Bug 8210 - lighttpd new security issue CVE-2012-5533
: lighttpd new security issue CVE-2012-5533
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/526649/
: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-11-26 17:00 CET by David Walser
Modified: 2013-09-04 03:12 CEST (History)
4 users (show)

See Also:
Source RPM: lighttpd-1.4.30-5.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-11-26 17:00:28 CET
OpenSuSE has issued an advisory on November 23:
http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html

This was fixed upstream in 1.4.32, so Cauldron is not affected.

Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated lighttpd packages fix security vulnerability:

The http_request_split_value function in request.c in lighttpd before 1.4.32
allows remote attackers to cause a denial of service (infinite loop) via a
request with a header containing an empty token, as demonstrated using the
"Connection: TE,,Keep-Alive" header (CVE-2012-5533).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5533
http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.28-6.3.mga1
lighttpd-mod_auth-1.4.28-6.3.mga1
lighttpd-mod_cml-1.4.28-6.3.mga1
lighttpd-mod_compress-1.4.28-6.3.mga1
lighttpd-mod_mysql_vhost-1.4.28-6.3.mga1
lighttpd-mod_trigger_b4_dl-1.4.28-6.3.mga1
lighttpd-mod_webdav-1.4.28-6.3.mga1
lighttpd-mod_magnet-1.4.28-6.3.mga1
lighttpd-1.4.30-5.1.mga2
lighttpd-mod_auth-1.4.30-5.1.mga2
lighttpd-mod_cml-1.4.30-5.1.mga2
lighttpd-mod_compress-1.4.30-5.1.mga2
lighttpd-mod_mysql_vhost-1.4.30-5.1.mga2
lighttpd-mod_trigger_b4_dl-1.4.30-5.1.mga2
lighttpd-mod_webdav-1.4.30-5.1.mga2
lighttpd-mod_magnet-1.4.30-5.1.mga2

from SRPMS:
lighttpd-1.4.28-6.3.mga1.src.rpm
lighttpd-1.4.30-5.1.mga2.src.rpm
Comment 1 Marc Lattemann 2012-11-26 21:22:57 CET
possible PoC: http://www.exploit-db.com/exploits/22902/

But I cannot see any effect on old version of lighttpd in mga2
Comment 2 Dave Hodgins 2012-11-27 04:15:14 CET
No impact with the old version in Mageia 1 i586 either.

I'll just test that the updated version works.
Comment 3 Dave Hodgins 2012-11-27 04:19:06 CET
When starting the server, with either the old or new version, the following
message is displayed ...
Starting lighttpd: 2012-11-26 22:17:21: (network.c.239) warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes

Any idea what that's supposed to mean?  Just curious.
Comment 4 Dave Hodgins 2012-11-27 04:24:37 CET
Testing complete on Mageia 2 i586, x86-64, Mageia 1 i586, and x86-64.

The message in comment 3 is only displayed in Mageia 1, so not much
point checking into it.

Could someone from the sysadmin team push the srpm
lighttpd-1.4.30-5.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
lighttpd-1.4.28-6.3.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated lighttpd packages fix security vulnerability:

The http_request_split_value function in request.c in lighttpd before 1.4.32
allows remote attackers to cause a denial of service (infinite loop) via a
request with a header containing an empty token, as demonstrated using the
"Connection: TE,,Keep-Alive" header (CVE-2012-5533).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5533
http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html

https://bugs.mageia.org/show_bug.cgi?id=8210
Comment 5 Thomas Backlund 2012-11-29 22:20:20 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345
Comment 6 David Walser 2013-09-04 03:12:29 CEST
Apparently the PoC didn't work because the flaw was introduced in 1.4.31 (strange that the patch applied anyway).  Oops.

https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115116.html

Note You need to log in before you can comment on or make changes to this bug.