Bug#422254: [pkg-lighttpd] Bug#422254: lighttpd: Security vulnerabilities in Etch version

2007-06-14 Thread Krzysztof Krzyżaniak

Mind Booster Noori wrote:

Package: lighttpd
Followup-For: Bug #422254


As a matter of fact, these two lighttpd 1.4.13 bugs were fixed in
1.4.14, but those patches added one bug, which was fixed in lighttpd
1.4.15. Since 1.4.15 is already in testing, that release closes this
bug. This bug should be closed as a duplicate of bug #419131, which was
closed with the upload of 1.4.15. Also, 1.4.15-1 should migrate to etch.


The last thing is not possible; etch will always have 1.4.13.

  eloy
--
[EMAIL PROTECTED]

   how good it is that there are oceans - without them it would be even sadder



Bug#422254: lighttpd: Security vulnerabilities in Etch version

2007-06-13 Thread Mind Booster Noori
Package: lighttpd
Followup-For: Bug #422254


As a matter of fact, these two lighttpd 1.4.13 bugs were fixed in
1.4.14, but those patches added one bug, which was fixed in lighttpd
1.4.15. Since 1.4.15 is already in testing, that release closes this
bug. This bug should be closed as a duplicate of bug #419131, which was
closed with the upload of 1.4.15. Also, 1.4.15-1 should migrate to etch.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)





Bug#422254: lighttpd: Security vulnerabilities in Etch version

2007-05-04 Thread Jon Vaughan
Package: lighttpd
Version: 1.4.13-4
Severity: critical
Tags: security patch
Justification: root security hole

1.4.13-4 in etch has two security flaws: 
CVE-2007-1870
CVE-2007-1869

I include a patch against the Debian source of 1.4.13-4 with
http://www.lighttpd.net/assets/2007/4/13/lighttpd-1.4.x_crlf_parsing_dos.patch
and
http://www.lighttpd.net/assets/2007/4/13/lighttpd-1.4.x_zero_mtime_crash.patch
applied.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20.7-linode30
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages lighttpd depends on:
ii  libattr1      2.4.32-1      Extended attribute shared library
ii  libbz2-1.0    1.0.3-6       high-quality block-sorting file co
ii  libc6         2.3.6.ds1-13  GNU C Library: Shared libraries
ii  libldap2      2.1.30-13.3   OpenLDAP libraries
ii  libpcre3      6.7-1         Perl 5 Compatible Regular Expressi
ii  libssl0.9.8   0.9.8c-4      SSL shared libraries
ii  lsb-base      3.1-23.1      Linux Standard Base 3.1 init scrip
ii  mime-support  3.39-1        MIME files 'mime.types' & 'mailcap
ii  zlib1g        1:1.2.3-13    compression library - runtime

Versions of packages lighttpd recommends:
pn  php4-cgi | php5-cgi  <none>  (no description available)

-- no debconf information

diff -ur lighttpd-1.4.13.deborig/src/connections.c lighttpd-1.4.13/src/connections.c
--- lighttpd-1.4.13.deborig/src/connections.c	2006-10-07 17:44:43.0 +
+++ lighttpd-1.4.13/src/connections.c	2007-04-27 18:55:17.0 +
@@ -970,7 +970,7 @@
 }
 			} else {
 /* a splited \r \n */
-return -1;
+break;
 			}
 		}
 	}
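Review bot: the else branch now does `break` where it used to `return -1`, but nothing in the hunk records why a split `\r` `\n` is no longer a fatal parse error; add a comment on the `break` stating that the partial line stays in the buffer for the next read, and cite the upstream lighttpd-1.4.x_crlf_parsing_dos.patch it was taken from. Because breaking out of the loop leaves the request pending until more bytes arrive, the caller (not visible in this hunk) should be checked to confirm it re-enters this parser on the next read and that the connection's read timeout still applies, so a client that stops after a lone `\r` is eventually dropped rather than held open indefinitely. The pre-existing comment spelling `splited` could be corrected to `split` in the same pass.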
diff -ur lighttpd-1.4.13.deborig/src/server.c lighttpd-1.4.13/src/server.c
--- lighttpd-1.4.13.deborig/src/server.c	2006-10-04 13:30:52.0 +
+++ lighttpd-1.4.13/src/server.c	2007-04-27 18:55:27.0 +
@@ -163,6 +163,7 @@
 #undef CLEAN
 
 	for (i = 0; i  FILE_CACHE_MAX; i++) {
+		srv-mtime_cache[i].mtime = (time_t)-1;
 		srv-mtime_cache[i].str = buffer_init();
 	}
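Review bot: the added `srv->mtime_cache[i].mtime = (time_t)-1;` gives each slot an explicit empty marker at init, but the hunk does not show the lookup that compares a file's mtime against `mtime_cache[i].mtime`, and that comparison is the site that matters: it must treat `(time_t)-1` as "no entry" and must not report a cache hit for a real file whose mtime is 0 (the zero-mtime case named by the upstream lighttpd-1.4.x_zero_mtime_crash.patch this comes from), and any code that evicts or clears a slot should reset mtime to `(time_t)-1` as well rather than to 0. Also, the patch as pasted here has lost the `<` in `i < FILE_CACHE_MAX` and the `->` in `srv->mtime_cache`, so it will not apply in this form; attach the original patch file instead of inlining it.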