[Bug 107628] Re: DoS-vulnerability in lighttpd
** Changed in: lighttpd (Ubuntu)
   Status: Confirmed => Fix Released

--
DoS-vulnerability in lighttpd
https://bugs.launchpad.net/bugs/107628
You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 107628] Re: DoS-vulnerability in lighttpd
dapper-proposed update uploaded.

** Tags added: verification-motu-needed
Re: [Bug 107628] Re: DoS-vulnerability in lighttpd
Hi Scott,

Scott Kitterman [2007-05-03 11:52 -]:
> That update:
> https://launchpad.net/ubuntu/dapper/+source/lighttpd/1.4.11-3ubuntu3.1
> has been sitting in dapper-proposed since last November and lacks the fix for this issue. So the existing -proposed package has the vulnerability. The upload you rejected was meant to replace it by fixing the vulnerability.

Ah, I'm terribly sorry. Can you please upload it again then?

Thanks,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
[Bug 107628] Re: DoS-vulnerability in lighttpd
I've attached the dapper-proposed debdiff with the maintainer change removed to be uploaded again.

** Attachment added: Dapper-proposed Fix
   http://librarian.launchpad.net/7550426/lighttpd-dapper-proposed.debdiff

** Attachment removed: Dapper-proposed debdiff
   http://librarian.launchpad.net/7352496/dapper-proposed-lighthttpd.debdiff
[Bug 107628] Re: DoS-vulnerability in lighttpd
** Changed in: lighttpd (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 107628] Re: DoS-vulnerability in lighttpd
** Changed in: lighttpd (Ubuntu)
   Status: Fix Released => Confirmed
[Bug 107628] Re: DoS-vulnerability in lighttpd
This time with the mention of the maintainer change removed from the changelog.

** Attachment added: Updated patch for dapper-proposed
   http://librarian.launchpad.net/7556605/fixed-sru-security.debdiff

** Attachment removed: Dapper-proposed Fix
   http://librarian.launchpad.net/7550426/lighttpd-dapper-proposed.debdiff
[Bug 107628] Re: DoS-vulnerability in lighttpd
Scott, I don't understand -- If the -proposed package has the same vulnerability fix, then it doesn't matter. If it fixes something different, then it should not be treated in this bug report.
[Bug 107628] Re: DoS-vulnerability in lighttpd
Martin, Scott's debdiff for a new dapper-proposed source upload contains the fix in the dapper-security upload. The current dapper-proposed source does /not/ contain this fix.
[Bug 107628] Re: DoS-vulnerability in lighttpd
The problem is that when this was reported, there was an update for Dapper sitting in dapper-proposed:

https://launchpad.net/ubuntu/dapper/+source/lighttpd

That update:

https://launchpad.net/ubuntu/dapper/+source/lighttpd/1.4.11-3ubuntu3.1

has been sitting in dapper-proposed since last November and lacks the fix for this issue. So the existing -proposed package has the vulnerability. The upload you rejected was meant to replace it by fixing the vulnerability.

As it stands right now, should 1.4.11-3ubuntu3.1 ever finish SRU testing and be released, it would re-introduce this vulnerability. The intent of the 1.4.11-3ubuntu3.2 upload was to ensure (in advance) that this would not happen.

Sorry I wasn't clear before (hope I am now).
[Bug 107628] Re: DoS-vulnerability in lighttpd
Just for the record, I rejected the dapper-proposed upload because the fix is already in -security.
Re: [Bug 107628] Re: DoS-vulnerability in lighttpd
Then that leaves us with a higher version numbered package in dapper-proposed that is unpatched. If that SRU ever gets released we'll re-introduce the vulnerability.
[Bug 107628] Re: DoS-vulnerability in lighttpd
Package released to dapper-security. Thank you!

** Changed in: lighttpd (Ubuntu Dapper)
   Status: Fix Committed => Fix Released
[Bug 107628] Re: DoS-vulnerability in lighttpd
Updated packages released to -security. Thank you!

** Changed in: lighttpd (Ubuntu Edgy)
   Status: Fix Committed => Fix Released
[Bug 107628] Re: DoS-vulnerability in lighttpd
Updated patch for Edgy using the patch system. Pbuilt and verified in the pbuilder log that the patches were applied. I can provide i386 binaries for testing if requested.

** Changed in: lighttpd (Ubuntu)
   Assignee: Fridtjof Busse => Scott Kitterman

** Attachment added: Edgy fix with dpatch
   http://librarian.launchpad.net/7398885/lighttpd-edgy-security.debdiff
[Bug 107628] Re: DoS-vulnerability in lighttpd
Dapper fix with dpatch. Version number is due to the .1 already in dapper proposed.

