Your message dated Sat, 08 Mar 2008 16:47:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#469307: fixed in lighttpd 1.4.18-3
has caused the Debian Bug report #469307,
regarding lighttpd: CVE-2008-1111 reveals cgi source if the cgi handler fork fails
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
469307: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469307
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: lighttpd
Version: 1.4.13-4etch4
Severity: important
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for lighttpd.
CVE-2008-1111[0]:
mod_cgi in lighttpd is going to send the source of a cgi
script if forking the cgi handler fails for some reason. It
should result in a 500 instead.
The default installation of Debian is not affected as it
does not include the mod_cgi configuration but this should
be fixed anyway.
You can find a patch for this on:
http://trac.lighttpd.net/trac/changeset/2107
Note the CVE id is not yet available on the mitre site but
it will be soon hopefully.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1111
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
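The failure mode Nico describes (a CGI handler that steps aside when fork() fails, so the next handler serves the script file as a static document) comes down to how the handler reports the failure. The following is an added illustration written for this page, not lighttpd's mod_cgi or the dpatch referenced above: it models the plugin-chain shape with hypothetical names (HANDLER_GO_ON, HANDLER_FINISHED, dispatch, serve_static, fork_stub) and a constructed CGI script, and contrasts the leaking shape with one that fails closed with a 500.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical handler results modelled on the usual plugin-chain idea:
 * GO_ON hands the request to the next handler (ultimately the static file
 * handler), FINISHED means the response is complete. Not lighttpd's API. */
enum handler_t { HANDLER_GO_ON, HANDLER_FINISHED };

struct request {
    int  http_status;
    char body[256];   /* response body; large enough for the sample below */
};

/* Constructed sample CGI script, standing in for a file on disk. */
static const char CONSTRUCTED_SCRIPT[] =
    "#!/bin/sh\n"
    "DB_PASSWORD=example-secret\n"
    "echo 'Content-Type: text/plain'; echo; echo hello\n";

/* fork_stub: stands in for fork(); fails with EAGAIN when asked to, the way
 * a real fork() does under RLIMIT_NPROC pressure or memory exhaustion. */
static int fork_stub(int should_fail) {
    if (should_fail) { errno = EAGAIN; return -1; }
    return 4242;  /* pretend child pid */
}

/* serve_static: what a fallback file handler does with any request that
 * reaches it: copies the file contents verbatim into the body with 200. */
static enum handler_t serve_static(struct request *r, const char *file) {
    r->http_status = 200;
    snprintf(r->body, sizeof r->body, "%s", file);
    return HANDLER_FINISHED;
}

/* Leaking shape: on fork failure the handler logs and passes the request
 * on, so the script file is served as a plain document. */
static enum handler_t cgi_leaking(struct request *r, int fork_fails) {
    if (fork_stub(fork_fails) == -1) {
        fprintf(stderr, "fork failed: %s\n", strerror(errno));
        return HANDLER_GO_ON;          /* next handler serves the source */
    }
    r->http_status = 200;
    snprintf(r->body, sizeof r->body, "hello\n");  /* stand-in CGI output */
    return HANDLER_FINISHED;
}

/* Fail-closed shape: fork failure is the end of the request, with 500 and
 * an empty body, and nothing downstream ever sees the file. */
static enum handler_t cgi_fail_closed(struct request *r, int fork_fails) {
    if (fork_stub(fork_fails) == -1) {
        fprintf(stderr, "fork failed: %s\n", strerror(errno));
        r->http_status = 500;
        r->body[0] = '\0';
        return HANDLER_FINISHED;
    }
    r->http_status = 200;
    snprintf(r->body, sizeof r->body, "hello\n");
    return HANDLER_FINISHED;
}

/* dispatch: run the CGI handler, then the static handler only if the CGI
 * handler declined the request. Returns the final HTTP status. */
int dispatch(enum handler_t (*cgi)(struct request *, int), int fork_fails,
             struct request *r, const char *script_file) {
    memset(r, 0, sizeof *r);
    if (cgi(r, fork_fails) == HANDLER_GO_ON)
        serve_static(r, script_file);
    return r->http_status;
}

/* leaks_source: the check a tester wants: does the body carry the script? */
int leaks_source(const struct request *r, const char *script_file) {
    return strstr(r->body, script_file) != NULL;
}

int main(void) {
    struct request r;
    int st = dispatch(cgi_leaking, 1, &r, CONSTRUCTED_SCRIPT);
    printf("leaking handler, fork fails: %d, source leaked: %s\n",
           st, leaks_source(&r, CONSTRUCTED_SCRIPT) ? "yes" : "no");
    st = dispatch(cgi_fail_closed, 1, &r, CONSTRUCTED_SCRIPT);
    printf("fail-closed handler, fork fails: %d, source leaked: %s\n",
           st, leaks_source(&r, CONSTRUCTED_SCRIPT) ? "yes" : "no");
    return 0;
}
```

The practical takeaway is the same one the report makes: a handler that has claimed a script path must never return control to a generic file-serving fallback on an error path, because that fallback does not know the file is executable content. Forcing the condition on a test host is cheap (a low process limit for the server's user makes fork() fail predictably), and the response body is what to inspect.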
--- Begin Message ---
Source: lighttpd
Source-Version: 1.4.18-3
We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive:
lighttpd-doc_1.4.18-3_all.deb
to pool/main/l/lighttpd/lighttpd-doc_1.4.18-3_all.deb
lighttpd-mod-cml_1.4.18-3_amd64.deb
to pool/main/l/lighttpd/lighttpd-mod-cml_1.4.18-3_amd64.deb
lighttpd-mod-magnet_1.4.18-3_amd64.deb
to pool/main/l/lighttpd/lighttpd-mod-magnet_1.4.18-3_amd64.deb
lighttpd-mod-mysql-vhost_1.4.18-3_amd64.deb
to pool/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.18-3_amd64.deb
lighttpd-mod-trigger-b4-dl_1.4.18-3_amd64.deb
to pool/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.18-3_amd64.deb
lighttpd-mod-webdav_1.4.18-3_amd64.deb
to pool/main/l/lighttpd/lighttpd-mod-webdav_1.4.18-3_amd64.deb
lighttpd_1.4.18-3.diff.gz
to pool/main/l/lighttpd/lighttpd_1.4.18-3.diff.gz
lighttpd_1.4.18-3.dsc
to pool/main/l/lighttpd/lighttpd_1.4.18-3.dsc
lighttpd_1.4.18-3_amd64.deb
to pool/main/l/lighttpd/lighttpd_1.4.18-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pierre Habouzit <[EMAIL PROTECTED]> (supplier of updated lighttpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 08 Mar 2008 17:30:03 +0100
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source all amd64
Version: 1.4.18-3
Distribution: unstable
Urgency: high
Maintainer: Debian lighttpd maintainers <[EMAIL PROTECTED]>
Changed-By: Pierre Habouzit <[EMAIL PROTECTED]>
Description:
lighttpd - A fast webserver with minimal memory footprint
lighttpd-doc - Documentation for lighttpd
lighttpd-mod-cml - Cache meta language module for lighttpd
lighttpd-mod-magnet - Control the request handling module for lighttpd
lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
lighttpd-mod-trigger-b4-dl - Anti-deep-linking module for lighttpd
lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 448160 462907 463368 469307
Changes:
lighttpd (1.4.18-3) unstable; urgency=high
.
* Force use of deprecated ldap interfaces (Closes: 463368),
thanks to Dann Frazier (patches/ldap-deprecated.dpatch).
* Add sample configuration for the mod_rrdtool (Closes: 462907).
* add patches/06_mod_cgi_vuln_fix.dpatch to fix CVE-2008-1111
(Closes: 469307).
* Remove spurious mkdir in debian/rules (Closes: 448160).
* Bump urgency for RC bug fixes.
Files:
fc1f9a0e00abcd2da2e3702bf6ea74c2 1254 web optional lighttpd_1.4.18-3.dsc
0af5ecf8d8ab3a9b65a24eb744204a1f 30793 web optional lighttpd_1.4.18-3.diff.gz
35fb1a9eb035aaeb988234d23f115bbb 101980 doc optional lighttpd-doc_1.4.18-3_all.deb
218087db4dbb8c461a1d3b2250e36704 312112 web optional lighttpd_1.4.18-3_amd64.deb
b419be5a4460c29a2f75e799d62ae27d 63084 web optional lighttpd-mod-mysql-vhost_1.4.18-3_amd64.deb
030d551553a6f6e0d4f382522bda981e 64738 web optional lighttpd-mod-trigger-b4-dl_1.4.18-3_amd64.deb
b9e59c5dc32e3c383f9811551ba88933 68082 web optional lighttpd-mod-cml_1.4.18-3_amd64.deb
76519c4f52c5df3099fa4bdf1551e0f4 67770 web optional lighttpd-mod-magnet_1.4.18-3_amd64.deb
0d36b9dab714c226dadbc0f3a3d9c806 74760 web optional lighttpd-mod-webdav_1.4.18-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH0r+lvGr7W6HudhwRAhoxAJsEtpRXGEKqr/CShxdNuNOyHsKYVACfWmWv
ZQ0yigamzYekx1oXe05kdKI=
=v69q
-----END PGP SIGNATURE-----
--- End Message ---