lighttpd security fixes

Bug #127718 reported by fago
Affects              Status        Importance  Assigned to  Milestone
lighttpd (Ubuntu)    Fix Released  High        Áron Sisak
  Dapper             Fix Released  High        Áron Sisak
  Edgy               Fix Released  High        Áron Sisak
  Feisty             Fix Released  High        Áron Sisak

Bug Description

Binary package hint: lighttpd

There are several new security fixes for lighttpd:
http://trac.lighttpd.net/trac/browser/branches/lighttpd-1.4.x/NEWS

e.g.
http://trac.lighttpd.net/trac/changeset/1875

Can those be backported?

thanks,
fago

Áron Sisak (asisak)
Changed in lighttpd:
assignee: nobody → asisak
importance: Undecided → Low
status: New → In Progress
Changed in lighttpd:
importance: Low → High
Revision history for this message
Áron Sisak (asisak) wrote :

Attached debdiff that provides security fixes. Trying in a feisty pbuilder now.

Revision history for this message
Áron Sisak (asisak) wrote :

Edgy debdiff

Revision history for this message
Kees Cook (kees) wrote :

Thanks for preparing these diffs! Is the empty file tests/docroot/www/index.html~ actually supposed to be included? That seems like a backup file to me. Have these patches been runtime tested too? The changelog looks great (very detailed!); the only thing I would change is to include the CVEs for each patch so that the automatic CVE scanner can find them and mark them as "fixed".

Changed in lighttpd:
assignee: nobody → asisak
importance: Undecided → High
status: New → In Progress
assignee: nobody → asisak
importance: Undecided → High
status: New → In Progress
Revision history for this message
Áron Sisak (asisak) wrote :

Two more issues fixed, CVE numbers listed.

Revision history for this message
Áron Sisak (asisak) wrote :

BTW tests/docroot/www/index.html~ comes from upstream.

Revision history for this message
Áron Sisak (asisak) wrote :
Changed in lighttpd:
assignee: nobody → asisak
importance: Undecided → High
status: New → In Progress
Revision history for this message
Kees Cook (kees) wrote : Re: [Bug 127718] Re: lighttpd security fixes

On Wed, Aug 08, 2007 at 08:13:41PM -0000, Áron Sisak wrote:
> BTW tests/docroot/www/index.html~ comes from upstream.

Is it required to fix the problems? It appears to be an empty file.

Revision history for this message
Áron Sisak (asisak) wrote :

tests/docroot/www/index.html~ is needed so that the test suite does not fail.

Revision history for this message
Áron Sisak (asisak) wrote :

This is (hopefully) the last of the debdiff series.

All the latest feisty, edgy and dapper debdiffs have been tested in pbuilder.
No "real testing" has been done on any of them, though.

Revision history for this message
Adam Sommer (asommer) wrote :

I tested the feisty patch:

https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/127718/comments/4

Everything built and worked fine for me.

lighttpd served pages fine and didn't have any errors.

Revision history for this message
Adam Sommer (asommer) wrote :

I can also confirm this mod_access bug:

http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_08.txt

bug is present in lighttpd-1.4.13-9ubuntu4 and fixed in lighttpd-1.4.13-9ubuntu4.1 (version created after applying debdiff).

To test I edited this line in /etc/lighttpd/lighttpd.conf:

  url.access-deny = ( "~", ".inc", ".txt" )

I created a simple test.txt file in /var/www/ and could not access it using either http://hostname/test.txt or http://hostname/test.txt/.

I just wanted to comment on my testing methods in case anyone's interested.
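The test procedure above checks two URL forms, with and without a trailing slash, against a url.access-deny suffix list. The following is an added example, not lighttpd's code and not from the thread, that models that suffix check: a naive version that only looks at the URL as received (and so lets "/test.txt/" through), a hardened version that strips trailing slashes before comparing (an assumed approach, not a claim about the exact upstream patch), a helper that lists which probe paths one rule blocks and the other passes, and a small live probe using urllib for running the same check against a real server. The deny list mirrors the lighttpd.conf line quoted above; the probe paths are constructed for illustration.

```python
import sys
import urllib.error
import urllib.request

# Mirrors the line from the comment above:
#   url.access-deny = ( "~", ".inc", ".txt" )
DENY = ("~", ".inc", ".txt")


def denied_vulnerable(path, deny=DENY):
    """Naive suffix check against the URL path exactly as received.
    "/test.txt/" ends in "/", so no deny suffix matches and the request
    passes: this is the trailing-slash bypass being tested for above."""
    return any(path.endswith(suffix) for suffix in deny)


def denied_hardened(path, deny=DENY):
    """Assumed fix (illustrative, not lighttpd's actual patch): drop trailing
    slashes before the suffix comparison so "/test.txt/" and "/test.txt//"
    are judged the same way as "/test.txt"."""
    stripped = path.rstrip("/")
    return any(stripped.endswith(suffix) for suffix in deny)


def find_bypasses(paths, deny=DENY):
    """Return the paths the hardened rule blocks but the naive rule lets
    through: exactly the requests worth probing after applying the update."""
    return [p for p in paths
            if denied_hardened(p, deny) and not denied_vulnerable(p, deny)]


# Constructed probe paths: each deny suffix with and without a trailing slash,
# plus controls that neither rule should block.
PROBES = [
    "/test.txt",
    "/test.txt/",
    "/test.txt//",
    "/config.inc/",
    "/index.html~/",
    "/index.html",
    "/notes.txt/x",
]


def probe(base_url, paths, timeout=5):
    """Live check against a running server (hypothetical base_url, e.g.
    http://hostname). Returns {path: status}; 403 means access was denied,
    200 means the file was served, which for a denied suffix is a bypass."""
    results = {}
    for p in paths:
        try:
            with urllib.request.urlopen(base_url + p, timeout=timeout) as resp:
                results[p] = resp.status
        except urllib.error.HTTPError as e:
            results[p] = e.code
    return results


if __name__ == "__main__":
    # Offline: show which probe paths slip past the naive rule.
    for p in PROBES:
        print(f"{p:16} naive={denied_vulnerable(p)!s:5} hardened={denied_hardened(p)}")
    print("bypasses:", find_bypasses(PROBES))
    # Online: python3 this_script.py http://hostname
    if len(sys.argv) > 1:
        for p, status in probe(sys.argv[1], PROBES).items():
            print(f"{status} {sys.argv[1]}{p}")
```

Run with no arguments to see the offline comparison; pass a base URL to send the same paths to a server and read off the status codes, where a 200 for any path in the bypass list means the trailing-slash bug is still present.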

Revision history for this message
Adam Sommer (asommer) wrote :

Tested the dapper patch and it builds and serves pages fine.

I followed the same procedure for dapper as I did for feisty above.

The mod_access bug went away with the update.

Revision history for this message
Kees Cook (kees) wrote :

Fixed in gutsy, publications for dapper/feisty are on their way now. :)

Changed in lighttpd:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Released
Revision history for this message
Leonel Nunez (leonelnunez) wrote :

applied this patch http://launchpadlibrarian.net/8743252/lighttpd_1.4.13%7Er1370-1ubuntu1.2.debdiff

built and tested in Edgy

No problems found

Kees Cook (kees)
Changed in lighttpd:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: In Progress → Fix Committed
Kees Cook (kees)
Changed in lighttpd:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
