga4.x86_64 removed

Afterwards I could start it normally.

Maybe lighttpd and its modules should be installed in the same transaction.
Comment 11 claire robinson 2015-09-09 11:13:27 CEST
It sounds likely. Please create a separate bug report for that issue though Luca.

Thanks
Comment 12 Luca Olivetti 2015-09-09 12:04:57 CEST
Done, bug #16723