Bug 23443 - lighttpd new security issues fixed upstream in 1.4.50
Summary: lighttpd new security issues fixed upstream in 1.4.50
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-14 13:56 CEST by David Walser
Modified: 2018-10-12 01:28 CEST

See Also:
Source RPM: lighttpd-1.4.45-4.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-08-14 13:56:59 CEST
Lighttpd 1.4.50 has been released on August 13, fixing three security issues:
http://www.lighttpd.net/2018/8/13/1.4.50/

Mageia 5 and Mageia 6 are also affected.

David Walser 2018-08-14 13:57:10 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-16 12:22:47 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 David Walser 2018-08-29 20:47:28 CEST
Fedora has issued an advisory for this on August 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L4IF4NIZOPGQ36R7FFZTGDYNMECSFGMU/

Comment 4 Bruno Cornec 2018-10-11 01:40:13 CEST
shlomif pushed 1.4.50 2018-08-16

CC: (none) => bruno

Comment 5 Bruno Cornec 2018-10-11 01:43:37 CEST
I pushed 1.4.50 in 6 core/updates_testing

Assignee: shlomif => qa-bugs
Status: NEW => ASSIGNED

Comment 6 David Walser 2018-10-12 01:28:38 CEST
Advisory:
========================

Updated lighttpd package fixes security vulnerabilities:

Potential path traversal with specific configs or in some use cases in mod_alias.

Use-after-free on invalid Range requests in core.

References:
http://www.lighttpd.net/2018/8/13/1.4.50/
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.50-1.1.mga6
lighttpd-mod_auth-1.4.50-1.1.mga6
lighttpd-mod_authn_file-1.4.50-1.1.mga6
lighttpd-mod_authn_ldap-1.4.50-1.1.mga6
lighttpd-mod_authn_mysql-1.4.50-1.1.mga6
lighttpd-mod_cml-1.4.50-1.1.mga6
lighttpd-mod_compress-1.4.50-1.1.mga6
lighttpd-mod_deflate-1.4.50-1.1.mga6
lighttpd-mod_mysql_vhost-1.4.50-1.1.mga6
lighttpd-mod_trigger_b4_dl-1.4.50-1.1.mga6
lighttpd-mod_webdav-1.4.50-1.1.mga6
lighttpd-mod_magnet-1.4.50-1.1.mga6
lighttpd-mod_geoip-1.4.50-1.1.mga6
lighttpd-mod_uploadprogress-1.4.50-1.1.mga6

from lighttpd-1.4.50-1.1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

