Bug 19111 - lighttpd new security issues fixed in 1.4.41
Summary: lighttpd new security issues fixed in 1.4.41
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal    Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/696215/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-07-31 21:04 CEST by David Walser
Modified: 2016-11-25 18:05 CET
CC: 6 users

See Also:
Source RPM: lighttpd-1.4.39-4.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2016-07-31 21:04:40 CEST
Upstream has released version 1.4.41 today (July 31):
http://www.lighttpd.net/2016/7/31/1.4.41/

It has four security fixes, including an "httpoxy" one.

1.4.40 was previously released on July 16:
http://www.lighttpd.net/2016/7/16/1.4.40/

Mageia 5 is also affected.

Hopefully we can get patches, as that's quite a bit of change since 1.4.39.
David Walser 2016-07-31 21:04:50 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-08-01 10:37:30 CEST
Assigning to maintainer

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2016-08-01 13:43:29 CEST
(In reply to David Walser from comment #0)
> Upstream has released version 1.4.41 today (July 31):
> http://www.lighttpd.net/2016/7/31/1.4.41/
> 
> It has four security fixes, including an "httpoxy" one.
> 
> 1.4.40 was previously released on July 16:
> http://www.lighttpd.net/2016/7/16/1.4.40/
> 
> Mageia 5 is also affected.
> 
> Hopefully we can get patches, as that's quite a bit of change since 1.4.39.

Should we update Cauldron to the 1.4.41 version of lighttpd?
Comment 3 Marja Van Waes 2016-08-01 14:08:23 CEST
(In reply to Shlomi Fish from comment #2)

> 
> Should we update Cauldron to the 1.4.41 version of lighttpd?

IINM, David Walser should be going on holiday now :-)

If he doesn't reply: probably better to ask on dev ml.
Or, if preparing the upgrade doesn't take a lot of time: try to get a freeze push request accepted ;-)
Comment 4 David Walser 2016-08-08 21:39:37 CEST
httpoxy issue here is actually CVE-2016-1000212.

URL: (none) => http://lwn.net/Vulnerabilities/696215/

Comment 5 David Walser 2016-08-08 21:42:18 CEST
Debian has issued an advisory for this on August 6:
https://lists.debian.org/debian-security-announce/2016/msg00220.html

The DSA should be here, but for some reason it hasn't been posted:
https://www.debian.org/security/2016/dsa-3642
Comment 6 David Walser 2016-08-11 23:03:57 CEST
I guess it'd be easiest for Cauldron to just update it to 1.4.41 and hope for the best.
Comment 7 David Walser 2016-08-13 03:37:30 CEST
lighttpd-1.4.41-1.mga6 uploaded for Cauldron.  Thanks Shlomi.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 8 Nicolas Lécureuil 2016-11-18 09:57:04 CET
pushed in mga5 updates_testing
SRPMS:  lighttpd-1.4.37-1.1.mga5

CC: (none) => mageia
Assignee: shlomif => qa-bugs

Nicolas Lécureuil 2016-11-18 10:06:06 CET

Assignee: qa-bugs => bugsquad

Nicolas Lécureuil 2016-11-18 10:51:27 CET

Assignee: bugsquad => qa-bugs

Comment 9 David Walser 2016-11-18 15:16:01 CET
Nicolas, what about the other security issues fixed in 1.4.41?

Advisory:
========================

Updated lighttpd packages fix security vulnerability:

Dominic Scheirlinck and Scott Geary of Vend reported an insecure behaviour in
the lighttpd web server. Lighttpd assigned Proxy header values from client
requests to internal HTTP_PROXY environment variables. This could be used to
carry out Man in the Middle Attacks (MITM) or create connections to arbitrary
hosts (CVE-2016-1000212).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000212
https://www.debian.org/security/2016/dsa-3642
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.37-1.1.mga5
lighttpd-mod_auth-1.4.37-1.1.mga5
lighttpd-mod_cml-1.4.37-1.1.mga5
lighttpd-mod_compress-1.4.37-1.1.mga5
lighttpd-mod_mysql_vhost-1.4.37-1.1.mga5
lighttpd-mod_trigger_b4_dl-1.4.37-1.1.mga5
lighttpd-mod_webdav-1.4.37-1.1.mga5
lighttpd-mod_magnet-1.4.37-1.1.mga5
lighttpd-mod_geoip-1.4.37-1.1.mga5

from lighttpd-1.4.37-1.1.mga5.src.rpm
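The advisory text above states the mechanism in one sentence. The following is an added example (not lighttpd's, Debian's or Mageia's code) that shows in Python why a client-supplied "Proxy" header becomes HTTP_PROXY under the CGI naming rule, a server-side filter that stops it (lighttpd 1.4.41's actual change is not reproduced here, only the effect), and the client-side check several HTTP client libraries adopted as defence in depth. The request headers, addresses and the proxy-lookup helper are constructed for this illustration.

```python
# Added example (not lighttpd's or Mageia's code): how the httpoxy bug
# (CVE-2016-1000212 in lighttpd) falls out of the CGI header-to-environment
# rule, and the filters that close it. Header values, addresses and the
# "client" helpers below are constructed for this illustration.
from typing import Dict, List, Optional, Tuple

# Constructed request as an attacker would send it, e.g.
#   curl -H 'Proxy: http://198.51.100.23:8080/' http://target/cgi-bin/app
# "Proxy" is not a standard request header, so nothing else consumes it.
ATTACKER_HEADERS: List[Tuple[str, str]] = [
    ("Host", "www.example.org"),
    ("User-Agent", "curl/7.50.1"),
    ("Proxy", "http://198.51.100.23:8080/"),   # attacker-controlled value
    ("Accept", "*/*"),
]


def cgi_meta_variable(header_name: str) -> str:
    """RFC 3875 rule: 'HTTP_' + upper-cased header name, '-' replaced by '_'.
    This is exactly why a client header 'Proxy' becomes HTTP_PROXY."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_env_vulnerable(headers: List[Tuple[str, str]],
                             method: str = "GET") -> Dict[str, str]:
    """Pre-fix behaviour: every request header is exported verbatim."""
    env: Dict[str, str] = {"REQUEST_METHOD": method}
    for name, value in headers:
        env[cgi_meta_variable(name)] = value
    return env


# Header names whose CGI spelling collides with a variable that HTTP client
# libraries read as configuration. "Proxy" -> HTTP_PROXY is the httpoxy case.
BLOCKED_REQUEST_HEADERS = frozenset({"proxy"})


def build_cgi_env_fixed(headers: List[Tuple[str, str]],
                        method: str = "GET") -> Dict[str, str]:
    """Server-side fix: a client-supplied header must never populate HTTP_PROXY."""
    env: Dict[str, str] = {"REQUEST_METHOD": method}
    for name, value in headers:
        if name.lower() in BLOCKED_REQUEST_HEADERS:
            continue
        env[cgi_meta_variable(name)] = value
    return env


def outbound_proxy_naive(env: Dict[str, str], scheme: str = "http") -> Optional[str]:
    """Constructed stand-in for an HTTP client that honours <SCHEME>_PROXY from
    its environment, the convention that made the header injection exploitable:
    a CGI script using such a client sends its outbound requests (and any
    credentials in them) through the attacker's host."""
    for key in (scheme.upper() + "_PROXY", scheme.lower() + "_proxy"):
        if key in env:
            return env[key]
    return None


def outbound_proxy_cgi_aware(env: Dict[str, str], scheme: str = "http") -> Optional[str]:
    """Client-side defence in depth, the pattern several client libraries
    adopted for httpoxy: when REQUEST_METHOD is set we are running under CGI,
    so the upper-case HTTP_PROXY may have come from the request and is ignored.
    The lower-case spelling cannot be forged via a header and stays usable."""
    under_cgi = "REQUEST_METHOD" in env
    for key in (scheme.upper() + "_PROXY", scheme.lower() + "_proxy"):
        if under_cgi and key == "HTTP_PROXY":
            continue
        if key in env:
            return env[key]
    return None


if __name__ == "__main__":
    vuln = build_cgi_env_vulnerable(ATTACKER_HEADERS)
    fixed = build_cgi_env_fixed(ATTACKER_HEADERS)
    print("vulnerable server, naive client :", outbound_proxy_naive(vuln))
    print("vulnerable server, aware client :", outbound_proxy_cgi_aware(vuln))
    print("fixed server, naive client      :", outbound_proxy_naive(fixed))
```

Running the block prints the attacker's proxy URL for the first line and None for the other two. Either layer alone stops this request, but only the server-side filter protects CGI programs whose HTTP client has not been updated, which is why the web-server fix is the one that matters for an update like this.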
Comment 10 Nicolas Lécureuil 2016-11-18 15:40:59 CET
is it safe to update in a second step to 1.4.41 ?
Comment 11 David Walser 2016-11-18 16:04:04 CET
(In reply to Nicolas Lécureuil from comment #10)
> is it safe to update in a second step to 1.4.41 ?

Probably.
Dave Hodgins 2016-11-21 21:29:00 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 12 Herman Viaene 2016-11-22 14:19:37 CET
MGA5-32 on AcerD620 Xfce
No installation issues
Tested as per bug 16555 Comment 4: tested on default port 80 and test port 8080, all OK

CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK

Comment 13 Lewis Smith 2016-11-25 15:09:23 CET
Testing M5_64 real hardware

BEFORE update:
Installed the following from current normal repositories:
 lighttpd-1.4.37-1.mga5
 lighttpd-mod_auth-1.4.37-1.mga5
 lighttpd-mod_cml-1.4.37-1.mga5
 lighttpd-mod_compress-1.4.37-1.mga5
 lighttpd-mod_geoip-1.4.37-1.mga5
 lighttpd-mod_magnet-1.4.37-1.mga5
 lighttpd-mod_mysql_vhost-1.4.37-1.mga5
 lighttpd-mod_trigger_b4_dl-1.4.37-1.mga5
 lighttpd-mod_webdav-1.4.37-1.mga5

# systemctl stop httpd.service
# systemctl start lighttpd.service
# systemctl status lighttpd.service
● lighttpd.service - Lightning Fast Webserver With Light System Requirements
   Loaded: loaded (/usr/lib/systemd/system/lighttpd.service; enabled)
   Active: active (running) since Gwe 2016-11-25 14:44:40 CET; 30s ago
  Process: 26331 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
 Main PID: 26372 (lighttpd-angel)
   CGroup: /system.slice/lighttpd.service
           ├─26372 /usr/sbin/lighttpd-angel -D -f /etc/lighttpd/lighttpd.conf...
           └─26373 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Browsing to http://localhost[:80] shows the "It works!" page.
http://localhost:8080 showed an Apache Tomcat intro page, because I happen to have Tomcat installed.

AFTER update from 'updates testing' to version '1.4.37-1.1' of all 9 modules:
# systemctl restart lighttpd
# systemctl status lighttpd.service
gave quasi-identical O/P to that shown above.

Browsing to both default (80) and 8080 http://localhost ports showed the same pages as beforehand. The update looks OK. Validating; advisory already there.

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 14 Mageia Robot 2016-11-25 18:05:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0398.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
