238180 2008-09-20 13:57 0000 www-servers/lighttpd < 1.4.20 multiple issues (DoS, information disclosure) (CVE-2008-{4298,4359,4360}) 2008-12-02 17:50:18 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://trac.lighttpd.net/trac/ticket/1774 B3 [glsa] P2 minor --- 1 hoffie@gentoo.org security@gentoo.org arm@gentoo.org craig@gentoo.org sh@gentoo.org www-servers@gentoo.org hoffie@gentoo.org 2008-09-20 13:57:26 0000 lighttpd can be forced to leak memory by sending lots requests with duplicate request headers. Patch is available from the ticket and will be in the VCS in some minutes, lighty-1.4.20, which should include the patch, is supposed to be released in the near future. By some testing it looks like it takes some time to get lighty use a dangerous amount of memory, but nevertheless it's an issue. I'll handle bumping/patching. hoffie@gentoo.org 2008-09-26 20:10:55 0000 JFI: CVE request has been sent by lighty upstream to coley directly some days ago already and by bressers from Redhat @ oss-sec as well. rbu@gentoo.org 2008-09-29 14:58:26 0000 CVE-2008-4298 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4298): Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers. hoffie@gentoo.org 2008-09-30 15:13:03 0000 www-servers: Apologies for not CC'ing you, I seem to have missed this. 1.4.20 has been released and I just added it to the tree. It fixes two other security problems. The first (mod_userdir-related) does not affect us, as we tracked this in bug 213164. The second is: (Quoting my mail to oss-sec) > * Unexpected behavior of url.redirect / url.rewrite config options > > While this is not a security issue in lighttpd, the user might > rely on the fact, that those options are suppoosed to be matched > against the urldecoded version of the URL. Depending on the > configuration, this would allow for unwanted access to certain > resources (information disclosure or even manipulation of data) > References: [1] [2] Two more references to the memory leak issue are at [5] and [6]. Arches, please test and mark stable: =www-servers/lighttpd-1.4.20 Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86 ~mips ~sparc-fbsd ~x86-fbsd Already stable: amd64 To stable: alpha arm hppa ia64 ppc ppc64 sh sparc x86 Short note: FEATURES=test seems to be broken here (not only in .20), I'll try to work on either fixing or restricting (preferably the former). Testing can be done just by running it through the init script and browsing some files (or maybe even setting up a webapp). [1] http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt [2] http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch [5] http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt [6] http://www.lighttpd.net/security/lighttpd-1.4.x_request_header_memleak.patch keytoaster@gentoo.org 2008-09-30 16:43:24 0000 Actually adding arches. hoffie@gentoo.org 2008-09-30 18:54:19 0000 From oss-sec: >> * Unexpected behavior of url.redirect / url.rewrite config options > Use CVE-2008-4359, to be filled in later. >> * Information disclosure w/ mod_userdir on case-insensitive file >> systems > Use CVE-2008-4360, to be filled in later. (And thanks for fixing my arch CC'ing mess-up, keytoaster ;)) fmccor@gentoo.org 2008-09-30 19:42:27 0000 Sparc stable. jer@gentoo.org 2008-09-30 20:01:51 0000 Stable for HPPA. armin76@gentoo.org 2008-10-01 09:18:49 0000 alpha/ia64/x86 stable corsair@gentoo.org 2008-10-01 10:21:02 0000 ppc64 stable dertobi123@gentoo.org 2008-10-01 17:39:41 0000 ppc stable keytoaster@gentoo.org 2008-10-01 21:22:09 0000 Ready for vote, I vote YES. craig@gentoo.org 2008-10-04 15:45:44 0000 *** Bug 239552 has been marked as a duplicate of this bug. *** rbu@gentoo.org 2008-11-26 18:42:10 0000 Voting YES, request filed. rbu@gentoo.org 2008-12-02 17:50:18 0000 GLSA 200812-04