A vulnerability has been found in lighttpd (CVE-2011-4362): A signedness error, leading to an out-of-bounds stack-based buffer read, was found in the way lighttpd, a lightning-fast web server with light system requirements, processed certain invalid base64 HTTP authentication tokens. A remote attacker could provide a specially crafted HTTP authentication request, leading to denial of service (lighttpd daemon crash due to a signedness error while processing the token).

Upstream announcement: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt

The updated packages have been patched to fix this issue.
Testing completed on x86_64
Installed lighttpd-1.4.28-6.1.mga1
Enabled mod_auth and configured a static web site with htdigest authentication.

Still needs testing on i586.
CC: (none) => derekjenn
(In reply to comment #1)
> Testing completed on x86_64
> Installed lighttpd-1.4.28-6.1.mga1
> Enabled mod_auth and configured static web site with htdigest authentication.

That's the core release version. http://twiska.zarb.org/mageia/distrib/1/i586/media/core/updates_testing/ does not contain lighttpd.

Funda, can you check the build system to see why the packages are not showing up on the mirrors?

I'm currently looking at http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2806/diff to figure out how to trigger the error.
CC: (none) => davidwhodgins
Arrgh. Sorry, please ignore comment 2. Still looking at how to trigger the error, to confirm it's fixed.
From what I have read, to trigger the error you have to enter a password of up to 256 characters containing codes above 0x7f to cause a segfault. Not easy to do with a keyboard.
From the redmine link, it looked like something like

wget http://127.0.0.1//server-status --header "Authorization: Basic \x80mFuOmphb"

would trigger the bug, but it doesn't seem to. Without a working PoC, all we can test is that the package still works, which it does.

The one nitpick I have is that the default configuration has var.server_root = "/srv/www" instead of var.server_root = "/var/www". That is not a regression, so the update can be validated.

Funda, do you want to fix /etc/lighttpd/lighttpd.conf, or should I go ahead and validate this update?
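The bug class behind CVE-2011-4362, as an added illustration written for this page (it is not lighttpd's code and not the upstream patch): a base64 decoder that indexes its 256-entry reverse table with a plain `char` turns any input byte of 0x80 or above into a negative index on platforms where `char` is signed (x86), so a crafted Authorization token reads memory before the table. The snippet below contrasts that indexing pattern with the `unsigned char` cast that fixes it, and adds a hardened decoder that rejects non-base64 bytes outright. The function names, the table layout, and the sample token (constructed here with a literal 0x80 byte, modelled on the one tried in the comment above) are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Reverse lookup table for the 256 possible byte values; -1 marks bytes
 * that are not base64 digits. Built on first use. */
static signed char reverse_table[256];
static int table_ready = 0;

static void build_table(void) {
    const char *alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    memset(reverse_table, -1, sizeof reverse_table);
    for (int i = 0; i < 64; i++)
        reverse_table[(unsigned char)alphabet[i]] = (signed char)i;
    table_ready = 1;
}

/* VULNERABLE indexing pattern (the shape of the CVE-2011-4362 bug, as
 * described in the upstream advisory): the input byte is used as a plain
 * 'char', which is signed on x86, so bytes 0x80..0xff give a negative
 * index and table[idx] reads before the start of the table. We force
 * 'signed char' so the demo behaves the same on every platform, and we
 * only compute the index, never dereference it. */
int vulnerable_index(char c) {
    signed char sc = (signed char)c;
    return (int)sc;                 /* -128..127 */
}

/* FIXED indexing pattern: widen through unsigned char first, so the
 * index is always 0..255 and stays inside the 256-entry table. */
int fixed_index(char c) {
    return (int)(unsigned char)c;   /* 0..255 */
}

/* 1 if decoding 'token' with the vulnerable pattern would produce at
 * least one negative (out-of-bounds) table index, else 0. */
int would_read_out_of_bounds(const char *token) {
    for (size_t i = 0; token[i] != '\0'; i++)
        if (vulnerable_index(token[i]) < 0) return 1;
    return 0;
}

/* Hardened decoder: unsigned index, non-digit bytes rejected, padding
 * validated. Returns bytes written to 'out', or -1 on malformed input. */
long base64_decode_safe(const char *in, unsigned char *out, size_t outlen) {
    if (!table_ready) build_table();
    unsigned int acc = 0;   /* bit accumulator */
    int bits = 0;           /* valid bits currently held in acc */
    size_t n = 0, i;
    for (i = 0; in[i] != '\0' && in[i] != '='; i++) {
        int v = reverse_table[fixed_index(in[i])];
        if (v < 0) return -1;             /* e.g. the 0x80 byte: reject */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen) return -1;   /* caller's buffer is full */
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    int pad = 0;
    for (; in[i] == '='; i++) pad++;      /* at most two '=' and nothing after */
    if (pad > 2 || in[i] != '\0' || (i % 4) != 0) return -1;
    return (long)n;
}

/* Convenience checks so results can be asserted without juggling buffers. */
int decode_matches(const char *in, const char *expected) {
    unsigned char out[64];
    long n = base64_decode_safe(in, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(out, expected, (size_t)n) == 0;
}

int decode_rejects(const char *in) {
    unsigned char out[64];
    return base64_decode_safe(in, out, sizeof out) < 0;
}

int main(void) {
    const char *crafted = "\x80mFuOmphb";   /* constructed token with a high byte */
    printf("index of 0x80: vulnerable=%d fixed=%d\n",
           vulnerable_index((char)0x80), fixed_index((char)0x80));
    printf("crafted token would read OOB: %d, hardened decoder rejects it: %d\n",
           would_read_out_of_bounds(crafted), decode_rejects(crafted));
    printf("valid token decodes to user:pass: %d\n",
           decode_matches("dXNlcjpwYXNz", "user:pass"));
    return 0;
}
```

Note that with the fixed cast alone the decoder still has to treat a table value of -1 as "invalid byte" and stop; the cast removes the out-of-bounds read, the rejection removes the garbage-in-garbage-out decoding of non-base64 input.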
var.server_root = "/srv/www" is for operating in a chroot environment. It does not have any effect in normal operation. For me lighttpd works perfectly well with var.server_root left at its default value.
var.server_root = "/srv/www" fixed => http://svnweb.mageia.org/packages?view=revision&revision=175038
I am not convinced that var.server_root needs to be changed. The document root is server.document-root = "/var/www/html". The lighttpd configuration guide does not mention var.server_root, and nor does the list of configuration options.

http://redmine.lighttpd.net/wiki/lighttpd/TutorialConfiguration
http://redmine.lighttpd.net/wiki/lighttpd/Docs:ConfigurationOptions
Ok. Validating the update.

Could someone from the sysadmin team push the srpm lighttpd-1.4.28-6.2.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory:

A vulnerability has been found in lighttpd (CVE-2011-4362): A signedness error, leading to an out-of-bounds stack-based buffer read, was found in the way lighttpd, a lightning-fast web server with light system requirements, processed certain invalid base64 HTTP authentication tokens. A remote attacker could provide a specially crafted HTTP authentication request, leading to denial of service (lighttpd daemon crash due to a signedness error while processing the token).

Upstream announcement: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt

The updated packages have been patched to fix this issue.

https://bugs.mageia.org/show_bug.cgi?id=3552
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED