Bug#422254: [pkg-lighttpd] Bug#422254: lighttpd: Security vulnerabilities in Etch version
Mind Booster Noori wrote:
> Package: lighttpd
> Followup-For: Bug #422254
>
> As a matter of fact, these two lighttpd 1.4.13 bugs were fixed in 1.4.14, but those patches added one bug, which was fixed in lighttpd 1.4.15. Since 1.4.15 is already in testing, that release closes this bug. This bug should be closed as a duplicate of bug #419131, which was closed with the upload of 1.4.15. Also, 1.4.15-1 should migrate to etch.

The last thing is not possible; etch will always have 1.4.13.

eloy
-- 
How good it is that there are oceans - without them it would be even sadder.
Bug#422254: lighttpd: Security vulnerabilities in Etch version
Package: lighttpd
Followup-For: Bug #422254

As a matter of fact, these two lighttpd 1.4.13 bugs were fixed in 1.4.14, but those patches added one bug, which was fixed in lighttpd 1.4.15. Since 1.4.15 is already in testing, that release closes this bug. This bug should be closed as a duplicate of bug #419131, which was closed with the upload of 1.4.15. Also, 1.4.15-1 should migrate to etch.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Bug#422254: lighttpd: Security vulnerabilities in Etch version
Package: lighttpd
Version: 1.4.13-4
Severity: critical
Tags: security patch
Justification: root security hole

1.4.13-4 in etch has two security flaws:

  CVE-2007-1870
  CVE-2007-1869

I include a patch against the debian source of 1.4.13-4 with
http://www.lighttpd.net/assets/2007/4/13/lighttpd-1.4.x_crlf_parsing_dos.patch
and
http://www.lighttpd.net/assets/2007/4/13/lighttpd-1.4.x_zero_mtime_crash.patch
applied.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20.7-linode30
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages lighttpd depends on:
ii  libattr1      2.4.32-1      Extended attribute shared library
ii  libbz2-1.0    1.0.3-6       high-quality block-sorting file co
ii  libc6         2.3.6.ds1-13  GNU C Library: Shared libraries
ii  libldap2      2.1.30-13.3   OpenLDAP libraries
ii  libpcre3      6.7-1         Perl 5 Compatible Regular Expressi
ii  libssl0.9.8   0.9.8c-4      SSL shared libraries
ii  lsb-base      3.1-23.1      Linux Standard Base 3.1 init scrip
ii  mime-support  3.39-1        MIME files 'mime.types' 'mailcap
ii  zlib1g        1:1.2.3-13    compression library - runtime

Versions of packages lighttpd recommends:
pn  php4-cgi | php5-cgi  <none>  (no description available)

-- no debconf information

diff -ur lighttpd-1.4.13.deborig/src/connections.c lighttpd-1.4.13/src/connections.c --- lighttpd-1.4.13.deborig/src/connections.c 2006-10-07 17:44:43.0 + +++ lighttpd-1.4.13/src/connections.c 2007-04-27 18:55:17.0 + @@ -970,7 +970,7 @@ } } else { /* a splited \r \n */ -return -1; +break; } } } diff -ur lighttpd-1.4.13.deborig/src/server.c lighttpd-1.4.13/src/server.c --- lighttpd-1.4.13.deborig/src/server.c 2006-10-04 13:30:52.0 + +++ lighttpd-1.4.13/src/server.c 2007-04-27 18:55:27.0 + @@ -163,6 +163,7 @@ #undef CLEAN for (i = 0; i FILE_CACHE_MAX; i++) { + srv-mtime_cache[i].mtime = (time_t)-1; srv-mtime_cache[i].str = buffer_init(); }
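Review bot: In the connections.c hunk, turning `return -1;` into `break;` on the "splited \r \n" branch stops treating a CRLF that straddles two reads as a malformed request, but the three lines of context do not show that the parse position stays at the pending `\r` so the pair is re-examined when the rest arrives, nor what bounds a client that sends the `\r` and never the `\n` (header-size cap, idle timeout). Please add a comment on the new `break` stating both, and a regression test that writes "\r" and "\n" in two separate sends. Minor: the comment should read `split`, not `splited`.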
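Review bot: In the server.c hunk, the sentinel written by `srv->mtime_cache[i].mtime = (time_t)-1;` is undocumented; add a comment saying the slot is empty until a real mtime is stored, so a file with mtime 0 no longer matches a zero-initialised slot (the "zero_mtime_crash" the second patch URL in the report names). Since this hunk only changes initialisation, also confirm that every lookup of `mtime_cache` compares against the same `(time_t)-1` sentinel rather than against 0.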
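As an added example, not lighttpd's code and not part of this bug report, the following C program shows the case the connections.c hunk above is concerned with: a header-block scanner fed one read at a time must treat a `\r` at the end of one read (with its `\n` still in flight) as "need more data" rather than as a malformed request, while still rejecting a `\r` followed by anything else and capping how much it will buffer so that "wait for more" cannot itself be abused. The type and function names, the 8 KiB cap and the sample requests are assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not lighttpd's code: a streaming scanner for the end of an
 * HTTP header block that survives a CRLF split across two reads.
 * HDR_MAX, the names below and the sample requests are assumptions. */

#define HDR_MAX 8192                 /* assumed cap on buffered header bytes */

enum hdr_state { HDR_ERROR = -1, HDR_NEED_MORE = 0, HDR_COMPLETE = 1 };

struct hdr_reader {
    char   buf[HDR_MAX];
    size_t len;      /* bytes buffered so far */
    size_t scanned;  /* resume point: offset of a pending '\r', or == len */
    size_t end;      /* offset just past "\r\n\r\n" once HDR_COMPLETE */
};

void hdr_init(struct hdr_reader *r) { memset(r, 0, sizeof *r); }

/* Append one read's worth of bytes and rescan from the last resume point.
 * A '\r' (or "\r\n", "\r\n\r") at the very end of the buffer may be the
 * start of a CRLF or of the terminator that was split by the read boundary,
 * so it is NOT an error: we stop and keep 'scanned' at that '\r'.  A '\r'
 * followed by anything but '\n' is rejected, and the cap turns a client
 * that never finishes its header into an error instead of unbounded growth. */
enum hdr_state hdr_feed(struct hdr_reader *r, const char *data, size_t n)
{
    static const char term[4] = { '\r', '\n', '\r', '\n' };

    if (n > HDR_MAX - r->len)
        return HDR_ERROR;                       /* would exceed the cap */
    memcpy(r->buf + r->len, data, n);
    r->len += n;

    size_t i = r->scanned;
    while (i < r->len) {
        if (r->buf[i] != '\r') { i++; continue; }

        size_t avail = r->len - i;
        size_t k = avail < 4 ? avail : 4;
        if (memcmp(r->buf + i, term, k) == 0) {
            if (k == 4) {                       /* full "\r\n\r\n" present */
                r->end = i + 4;
                r->scanned = r->end;
                return HDR_COMPLETE;
            }
            break;                              /* split CRLF: wait for more */
        }
        /* Not (a prefix of) the terminator, so avail >= 2 here and this
         * must still be an ordinary line-ending CRLF. */
        if (r->buf[i + 1] != '\n')
            return HDR_ERROR;                   /* bare CR */
        i += 2;
    }
    r->scanned = i;
    return r->len == HDR_MAX ? HDR_ERROR : HDR_NEED_MORE;
}

/* Feed constructed chunks one "read" at a time, stopping at the first result
 * other than NEED_MORE.  Returns the end offset when complete, otherwise the
 * state (0 = need more, -1 = error), so each scenario is one number. */
long hdr_scan_chunks(const char *const *chunks, size_t nchunks)
{
    struct hdr_reader r;
    hdr_init(&r);
    enum hdr_state s = HDR_NEED_MORE;
    for (size_t i = 0; i < nchunks && s == HDR_NEED_MORE; i++)
        s = hdr_feed(&r, chunks[i], strlen(chunks[i]));
    return s == HDR_COMPLETE ? (long)r.end : (long)s;
}

/* Constructed scenarios (sample requests, not captured traffic). */
long scenario_split_crlf(void)        /* "\r" and "\n" in separate reads */
{
    static const char *const c[] = { "GET / HTTP/1.0\r", "\nHost: a\r\n", "\r", "\n" };
    return hdr_scan_chunks(c, 4);     /* 27: whole header consumed */
}
long scenario_split_terminator(void)  /* blank line arrives in a later read */
{
    static const char *const c[] = { "GET / HTTP/1.0\r\n", "\r\n" };
    return hdr_scan_chunks(c, 2);     /* 18 */
}
long scenario_incomplete(void)        /* trailing "\r" alone: not an error */
{
    static const char *const c[] = { "GET / HTTP/1.0\r" };
    return hdr_scan_chunks(c, 1);     /* 0 = need more */
}
long scenario_bare_cr(void)           /* "\r" followed by 'X': rejected */
{
    static const char *const c[] = { "GET / HTTP/1.0\rX" };
    return hdr_scan_chunks(c, 1);     /* -1 */
}
long scenario_oversize(void)          /* header never terminates: capped */
{
    static char big[HDR_MAX + 1];
    memset(big, 'a', sizeof big);
    struct hdr_reader r;
    hdr_init(&r);
    return (long)hdr_feed(&r, big, sizeof big);   /* -1 */
}

int main(void)
{
    printf("split CRLF: %ld, split terminator: %ld, incomplete: %ld, "
           "bare CR: %ld, oversize: %ld\n",
           scenario_split_crlf(), scenario_split_terminator(),
           scenario_incomplete(), scenario_bare_cr(), scenario_oversize());
    return 0;
}
```

The design point is that deferring on a trailing `\r` is only safe together with a bound: here the buffer cap, in a real server also an idle timeout, otherwise a client that sends the `\r` and nothing else holds the connection and its buffer open for free.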