Summary: | www-servers/lighttpd <1.4.18-r2 mod_cgi vulnerability (CVE-2008-1111) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Johan Bergström <bugs> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | hoffie, www-servers+disabled |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://trac.lighttpd.net/trac/changeset/2107 | ||
Whiteboard: | C3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Johan Bergström
2008-03-01 11:22:45 UTC
As far as I see, our default config is not vulnerable. We are shipping a default config for mod_cgi (mod_cgi.conf) but we are not including it in lighttpd.conf (and that's what matters). CC'ing maintainers.

hoffie: you are right. Out of the box lighttpd is not affected (AFAICT). The mod_cgi module is only loaded if mod_cgi.conf is included (it's not by default). The patch is now included in lighttpd-1.4.18-r2. security: do your thing :) thanks

Rating as C4 since the default configuration is not affected.

Arches, please stabilize www-servers/lighttpd-1.4.18-r2, target KEYWORDS are "alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc ~sparc-fbsd x86 ~x86-fbsd".

Test fails badly...anyone else?

Sure - they have been failing for some time. Sorry for not pointing that out.

(In reply to comment #4)
> Test fails badly...anyone else?

With what use-flags?

File/password disclosure would be 3.

(In reply to comment #4)
> Test fails badly...anyone else?

All tests passed and www-apps/mantisbt works fine with lighttpd on amd64.
USE="bzip2 fam fastcgi gdbm ipv6 ldap memcache pcre php rrdtool ssl test webdav xattr -doc -lua -minimal -mysql"

(In reply to comment #6)
> (In reply to comment #4)
> > Test fails badly...anyone else?
>
> With what use-flags?

USE=*, USE=-* and USE=<profile>, that's what I usually test. Tests differ depending on USE flags.

ppc64 stable

mips already done.

Stable for HPPA.

alpha/ia64/sparc/x86 stable

amd64 stable. And no tests fail here with different USE flags...

ppc stable

Fixed in release snapshot. GLSA 200803-10
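The thread's exposure argument rests on one configuration fact: lighttpd only loads mod_cgi when a file reached from lighttpd.conf adds "mod_cgi" to server.modules, and the shipped mod_cgi.conf is not included by default. The script below is an added example (not Gentoo's or lighttpd's code) that applies that rule to a config tree so an administrator can tell whether a given installation is in scope: it strips comments, follows include lines, collects server.modules entries, and reports include_shell commands without running them. The sample files are constructed to mirror the layout the bug describes; their exact contents, and the assumption that include names are resolved by the caller-supplied reader, are mine, not the package's real files.

```python
"""Check whether a lighttpd configuration tree actually loads mod_cgi.

Added example, not Gentoo's or lighttpd's own code.  Rule implemented:
mod_cgi is loaded only if "mod_cgi" appears in a server.modules list in
lighttpd.conf or in a file it includes; a commented-out include does not count.
"""
import re
from typing import Callable, Dict, List

# Constructed sample tree.  Layout follows the bug report (mod_cgi.conf is
# shipped but lighttpd.conf does not include it); the exact contents are an
# assumption, not the real Gentoo files.
SAMPLE_FILES: Dict[str, str] = {
    "lighttpd.conf": """
server.modules = (
    "mod_rewrite",
    "mod_access",
    "mod_accesslog",
)
server.document-root = "/var/www/localhost/htdocs"
#   include "mod_cgi.conf"   # shipped but not included: mod_cgi stays unloaded
include "mod_fastcgi.conf"
""",
    "mod_cgi.conf": """
server.modules += ( "mod_cgi" )
cgi.assign = ( ".pl" => "/usr/bin/perl", ".cgi" => "/usr/bin/perl" )
""",
    "mod_fastcgi.conf": """
server.modules += ( "mod_fastcgi" )
fastcgi.server = ( ".php" => (( "socket" => "/var/run/lighttpd/php.socket" )) )
""",
}

_MODULES = re.compile(r'server\.modules\s*\+?=\s*\(([^)]*)\)', re.S)
_STRING = re.compile(r'"([^"]*)"')
_INCLUDE = re.compile(r'^\s*include\s+"([^"]+)"', re.M)
_INCLUDE_SHELL = re.compile(r'^\s*include_shell\s+"([^"]+)"', re.M)


def strip_comments(text: str) -> str:
    """Drop '#' comments, but leave a '#' inside a quoted string alone."""
    out: List[str] = []
    for line in text.splitlines():
        kept, in_str = [], False
        for ch in line:
            if ch == '"':
                in_str = not in_str
            elif ch == "#" and not in_str:
                break
            kept.append(ch)
        out.append("".join(kept))
    return "\n".join(out)


def loaded_modules(entry: str, read_file: Callable[[str], str]) -> Dict[str, List[str]]:
    """Walk `entry` and every file it includes; collect server.modules entries.

    `read_file` maps an include name to file contents, so the caller decides
    how relative paths resolve.  include_shell commands are reported rather
    than executed, which tells the caller the answer may be incomplete.
    """
    modules: List[str] = []
    visited: List[str] = []
    shell_cmds: List[str] = []

    def walk(name: str) -> None:
        if name in visited:          # guard against include loops
            return
        visited.append(name)
        try:
            text = strip_comments(read_file(name))
        except (KeyError, OSError):  # missing file: lighttpd itself would refuse to start
            return
        for block in _MODULES.finditer(text):
            modules.extend(_STRING.findall(block.group(1)))
        shell_cmds.extend(_INCLUDE_SHELL.findall(text))
        for inc in _INCLUDE.findall(text):
            walk(inc)

    walk(entry)
    return {"modules": modules, "files": visited, "include_shell": shell_cmds}


def loads_mod_cgi(entry: str, read_file: Callable[[str], str]) -> bool:
    """True only if some reachable config file puts "mod_cgi" in server.modules."""
    return "mod_cgi" in loaded_modules(entry, read_file)["modules"]


if __name__ == "__main__":
    report = loaded_modules("lighttpd.conf", SAMPLE_FILES.__getitem__)
    print("files read:    ", report["files"])
    print("modules:       ", report["modules"])
    print("include_shell: ", report["include_shell"])
    print("mod_cgi loaded:", loads_mod_cgi("lighttpd.conf", SAMPLE_FILES.__getitem__))
```

Against a real installation, pass a reader such as `lambda n: open(os.path.join("/etc/lighttpd", n)).read()`; a non-empty `include_shell` list means the verdict has to be confirmed by hand, since those commands can add modules the static walk never sees.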