Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 211956
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Johan Bergström <bugs@bergstroem.nu>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 211956 depends on: Show dependency tree
Bug 211956 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2008-03-01 11:22 0000 
When mod_cgi running onlighttpd is unable to fork anymore (for instance if
ulimit is reached) lighty sends the full source of the cgi script. This is
rather serious and affects all users of mod_cgi. The patch (found at lighttpd's
subversion repository) returns a 500 response instead.


Reproducible: Always

------- Comment #1 From Christian Hoffmann 2008-03-01 11:30:11 0000 ------- 
As far as I see, our default config is not vulnerable. We are shipping a
default config for mod_cgi (mod_cgi.conf) but we are not including it in
lighttpd.conf (and that's what matters).

CC'ing maintainers.

------- Comment #2 From Thilo Bangert 2008-03-01 17:43:39 0000 ------- 
hoffie: you are right. out of the box lighttpd is not affected (AFAICT). the
mod_cgi module is only loaded, if mod_cgi.conf is included (it's not by
default).

the patch is now included in lighttpd-1.4.18-r2.
security: do your thing :) thanks

------- Comment #3 From Tobias Heinlein 2008-03-01 20:19:44 0000 ------- 
Rating as C4 since the default configuration is not affected. Arches, please
stabilize www-servers/lighttpd-1.4.18-r2, target KEYWORDS are "alpha amd64 arm
hppa ia64 ~mips ppc ppc64 sh sparc ~sparc-fbsd x86 ~x86-fbsd".

------- Comment #4 From Christian Faulhammer 2008-03-01 23:31:38 0000 ------- 
Test fails badly...anyone else?

------- Comment #5 From Thilo Bangert 2008-03-02 11:01:17 0000 ------- 
sure - they have been failing for some time. sorry for not pointing that out.

------- Comment #6 From Raúl Porcel 2008-03-02 11:22:10 0000 ------- 
(In reply to comment #4)
> Test fails badly...anyone else?
> 

With what use-flags?

------- Comment #7 From Robert Buchholz 2008-03-02 11:29:13 0000 ------- 
File/password disclosure would be 3.

------- Comment #8 From Peter Volkov 2008-03-02 16:00:50 0000 ------- 
(In reply to comment #4)
> Test fails badly...anyone else?

All tests passed and www-apps/mantisbt works fine with lighttpd on amd64.

USE="bzip2 fam fastcgi gdbm ipv6 ldap memcache pcre php rrdtool ssl test webdav
xattr -doc -lua -minimal -mysql"

------- Comment #9 From Christian Faulhammer 2008-03-02 17:48:26 0000 ------- 
(In reply to comment #6)
> (In reply to comment #4)
> > Test fails badly...anyone else?
> > 
> 
> With what use-flags?

USE=*, USE=-* and USE=<profile>, that's what I usually test.  Tests differ
depending on USE flags.

------- Comment #10 From Markus Rothe 2008-03-02 20:46:31 0000 ------- 
ppc64 stable

------- Comment #11 From Ryan Hill 2008-03-02 21:53:12 0000 ------- 
mips already done.

------- Comment #12 From Jeroen Roovers 2008-03-03 01:56:18 0000 ------- 
Stable for HPPA.

------- Comment #13 From Raúl Porcel 2008-03-03 10:41:41 0000 ------- 
alpha/ia64/sparc/x86 stable

------- Comment #14 From Peter Volkov 2008-03-03 19:03:57 0000 ------- 
amd64 stable. And no tests fail here with different USE flags...

------- Comment #15 From Tobias Scherbaum 2008-03-04 18:50:51 0000 ------- 
ppc stable

------- Comment #16 From Peter Volkov 2008-03-05 06:45:47 0000 ------- 
Fixed in release snapshot.

------- Comment #17 From Pierre-Yves Rofes 2008-03-05 21:44:03 0000 ------- 
GLSA 200803-10
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug