Debian has issued an advisory on January 11: https://www.debian.org/security/2022/dsa-5040 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Debian and upstream
This is not officially yours, Stig, but seeing that you have done its most recent updates, you at least have seen it before.
Assignee: bugsquad => smelror
Fixed upstream in 1.4.64: http://www.lighttpd.net/2022/1/19/1.4.64/ We'll need to just patch for Mageia 8 since 1.4.64 removes several modules. lighttpd-1.4.64-1.mga9 uploaded for Cauldron.
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: lighttpd-1.4.63-1.mga9.src.rpm => lighttpd-1.4.59-1.mga8.src.rpm
openSUSE has issued an advisory for this today (February 2): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6P5G6MJW4Q5RKKPO7TS5CLAAEQ2QUYBE/
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system. (CVE-2022-22707)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22707
https://www.debian.org/security/2022/dsa-5040
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6P5G6MJW4Q5RKKPO7TS5CLAAEQ2QUYBE/
========================

Updated packages in core/updates_testing:
========================
lighttpd-mod_webdav-1.4.59-1.1.mga8
lighttpd-mod_cml-1.4.59-1.1.mga8
lighttpd-mod_mysql_vhost-1.4.59-1.1.mga8
lighttpd-mod_auth-1.4.59-1.1.mga8
lighttpd-mod_authn_ldap-1.4.59-1.1.mga8
lighttpd-mod_magnet-1.4.59-1.1.mga8
lighttpd-mod_uploadprogress-1.4.59-1.1.mga8
lighttpd-mod_geoip-1.4.59-1.1.mga8
lighttpd-mod_authn_file-1.4.59-1.1.mga8
lighttpd-mod_ajp13-1.4.59-1.1.mga8
lighttpd-mod_authn_mysql-1.4.59-1.1.mga8
lighttpd-mod_trigger_b4_dl-1.4.59-1.1.mga8
lighttpd-mod_deflate-1.4.59-1.1.mga8
lighttpd-1.4.59-1.1.mga8

from SRPM:
lighttpd-1.4.59-1.1.mga8.src.rpm
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Status comment: Patch available from Debian and upstream => (none)
CVE: (none) => CVE-2022-22707
Assignee: smelror => qa-bugs
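The advisory above makes exposure depend on two things: a lighttpd version in the 1.4.46 through 1.4.63 range, and the non-default configuration in which mod_extforward is asked to parse the Forwarded header. The script below is an added example for QA or admins checking a host, not code from this bug or from the lighttpd project. It assumes the directive that selects which headers mod_extforward parses is `extforward.headers` and that the module is loaded through `server.modules`; the two config files it builds are constructed samples, not taken from any real system.

```shell
#!/bin/sh
# Added check for CVE-2022-22707 exposure (not from the bug report or lighttpd).
# Exposed means: version in 1.4.46..1.4.63 AND mod_extforward is loaded AND
# extforward.headers lists "Forwarded" (assumed directive name).

# Return 0 if VERSION is in the affected range 1.4.46..1.4.63.
# Accepts "1.4.59", an RPM-style "1.4.59-1.1.mga8", or "lighttpd/1.4.59"
# as printed in the Server response header.
version_affected() {
    ver=${1#lighttpd/}
    maj=$(printf '%s' "$ver" | cut -d. -f1)
    min=$(printf '%s' "$ver" | cut -d. -f2)
    pat=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ "$maj" = 1 ] && [ "$min" = 4 ] || return 1
    [ "${pat:-0}" -ge 46 ] && [ "${pat:-0}" -le 63 ]
}

# Return 0 if the config loads mod_extforward and tells it to parse the
# Forwarded header. Comments are stripped and lines joined first so that a
# directive written across several lines is still recognised.
config_parses_forwarded() {
    flat=$(sed 's/#.*//' "$1" | tr '\n' ' ')
    printf '%s' "$flat" | grep -q '"mod_extforward"' || return 1
    printf '%s' "$flat" | grep -q 'extforward\.headers[^)]*"Forwarded"'
}

# Combine both conditions; exit status 0 means "exposed".
check_host() {
    if version_affected "$1" && config_parses_forwarded "$2"; then
        echo "lighttpd $1 with $2 is exposed to CVE-2022-22707: update, or drop \"Forwarded\" from extforward.headers"
        return 0
    fi
    echo "lighttpd $1 with $2 is not exposed (version out of range, or Forwarded header not parsed)"
    return 1
}

# Constructed sample configs (not from any real host) used for the demo below.
SAMPLE_CFG=$(mktemp)
SAFE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$SAFE_CFG"' EXIT

# Non-default setup the advisory describes: Forwarded header handled by mod_extforward.
cat > "$SAMPLE_CFG" <<'EOF'
server.modules = ( "mod_access", "mod_extforward" )
extforward.forwarder = ( "10.0.0.2" => "trust" )
# extforward.headers = ( "X-Forwarded-For" )
extforward.headers = (
    "Forwarded"
)
EOF

# Same module, but only the classic X-Forwarded-For header is parsed.
cat > "$SAFE_CFG" <<'EOF'
server.modules = ( "mod_access", "mod_extforward" )
extforward.forwarder = ( "10.0.0.2" => "trust" )
extforward.headers = ( "X-Forwarded-For" )
EOF

check_host 1.4.59 "$SAMPLE_CFG"
check_host 1.4.59 "$SAFE_CFG" || :
```

On a real host, feed `check_host` the version from `rpm -q lighttpd` and the merged configuration (`lighttpd -p -f /etc/lighttpd/lighttpd.conf` prints the config after includes are resolved, so directives living in conf.d snippets are not missed). A "not exposed" result from the config test only means the crash described in the advisory is not reachable; the fixed package should still be installed, and the 32-bit note in the advisory is about likelihood, not about 64-bit hosts being safe.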
MGA8-64, Mate

Apr 27 13:02:41 localhost.localdomain [RPM][2909]: install lighttpd-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:41 localhost.localdomain [RPM][2909]: install lighttpd-mod_authn_file-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_auth-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_geoip-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_authn_ldap-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_cml-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_trigger_b4_dl-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_deflate-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_webdav-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_mysql_vhost-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_uploadprogress-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_ajp13-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_authn_mysql-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:42 localhost.localdomain [RPM][2909]: install lighttpd-mod_magnet-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_authn_file-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_auth-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_geoip-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_authn_ldap-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_cml-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_trigger_b4_dl-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_deflate-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_webdav-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_mysql_vhost-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_uploadprogress-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_ajp13-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_authn_mysql-1.4.59-1.1.mga8.x86_64: success
Apr 27 13:02:43 localhost.localdomain [RPM][2909]: install lighttpd-mod_magnet-1.4.59-1.1.mga8.x86_64: success

[root@localhost html]# # curl -I -L localhost
HTTP/1.1 200 OK
Content-Type: text/html
Accept-Ranges: bytes
ETag: "3522954346"
Last-Modified: Wed, 27 Apr 2022 18:27:16 GMT
Content-Length: 144
Date: Wed, 27 Apr 2022 18:29:19 GMT
Server: lighttpd/1.4.59

I don't really have time for more tests, but everything seems to have installed alright and the service is running and responding.
CC: (none) => brtians1
(In reply to Brian Rockwell from comment #5)
> I don't really have time for more tests, but everything seems to have
> installed alright and the service is running and responding.

If I'm reading previous updates correctly, that should be enough. Giving it an OK, and validating.

Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0161.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED