OpenSuSE has issued an advisory on November 23:
http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html

This was fixed upstream in 1.4.32, so Cauldron is not affected.

Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated lighttpd packages fix security vulnerability:

The http_request_split_value function in request.c in lighttpd before 1.4.32
allows remote attackers to cause a denial of service (infinite loop) via a
request with a header containing an empty token, as demonstrated using the
"Connection: TE,,Keep-Alive" header (CVE-2012-5533).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5533
http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html
========================

Updated packages in core/updates_testing:
========================
lighttpd-1.4.28-6.3.mga1
lighttpd-mod_auth-1.4.28-6.3.mga1
lighttpd-mod_cml-1.4.28-6.3.mga1
lighttpd-mod_compress-1.4.28-6.3.mga1
lighttpd-mod_mysql_vhost-1.4.28-6.3.mga1
lighttpd-mod_trigger_b4_dl-1.4.28-6.3.mga1
lighttpd-mod_webdav-1.4.28-6.3.mga1
lighttpd-mod_magnet-1.4.28-6.3.mga1

lighttpd-1.4.30-5.1.mga2
lighttpd-mod_auth-1.4.30-5.1.mga2
lighttpd-mod_cml-1.4.30-5.1.mga2
lighttpd-mod_compress-1.4.30-5.1.mga2
lighttpd-mod_mysql_vhost-1.4.30-5.1.mga2
lighttpd-mod_trigger_b4_dl-1.4.30-5.1.mga2
lighttpd-mod_webdav-1.4.30-5.1.mga2
lighttpd-mod_magnet-1.4.30-5.1.mga2

from SRPMS:
lighttpd-1.4.28-6.3.mga1.src.rpm
lighttpd-1.4.30-5.1.mga2.src.rpm
Whiteboard: (none) => MGA1TOO
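The advisory above describes a header-value splitter that spins forever when it meets an empty token between two commas. The C program below is an added example, not lighttpd's request.c and not part of this bug report: it tokenises a comma-separated header value the way a hardened parser should, in a single forward pass whose index strictly increases on every outer iteration, so an empty token such as the middle one in "TE,,Keep-Alive" is skipped instead of re-scanned. The function names, the MAX_TOKENS and MAX_TOKEN_LEN limits, and the sample inputs are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not lighttpd's code. Tokenises a comma-separated header
 * value (e.g. the value of a Connection header) in one forward pass.
 * Empty tokens such as the middle one in "TE,,Keep-Alive" are skipped
 * rather than re-scanned, so the index i strictly increases on every
 * outer iteration and the loop cannot spin. Limits are assumptions. */

#define MAX_TOKENS    16
#define MAX_TOKEN_LEN 64

static int is_hws(char c) { return c == ' ' || c == '\t'; }

/* Writes up to max_tokens NUL-terminated tokens into out.
 * Returns the token count, or -1 if a limit would be exceeded. */
int split_header_value(const char *value, char out[][MAX_TOKEN_LEN], int max_tokens) {
    size_t len = strlen(value);
    size_t i = 0;
    int count = 0;

    while (i < len) {
        /* Skip separators: commas and whitespace. Consecutive commas form an
         * empty token and simply fall through here without producing output. */
        while (i < len && (value[i] == ',' || is_hws(value[i]))) i++;
        if (i >= len) break;

        /* value[i] is now a non-separator, so this loop advances at least once. */
        size_t start = i;
        while (i < len && value[i] != ',') i++;
        size_t end = i;

        /* Trim trailing whitespace inside the token. */
        while (end > start && is_hws(value[end - 1])) end--;

        size_t tlen = end - start;
        if (count >= max_tokens || tlen >= MAX_TOKEN_LEN) return -1;
        memcpy(out[count], value + start, tlen);
        out[count][tlen] = '\0';
        count++;
    }
    return count;
}

/* Number of non-empty tokens in value (-1 if a limit would be exceeded). */
int count_header_tokens(const char *value) {
    char toks[MAX_TOKENS][MAX_TOKEN_LEN];
    return split_header_value(value, toks, MAX_TOKENS);
}

/* 1 if value contains token (case-insensitive, as HTTP token names are), else 0. */
int header_has_token(const char *value, const char *token) {
    char toks[MAX_TOKENS][MAX_TOKEN_LEN];
    int n = split_header_value(value, toks, MAX_TOKENS);
    for (int k = 0; k < n; k++) {
        const char *a = toks[k], *b = token;
        while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
        if (*a == '\0' && *b == '\0') return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed inputs, including the header value named in the advisory. */
    const char *samples[] = { "TE,,Keep-Alive", " , , ", "close", "keep-alive , TE ,, ,upgrade" };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        char toks[MAX_TOKENS][MAX_TOKEN_LEN];
        int n = split_header_value(samples[s], toks, MAX_TOKENS);
        printf("\"%s\" -> %d token(s):", samples[s], n);
        for (int k = 0; k < n; k++) printf(" [%s]", toks[k]);
        printf("\n");
    }
    return 0;
}
```

The property worth checking when reviewing any such tokeniser is that every path through the outer loop consumes at least one byte: the separator-skipping loop either advances or leaves a non-separator under the cursor, and the token-scanning loop then advances past it. A value consisting only of commas and whitespace therefore yields zero tokens and terminates, which is exactly the case the advisory says the affected lighttpd versions got wrong.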
Possible PoC: http://www.exploit-db.com/exploits/22902/

But I cannot see any effect on the old version of lighttpd in mga2.
CC: (none) => marc.lattemann
No impact with the old version in Mageia 1 i586 either. I'll just test that the updated version works.
CC: (none) => davidwhodgins
When starting the server, with either the old or new version, the following message is displayed ...

Starting lighttpd: 2012-11-26 22:17:21: (network.c.239) warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes

Any idea what that's supposed to mean? Just curious.
Testing complete on Mageia 2 i586, x86-64, Mageia 1 i586, and x86-64.

The message in comment 3 is only displayed in Mageia 1, so not much point checking into it.

Could someone from the sysadmin team push the srpm lighttpd-1.4.30-5.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm lighttpd-1.4.28-6.3.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates?

Advisory:

Updated lighttpd packages fix security vulnerability:

The http_request_split_value function in request.c in lighttpd before 1.4.32
allows remote attackers to cause a denial of service (infinite loop) via a
request with a header containing an empty token, as demonstrated using the
"Connection: TE,,Keep-Alive" header (CVE-2012-5533).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5533
http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html
https://bugs.mageia.org/show_bug.cgi?id=8210
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Apparently the PoC didn't work because the flaw was introduced in 1.4.31 (strange that the patch applied anyway). Oops.

https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115116.html