Comment 27 for bug 107628

Scott Kitterman (kitterman) wrote :

The problem is that when this was reported, there was an update for Dapper sitting in dapper-proposed:

https://launchpad.net/ubuntu/dapper/+source/lighttpd

That update:

https://launchpad.net/ubuntu/dapper/+source/lighttpd/1.4.11-3ubuntu3.1

has been sitting in dapper-proposed since last November and lacks the fix for this issue. So the existing -proposed package has the vulnerability. The upload you rejected was meant to replace it by fixing the vulnerability.

As it stands right now, should 1.4.11-3ubuntu3.1 ever finish SRU testing and be released, it would re-introduce this vulnerability. The intent of the 1.4.11-3ubuntu3.2 upload was to ensure (in advance) that this would not happen.

Sorry I wasn't clear before (hope I am now).