Hi Glenn,

On Mon, Aug 18, 2025 at 03:31:59AM -0400, Glenn Strauss wrote:
> On Fri, Aug 15, 2025 at 09:40:39PM +0200, Salvatore Bonaccorso wrote:
> > Hi Glenn,
> >
> > On Fri, Aug 15, 2025 at 03:19:14AM -0400, Glenn Strauss wrote:
> > > Salvatore: lighttpd is not directly vulnerable to HTTP/2 MadeYouReset
> > >
> > > As published in https://kb.cert.org/vuls/id/767506
> > > > Vendor Statement
> > > >
> > > > lighttpd is not directly vulnerable to HTTP/2 MadeYouReset. lighttpd
> > > > tracks request streams with connections to backends, makes a single
> > > > request on each backend socket connection, and closes the socket (or
> > > > kill()s the CGI) when the request stream is reset.
> > >
> > >
> > > On Fri, Aug 15, 2025 at 06:09:43AM +0200, Salvatore Bonaccorso wrote:
> > > > The following vulnerability was published for lighttpd.
> > > > CVE-2025-8671[0]:
> > >
> > > ***
> > > Please contact security at lighttpd.net prior to filing a CVE
> > > and prior to publishing a CVE.
> > > ***
> > >
> > > lighttpd 1.4.80 adds *detection* of HTTP/2 MadeYouReset so that log
> > > watchers such as fail2ban can be configured to block offending IPs.
> >
> > Right, and these are the mentioned references in the bug report:
> > https://www.lighttpd.net/2025/8/13/1.4.80/
> > https://github.com/lighttpd/lighttpd1.4/commit/8442ca4c699566cdd7369e09690926f403b54fc9
> >
> > > I see now that the lighttpd release notes could have been more explicit
> > > that lighttpd is not directly vulnerable to MadeYouReset, the same way
> > > that lighttpd was not directly vulnerable to Rapid Reset attacks.
> > >
> > > While lighttpd 1.4.80 will close connections to offending clients,
> > > an attacker can merely reconnect and continue the attack, so the
> > > disconnection is a small mitigation. At the end of the day, a DoS
> > > attack is a DoS attack and more effective blocks can be performed
> > > at the firewall or upstream, especially across a farm of independent
> > > lighttpd servers.
> > >
> > > Adding detection and error logging for independent lighttpd servers
> > > across a server farm is one of the reasons lighttpd 1.4.80 adds
> > > detection and logging for MadeYouReset attacks.
> >
> > Thanks, this makes sense, we will update the status for the
> > security-tracker in Debian.
> >
> > That is, it is surely sensible to make the 1.4.80 update for unstable
> > and so forky and maybe if feasible add this detection back as well
> > for trixie and bookworm, what is your take? (this via upcoming point
> > releases).
> >
> > Regards,
> > Salvatore
>
> I plan to submit updated packages for lighttpd 1.4.81
> in early Sept before the Trixie point release.
>
> I will be AFK for a few weeks, and do not want to rush changes if I
> won't be able to respond in a timely manner.
>
> In the meantime, if Debian Developers would like to backport the
> lighttpd 1.4.80 MadeYouReset detection patch to lighttpd 1.4.79,
> please go ahead:
> https://github.com/lighttpd/lighttpd1.4/commit/8442ca4c699566cdd7369e09690926f403b54fc9
>
> Otherwise, I plan to do so in September.

Your proposed plan and doing it in September with the point release is perfectly fine.

Thank you,

Regards,
Salvatore

