Upstream has released version 1.4.41 today (July 31): http://www.lighttpd.net/2016/7/31/1.4.41/

It has four security fixes, including an "httpoxy" one.

1.4.40 was previously released on July 16: http://www.lighttpd.net/2016/7/16/1.4.40/

Mageia 5 is also affected.

Hopefully we can get patches, as that's quite a bit of change since 1.4.39.
Whiteboard: (none) => MGA5TOO
Assigning to maintainer
CC: (none) => marja11
Assignee: bugsquad => shlomif
(In reply to David Walser from comment #0)
> Upstream has released version 1.4.41 today (July 31):
> http://www.lighttpd.net/2016/7/31/1.4.41/
>
> It has four security fixes, including an "httpoxy" one.
>
> 1.4.40 was previously released on July 16:
> http://www.lighttpd.net/2016/7/16/1.4.40/
>
> Mageia 5 is also affected.
>
> Hopefully we can get patches, as that's quite a bit of change since 1.4.39.

Should we update Cauldron to the 1.4.41 version of lighttpd?
(In reply to Shlomi Fish from comment #2)
> Should we update Cauldron to the 1.4.41 version of lighttpd?

IINM, David Walser should be going on holiday now :-)

If he doesn't reply: probably better to ask on dev ml. Or, if preparing the upgrade doesn't take a lot of time: try to get a freeze push request accepted ;-)
httpoxy issue here is actually CVE-2016-1000212.
URL: (none) => http://lwn.net/Vulnerabilities/696215/
Debian has issued an advisory for this on August 6: https://lists.debian.org/debian-security-announce/2016/msg00220.html

The DSA should be here, but for some reason it hasn't been posted: https://www.debian.org/security/2016/dsa-3642
I guess it'd be easiest for Cauldron to just update it to 1.4.41 and hope for the best.
lighttpd-1.4.41-1.mga6 uploaded for Cauldron. Thanks Shlomi.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
pushed in mga5 updates_testing SRPMS: lighttpd-1.4.37-1.1.mga5
CC: (none) => mageia
Assignee: shlomif => qa-bugs
Assignee: qa-bugs => bugsquad
Assignee: bugsquad => qa-bugs
Nicolas, what about the other security issues fixed in 1.4.41?

Advisory:
========================

Updated lighttpd packages fix security vulnerability:

Dominic Scheirlinck and Scott Geary of Vend reported an insecure behaviour in the lighttpd web server. Lighttpd assigned Proxy header values from client requests to internal HTTP_PROXY environment variables. This could be used to carry out Man in the Middle Attacks (MIDM) or create connections to arbitrary hosts (CVE-2016-1000212).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000212
https://www.debian.org/security/2016/dsa-3642
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.37-1.1.mga5
lighttpd-mod_auth-1.4.37-1.1.mga5
lighttpd-mod_cml-1.4.37-1.1.mga5
lighttpd-mod_compress-1.4.37-1.1.mga5
lighttpd-mod_mysql_vhost-1.4.37-1.1.mga5
lighttpd-mod_trigger_b4_dl-1.4.37-1.1.mga5
lighttpd-mod_webdav-1.4.37-1.1.mga5
lighttpd-mod_magnet-1.4.37-1.1.mga5
lighttpd-mod_geoip-1.4.37-1.1.mga5

from lighttpd-1.4.37-1.1.mga5.src.rpm
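The advisory above describes the "httpoxy" mechanism in one sentence: the CGI rule that turns a request header into an environment variable ("HTTP_" plus the upper-cased name) makes a client-supplied "Proxy" header land in HTTP_PROXY, which HTTP client libraries in the CGI child then honour. The following is an added illustration written for this bug entry, not lighttpd's own code: cgi_env_name(), build_cgi_env_vulnerable(), build_cgi_env_hardened() and proxy_header_present() are assumed names, and the request headers are a constructed sample.

```python
"""Added example: how the CGI meta-variable rule lets a client-chosen
"Proxy" header become HTTP_PROXY, and the guard that prevents it."""
import re

# Header name that must never reach the CGI environment (lower-cased
# for comparison; HTTP header names are case-insensitive).
BLOCKED_HEADERS = {"proxy"}


def cgi_env_name(header_name: str) -> str:
    """RFC 3875 4.1.18: HTTP_ + upper-cased name, '-' (and other
    non-alphanumerics) replaced by '_'."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", header_name.upper())


def build_cgi_env_vulnerable(request_headers):
    """Pre-1.4.41 behaviour: every request header is exported, so a
    "Proxy" header collides with the HTTP_PROXY variable that libcurl
    and similar clients in the CGI child read for their outbound proxy."""
    return {cgi_env_name(n): v for n, v in request_headers}


def build_cgi_env_hardened(request_headers):
    """Fixed behaviour: the "Proxy" request header is dropped before the
    environment is built, so HTTP_PROXY can only come from the server's
    own configuration, never from the client."""
    return {
        cgi_env_name(n): v
        for n, v in request_headers
        if n.lower() not in BLOCKED_HEADERS
    }


def proxy_header_present(request_headers) -> bool:
    """Detection helper for request inspection: a "Proxy" header has no
    legitimate client use, so its presence is worth logging."""
    return any(n.lower() in BLOCKED_HEADERS for n, _ in request_headers)


# Constructed sample request (the proxy value is a placeholder).
CONSTRUCTED_REQUEST = [
    ("Host", "www.example.test"),
    ("User-Agent", "curl/7.50"),
    ("Proxy", "http://proxy.invalid:8080"),
]

if __name__ == "__main__":
    print("vulnerable:", build_cgi_env_vulnerable(CONSTRUCTED_REQUEST))
    print("hardened:  ", build_cgi_env_hardened(CONSTRUCTED_REQUEST))
    print("flagged:   ", proxy_header_present(CONSTRUCTED_REQUEST))
```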
is it safe to update in a second step to 1.4.41 ?
(In reply to Nicolas Lécureuil from comment #10)
> is it safe to update in a second step to 1.4.41 ?

Probably.
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
MGA5-32 on AcerD620 Xfce

No installation issues.
Tested as per bug 16555 Comment 4: tested on default port 80 and test port 8080, all OK.
CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK
Testing M5_64 real hardware

BEFORE update: Installed the following from current normal repositories:
lighttpd-1.4.37-1.mga5
lighttpd-mod_auth-1.4.37-1.mga5
lighttpd-mod_cml-1.4.37-1.mga5
lighttpd-mod_compress-1.4.37-1.mga5
lighttpd-mod_geoip-1.4.37-1.mga5
lighttpd-mod_magnet-1.4.37-1.mga5
lighttpd-mod_mysql_vhost-1.4.37-1.mga5
lighttpd-mod_trigger_b4_dl-1.4.37-1.mga5
lighttpd-mod_webdav-1.4.37-1.mga5

# systemctl stop httpd.service
# systemctl start lighttpd.service
# systemctl status lighttpd.service
● lighttpd.service - Lightning Fast Webserver With Light System Requirements
   Loaded: loaded (/usr/lib/systemd/system/lighttpd.service; enabled)
   Active: active (running) since Gwe 2016-11-25 14:44:40 CET; 30s ago
  Process: 26331 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
 Main PID: 26372 (lighttpd-angel)
   CGroup: /system.slice/lighttpd.service
           ├─26372 /usr/sbin/lighttpd-angel -D -f /etc/lighttpd/lighttpd.conf...
           └─26373 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Browsing to http://localhost[:80] shows the "It works!" page.
http://localhost:8080 showed an Apache Tomcat intro page, because I happen to have Tomcat installed.

AFTER update from 'updates testing' to version '1.4.37-1.1' of all 9 modules:
# systemctl restart lighttpd
# systemctl status lighttpd.service
gave quasi-identical O/P to that shown above.

Browsing to both default (80) and 8080 http://localhost ports showed the same pages as beforehand.

The update looks OK. Validating; advisory already there.
Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0398.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED