Lighttpd 1.4.50 has been released on August 13, fixing three security issues: http://www.lighttpd.net/2018/8/13/1.4.50/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
Fedora has issued an advisory for this on August 22: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L4IF4NIZOPGQ36R7FFZTGDYNMECSFGMU/
Fedora 28 version of the advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PDOQELVRGJWNLEIWYDFTNM2UTWDC7ZKB/
shlomif pushed 1.4.50 2018-08-16
CC: (none) => bruno
I pushed 1.4.50 in 6 core/updates_testing
Assignee: shlomif => qa-bugs
Status: NEW => ASSIGNED
Advisory:
========================

Updated lighttpd package fixes security vulnerabilities:

potential path traversal with specific configs or in some use cases in mod_alias.
use-after-free invalid Range requests in core.

References:
http://www.lighttpd.net/2018/8/13/1.4.50/
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.50-1.1.mga6
lighttpd-mod_auth-1.4.50-1.1.mga6
lighttpd-mod_authn_file-1.4.50-1.1.mga6
lighttpd-mod_authn_ldap-1.4.50-1.1.mga6
lighttpd-mod_authn_mysql-1.4.50-1.1.mga6
lighttpd-mod_cml-1.4.50-1.1.mga6
lighttpd-mod_compress-1.4.50-1.1.mga6
lighttpd-mod_deflate-1.4.50-1.1.mga6
lighttpd-mod_mysql_vhost-1.4.50-1.1.mga6
lighttpd-mod_trigger_b4_dl-1.4.50-1.1.mga6
lighttpd-mod_webdav-1.4.50-1.1.mga6
lighttpd-mod_magnet-1.4.50-1.1.mga6
lighttpd-mod_geoip-1.4.50-1.1.mga6
lighttpd-mod_uploadprogress-1.4.50-1.1.mga6

from lighttpd-1.4.50-1.1.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Stopped httpd, then
# systemctl start lighttpd
# systemctl -l status lighttpd
● lighttpd.service - Lightning Fast Webserver With Light System Requirements
   Loaded: loaded (/usr/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since wo 2018-10-24 12:00:44 CEST; 3s ago
  Process: 2112 ExecStart=/usr/sbin/lighttpd-angel -D -f /etc/lighttpd/lighttpd.conf (code=ex
  Process: 2104 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exite
 Main PID: 2112 (code=exited, status=0/SUCCESS)
and of course no connection in firefox
# journalctl -xe | grep light
-- Subject: Unit lighttpd.service has begun start-up
-- Unit lighttpd.service has begun starting up.
okt 24 12:00:44 mach6.hviaene.thuis lighttpd[2104]: Syntax OK
-- Subject: Unit lighttpd.service has finished start-up
-- Unit lighttpd.service has finished starting up.
okt 24 12:00:44 mach6.hviaene.thuis lighttpd-angel[2112]: 2018-10-24 12:00:44: (network.c.167) warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes
okt 24 12:00:44 mach6.hviaene.thuis lighttpd-angel[2112]: 2018-10-24 12:00:44: (network.c.281) socket failed: Address family not supported by protocol
okt 24 12:00:44 mach6.hviaene.thuis lighttpd-angel[2112]: lighttpd-angel.c.148: child (pid=2115) exited normally with exitcode: 255
So edited /etc/lighttpd/lighttpd.conf to server.use-ipv6 = "disable" (default was "enable"), then
# systemctl start lighttpd
[root@mach6 ~]# systemctl -l status lighttpd
● lighttpd.service - Lightning Fast Webserver With Light System Requirements
   Loaded: loaded (/usr/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
   Active: active (running) since wo 2018-10-24 12:06:52 CEST; 7s ago
  Process: 4353 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, status
 Main PID: 4357 (lighttpd-angel)
   CGroup: /system.slice/lighttpd.service
           ├─4357 /usr/sbin/lighttpd-angel -D -f /etc/lighttpd/lighttpd.conf
           └─4360 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
I could connect on port 80 and, as per bug 16555, changed port to 8080 in /etc/lighttpd/lighttpd.conf and restarted lighttpd, also OK.
So lighttpd works OK, but not with its default /etc/lighttpd/lighttpd.conf.
CC: (none) => herman.viaene
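The check behind the test report above, as an added example that is not part of the bug report or of the lighttpd project: a POSIX shell script that reads server.use-ipv6 from a lighttpd.conf and flags the combination that produced "socket failed: Address family not supported by protocol" (IPv6 enabled in the config on a host whose kernel has no IPv6). The function names, the constructed sample config files and the explicit yes/no kernel-IPv6 argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the bug report).

# Print the value of server.use-ipv6 found in a lighttpd.conf; the last
# assignment wins, and "unset" is printed when the directive is absent.
use_ipv6_setting() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*server\.use-ipv6[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# "yes" when the running kernel has IPv6 enabled, "no" otherwise.
kernel_has_ipv6() {
    if [ -e /proc/net/if_inet6 ]; then echo yes; else echo no; fi
}

# Return 0 (true) when the config would fail the way Comment 7 shows:
# server.use-ipv6 = "enable" but the kernel ($2, "yes"/"no") has no IPv6.
# $2 is passed explicitly so the check is deterministic; on a live host
# call it as: ipv6_mismatch /etc/lighttpd/lighttpd.conf "$(kernel_has_ipv6)"
ipv6_mismatch() {
    [ "$(use_ipv6_setting "$1")" = "enable" ] && [ "$2" = "no" ]
}

# Constructed sample configs mirroring the default and the edited file.
tmpdir=$(mktemp -d)
printf 'server.port = 80\nserver.use-ipv6 = "enable"\n' > "$tmpdir/default.conf"
printf 'server.port = 80\nserver.use-ipv6 = "disable"\n' > "$tmpdir/fixed.conf"

# Simulate a host without IPv6, as in the test report.
if ipv6_mismatch "$tmpdir/default.conf" no; then
    echo "default.conf: would fail without kernel IPv6; set server.use-ipv6 = \"disable\" or a server.bind address"
fi
ipv6_mismatch "$tmpdir/fixed.conf" no || echo "fixed.conf: OK"
rm -rf "$tmpdir"
```

Run it with the real path and `"$(kernel_has_ipv6)"` before `systemctl start lighttpd` to catch the mismatch without reading journalctl.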
Upstream has released 1.4.51 on October 14: https://www.lighttpd.net/2018/10/14/1.4.51/ It fixes two security issues. Fedora has issued an advisory for this on October 23: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NCAH6ZBU4V4FMPV4C2LSPAFVRRM2UCVD/
Summary: lighttpd new security issues fixed upstream in 1.4.50 => lighttpd new security issues fixed upstream in 1.4.51
Keywords: (none) => feedback
lighttpd-1.4.51-1.mga7 is already in cauldron
lighttpd-1.4.51-1.mga6 submitted for mga6 update
Advisory:
========================

Updated lighttpd package fixes security vulnerabilities:

Potential path traversal with specific configs or in some use cases in mod_alias.
use-after-free invalid Range requests in core.
Process headers after combining folded headers in core.
Skip username "." and ".." in mod_userdir.

References:
http://www.lighttpd.net/2018/8/13/1.4.50/
https://www.lighttpd.net/2018/10/14/1.4.51/
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.51-1.mga6
lighttpd-mod_auth-1.4.51-1.mga6
lighttpd-mod_authn_file-1.4.51-1.mga6
lighttpd-mod_authn_ldap-1.4.51-1.mga6
lighttpd-mod_authn_mysql-1.4.51-1.mga6
lighttpd-mod_cml-1.4.51-1.mga6
lighttpd-mod_compress-1.4.51-1.mga6
lighttpd-mod_deflate-1.4.51-1.mga6
lighttpd-mod_mysql_vhost-1.4.51-1.mga6
lighttpd-mod_trigger_b4_dl-1.4.51-1.mga6
lighttpd-mod_webdav-1.4.51-1.mga6
lighttpd-mod_magnet-1.4.51-1.mga6
lighttpd-mod_geoip-1.4.51-1.mga6
lighttpd-mod_uploadprogress-1.4.51-1.mga6

from lighttpd-1.4.51-1.mga6.src.rpm
Keywords: feedback => (none)
Same result and issue as per Comment 7.
That sounds fine. It's to be expected if you disabled IPv6 in your network configuration.
That is the case, so test is OK for me.
Whiteboard: (none) => MGA6-32-OK
Validating, then. Advisory in Comment 11.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0430.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
The path traversal fixed in 1.4.50 got CVE-2018-19052: https://lists.opensuse.org/opensuse-updates/2019-10/msg00120.html