** Attachment added: Dapper-security fix with dpatch
   http://librarian.launchpad.net/7399483/lighttpd-dapper-security.debdiff
[Bug 107628] Re: DoS-vulnerability in lighttpd
Dapper-proposed fix with dpatch attached.

** Attachment added: Fix for dapper-proposed
   http://librarian.launchpad.net/7399547/lighttpd-dapper-proposed.debdiff
[Bug 107628] Re: DoS-vulnerability in lighttpd
Also subscribing MOTU SRU because the fix impacts dapper-proposed.

** Changed in: lighttpd (Ubuntu)
   Assignee: Scott Kitterman => (unassigned)
   Status: In Progress => Confirmed
[Bug 107628] Re: DoS-vulnerability in lighttpd
Show state in Feisty (fixed already), Edgy, and Dapper. Also linking to CVE.

** Changed in: lighttpd (Ubuntu Feisty)
   Status: Unconfirmed => Rejected

** Changed in: lighttpd (Ubuntu Edgy)
   Assignee: (unassigned) => Kees Cook
   Status: Unconfirmed => Fix Committed

** Changed in: lighttpd (Ubuntu Dapper)
   Assignee: (unassigned) => Kees Cook
   Status: Unconfirmed => Fix Committed

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-1870

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-1869
[Bug 107628] Re: DoS-vulnerability in lighttpd
+1 for new dapper-proposed.
[Bug 107628] Re: DoS-vulnerability in lighttpd
Works and builds fine on dapper i386 (patch applied by hand).
[Bug 107628] Re: DoS-vulnerability in lighttpd
Thanks for taking the time to report this bug and helping to make Ubuntu better. If someone can prepare (and test) the fixes and attach debdiffs that follow the [https://wiki.ubuntu.com/SecurityUpdateProcedures], I'd be more than happy to get them uploaded.

** Visibility changed to: Public

** Changed in: lighttpd (Ubuntu)
   Importance: Undecided => Medium
   Status: Unconfirmed => Confirmed
[Bug 107628] Re: DoS-vulnerability in lighttpd
I'll take a stab at it.

** Changed in: lighttpd (Ubuntu)
   Assignee: (unassigned) => Scott Kitterman
   Status: Confirmed => In Progress
[Bug 107628] Re: DoS-vulnerability in lighttpd
The relevant patches are already in the Feisty version, so no issue there.
[Bug 107628] Re: DoS-vulnerability in lighttpd
For the initial reporter, what version of Ubuntu are you running? I'll prepare a package for that one first so you can test it.
[Bug 107628] Re: DoS-vulnerability in lighttpd
Running feisty as of a couple of minutes ago. The changelog on packages.ubuntu.com was outdated, thus I missed the fixed package. But I can test on edgy/dapper nonetheless, I have plenty of virtual machines around.
[Bug 107628] Re: DoS-vulnerability in lighttpd
OK. I can make i386 binaries or give you a source patch.
[Bug 107628] Re: DoS-vulnerability in lighttpd
This is going to take a while because the Ubuntu repositories are totally hammered by the Feisty release.
[Bug 107628] Re: DoS-vulnerability in lighttpd
Debdiff for Edgy for testing.

** Attachment added: Edgy fix debdiff
   http://librarian.launchpad.net/7351791/lighttpd-edgy.debdiff
[Bug 107628] Re: DoS-vulnerability in lighttpd
Dapper debdiff for testing. Note that only one of the two issues was relevant to this version.

** Attachment added: Dapper fix debdiff
   http://librarian.launchpad.net/7352259/dapper-httpd.patch
[Bug 107628] Re: DoS-vulnerability in lighttpd
Dapper-proposed debdiff for testing. Note that only one of the two issues was relevant to this version.

** Attachment added: Dapper-proposed debdiff
   http://librarian.launchpad.net/7352496/dapper-proposed-lighthttpd.debdiff
[Bug 107628] Re: DoS-vulnerability in lighttpd
Here are the source changes for all the supported releases. If you need me to build binaries for you (I can do -i386), let me know. Otherwise, please test these and then let us know how it goes.

** Changed in: lighttpd (Ubuntu)
   Assignee: Scott Kitterman => Fridtjof Busse
Re: [Bug 107628] Re: DoS-vulnerability in lighttpd
On Thu, Apr 19, 2007 at 06:48:33PM -, Scott Kitterman wrote:
> Debdiff for Edgy for testing.

Hi Scott,

Thanks very much for getting the patches extracted. The lighttpd package, however, uses the dpatch patch system. Instead of applying the fixes inline, please use dpatch-edit-patch. For more details on patching packages with different patch mechanisms, see pitti's excellent write up:

https://wiki.ubuntu.com/MOTU/School/PatchingSources

--
Kees Cook