When mod_cgi running on lighttpd is unable to fork anymore (for instance if ulimit is reached), lighty sends the full source of the CGI script. This is rather serious and affects all users of mod_cgi. The patch (found in lighttpd's subversion repository) returns a 500 response instead. Reproducible: Always
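The failure mode in the report comes down to one dispatch decision: when fork() fails, a CGI handler that hands the request back to the next handler lets the static-file handler serve the script as a plain file, while a handler that finishes the request with a 500 does not. The following is an added illustrative model of that decision, not lighttpd's own code or the patch from the bug; the handler names, the fork_fn indirection (so the fork failure can be triggered deterministically) and the sample script source are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Model of a two-stage handler chain: a CGI handler runs first and either
 * finishes the request or hands it on to a static-file handler. */
enum handler_result { HANDLER_FINISHED, HANDLER_GO_ON };

struct response {
    int status;
    char body[256];
};

/* Hypothetical fork abstraction so the failure path is testable offline. */
typedef int (*fork_fn)(void);
static int fork_ok(void)   { return 4242; } /* pretend child pid */
static int fork_fail(void) { return -1; }   /* e.g. process limit (ulimit -u) reached */

/* Constructed sample CGI script; the credential is a placeholder. */
static const char SCRIPT_SOURCE[] =
    "#!/bin/sh\n"
    "dbpass=constructed-example-password\n"
    "echo 'Content-Type: text/plain'\n"
    "echo\n"
    "echo ok\n";

/* Stand-in for the static-file handler: serves the file bytes as-is. */
static void serve_static(struct response *r) {
    r->status = 200;
    snprintf(r->body, sizeof r->body, "%s", SCRIPT_SOURCE);
}

/* Vulnerable pattern: on fork failure the request is passed on, so the
 * static-file handler ends up serving the script source. */
static enum handler_result cgi_vulnerable(fork_fn do_fork, struct response *r) {
    if (do_fork() < 0)
        return HANDLER_GO_ON;
    r->status = 200;
    snprintf(r->body, sizeof r->body, "%s", "<cgi output>");
    return HANDLER_FINISHED;
}

/* Fixed pattern: on fork failure the request is finished with a 500 and an
 * empty body, so no later handler can touch the script file. */
static enum handler_result cgi_fixed(fork_fn do_fork, struct response *r) {
    if (do_fork() < 0) {
        r->status = 500;
        r->body[0] = '\0';
        return HANDLER_FINISHED;
    }
    r->status = 200;
    snprintf(r->body, sizeof r->body, "%s", "<cgi output>");
    return HANDLER_FINISHED;
}

/* Dispatch loop: returns the final HTTP status of the request. */
static int handle_request(enum handler_result (*cgi)(fork_fn, struct response *),
                          fork_fn do_fork, struct response *r) {
    r->status = 0;
    r->body[0] = '\0';
    if (cgi(do_fork, r) == HANDLER_GO_ON)
        serve_static(r);
    return r->status;
}

/* Detection helper: did script source reach the response body? */
static int leaks_source(const struct response *r) {
    return strstr(r->body, "dbpass=") != NULL;
}

int main(void) {
    struct response r;
    printf("vulnerable, fork fails: %d leak=%d\n",
           handle_request(cgi_vulnerable, fork_fail, &r), leaks_source(&r));
    printf("fixed, fork fails:      %d leak=%d\n",
           handle_request(cgi_fixed, fork_fail, &r), leaks_source(&r));
    printf("fixed, fork ok:         %d leak=%d\n",
           handle_request(cgi_fixed, fork_ok, &r), leaks_source(&r));
    return 0;
}
```

The useful check for an administrator is the one `leaks_source` performs: a CGI path returning 200 with the interpreter line or configuration variables in the body under process-limit pressure is the symptom, and a 500 with an empty body is the expected behaviour after the fix.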
As far as I see, our default config is not vulnerable. We are shipping a default config for mod_cgi (mod_cgi.conf) but we are not including it in lighttpd.conf (and that's what matters). CC'ing maintainers.
hoffie: you are right. Out of the box lighttpd is not affected (AFAICT). The mod_cgi module is only loaded if mod_cgi.conf is included (it's not by default). The patch is now included in lighttpd-1.4.18-r2. Security: do your thing :) Thanks.
Rating as C4 since the default configuration is not affected. Arches, please stabilize www-servers/lighttpd-1.4.18-r2, target KEYWORDS are "alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc ~sparc-fbsd x86 ~x86-fbsd".
Test fails badly...anyone else?
Sure - they have been failing for some time. Sorry for not pointing that out.
(In reply to comment #4)
> Test fails badly...anyone else?

With what use-flags?
File/password disclosure would be 3.
(In reply to comment #4)
> Test fails badly...anyone else?

All tests passed and www-apps/mantisbt works fine with lighttpd on amd64. USE="bzip2 fam fastcgi gdbm ipv6 ldap memcache pcre php rrdtool ssl test webdav xattr -doc -lua -minimal -mysql"
(In reply to comment #6)
> (In reply to comment #4)
> > Test fails badly...anyone else?
>
> With what use-flags?

USE=*, USE=-* and USE=<profile>, that's what I usually test. Tests differ depending on USE flags.
ppc64 stable
mips already done.
Stable for HPPA.
alpha/ia64/sparc/x86 stable
amd64 stable. And no tests fail here with different USE flags...
ppc stable
Fixed in release snapshot.
GLSA 200803-10