Bug 30912 - lighttpd new security issues CVE-2022-37797 and CVE-2022-41556
Summary: lighttpd new security issues CVE-2022-37797 and CVE-2022-41556
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-29 14:17 CEST by David Walser
Modified: 2022-10-13 22:06 CEST (History)

See Also:
Source RPM: lighttpd-1.4.59-1.1.mga8.src.rpm
CVE: CVE-2022-37797, CVE-2022-41556
Status comment:



Description David Walser 2022-09-29 14:17:23 CEST
Debian has issued an advisory on September 28:
https://www.debian.org/security/2022/dsa-5243

The issues are fixed upstream in 1.4.67.
David Walser 2022-09-29 14:17:39 CEST

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 1.4.67

Comment 1 Nicolas Salguero 2022-09-29 14:50:26 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to a null pointer dereference, which crashes the server. It could be used by an external attacker to cause a denial of service condition. (CVE-2022-37797)

A resource leak in mod_fastcgi and mod_scgi could lead to a denial of service after a large number of bad HTTP requests. (CVE-2022-41556)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41556
https://www.debian.org/security/2022/dsa-5243
========================

Updated packages in core/updates_testing:
========================
lighttpd-mod_webdav-1.4.59-1.2.mga8
lighttpd-mod_cml-1.4.59-1.2.mga8
lighttpd-mod_mysql_vhost-1.4.59-1.2.mga8
lighttpd-mod_auth-1.4.59-1.2.mga8
lighttpd-mod_authn_ldap-1.4.59-1.2.mga8
lighttpd-mod_magnet-1.4.59-1.2.mga8
lighttpd-mod_uploadprogress-1.4.59-1.2.mga8
lighttpd-mod_geoip-1.4.59-1.2.mga8
lighttpd-mod_authn_file-1.4.59-1.2.mga8
lighttpd-mod_ajp13-1.4.59-1.2.mga8
lighttpd-mod_authn_mysql-1.4.59-1.2.mga8
lighttpd-mod_trigger_b4_dl-1.4.59-1.2.mga8
lighttpd-mod_deflate-1.4.59-1.2.mga8
lighttpd-1.4.59-1.2.mga8

from SRPM:
lighttpd-1.4.59-1.2.mga8.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-37797, CVE-2022-41556
Status comment: Fixed upstream in 1.4.67 => (none)
Assignee: smelror => qa-bugs

Comment 2 Thomas Andrews 2022-10-13 01:55:36 CEST
Tested in a mga8-64 Plasma VirtualBox guest.

Installed current versions of the above packages, then...

# systemctl start lighttpd
# systemctl status lighttpd
● lighttpd.service - Lightning Fast Webserver With Light System Requirements
     Loaded: loaded (/usr/lib/systemd/system/lighttpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2022-10-12 19:34:09 EDT; 18s ago
    Process: 11176 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
   Main PID: 11177 (lighttpd-angel)
      Tasks: 2 (limit: 4695)
     Memory: 924.0K
        CPU: 18ms
     CGroup: /system.slice/lighttpd.service
             ├─11177 /usr/sbin/lighttpd-angel -D -f /etc/lighttpd/lighttpd.conf
             └─11178 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Oct 12 19:34:09 localhost systemd[1]: Starting Lightning Fast Webserver With Light System Requirements...
Oct 12 19:34:09 localhost lighttpd[11176]: Syntax OK
Oct 12 19:34:09 localhost systemd[1]: Started Lightning Fast Webserver With Light System Requirements.
Oct 12 19:34:09 localhost lighttpd-angel[11178]: 2022-10-12 19:34:09: network.c.221) warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty ad>

Stopped lighttpd service. Used qarepo to download and update the above packages, with no installation issues, then...

# systemctl start lighttpd
# systemctl status lighttpd
● lighttpd.service - Lightning Fast Webserver With Light System Requirements
     Loaded: loaded (/usr/lib/systemd/system/lighttpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2022-10-12 19:43:45 EDT; 34s ago
    Process: 23209 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
   Main PID: 23210 (lighttpd-angel)
      Tasks: 2 (limit: 4695)
     Memory: 912.0K
        CPU: 19ms
     CGroup: /system.slice/lighttpd.service
             ├─23210 /usr/sbin/lighttpd-angel -D -f /etc/lighttpd/lighttpd.conf
             └─23211 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Oct 12 19:43:45 localhost systemd[1]: Starting Lightning Fast Webserver With Light System Requirements...
Oct 12 19:43:45 localhost lighttpd[23209]: Syntax OK
Oct 12 19:43:45 localhost systemd[1]: Started Lightning Fast Webserver With Light System Requirements.
Oct 12 19:43:45 localhost lighttpd-angel[23211]: 2022-10-12 19:43:45: network.c.221) warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty ad>

No differences that I see, other than timestamps. Looks OK to me.

Validating. Advisory in Comment 1.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
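As an added example (not part of this bug report, and not Mageia or lighttpd tooling), the check below turns the two facts stated above into a script: the issues are fixed upstream in 1.4.67, and on Mageia 8 in lighttpd-1.4.59-1.2.mga8 (the previous build, 1.4.59-1.1.mga8, is the vulnerable one). It is meant to be fed the output of an rpm query; the script name, the query format and the sample values are assumptions.

```shell
#!/bin/sh
# check-lighttpd.sh (constructed example, not from the bug report)
# Decides whether an installed lighttpd build carries the fix for
# CVE-2022-37797 / CVE-2022-41556, using the versions named in the bug:
#   upstream fix: 1.4.67
#   Mageia 8 fix: lighttpd-1.4.59-1.2.mga8
# Input format assumed: "VERSION-RELEASE" as printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' lighttpd

UPSTREAM_FIXED="1.4.67"
MGA8_FIXED_VERSION="1.4.59"
MGA8_FIXED_RELEASE="1.2.mga8"

# vercmp A B: prints -1, 0 or 1. Segments are split on "." and compared
# numerically when both are integers, as strings otherwise (e.g. "mga8");
# a missing segment counts as 0, so 1.4.59 sorts below 1.4.59.1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        if expr "${x:-0}" \< "${y:-0}" >/dev/null; then printf '%s\n' -1; return; fi
        if expr "${x:-0}" \> "${y:-0}" >/dev/null; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# lighttpd_patched "VERSION-RELEASE": returns 0 (true) when the build is
# at or above a fixed build, 1 otherwise.
lighttpd_patched() {
    ver="${1%%-*}"; rel="${1#*-}"
    [ "$rel" = "$1" ] && rel=""   # no release part supplied
    # Upstream 1.4.67 or later contains the fix whatever the release tag.
    [ "$(vercmp "$ver" "$UPSTREAM_FIXED")" -ge 0 ] && return 0
    # Mageia 8 backport: same upstream version, fixed release or later.
    [ "$ver" = "$MGA8_FIXED_VERSION" ] &&
        [ "$(vercmp "$rel" "$MGA8_FIXED_RELEASE")" -ge 0 ] && return 0
    return 1
}

# Usage: sh check-lighttpd.sh "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' lighttpd)"
if [ -n "${1:-}" ]; then
    if lighttpd_patched "$1"; then
        echo "$1: carries the fix for CVE-2022-37797 / CVE-2022-41556"
    else
        echo "$1: vulnerable, update to lighttpd-1.4.59-1.2.mga8 or later"
    fi
fi
```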

Dave Hodgins 2022-10-13 21:00:02 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 3 Mageia Robot 2022-10-13 22:06:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0369.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

