Summary: | www-servers/lighttpd < 1.4.20 multiple issues (DoS, information disclosure) (CVE-2008-{4298,4359,4360}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Christian Hoffmann (RETIRED) <hoffie> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | craig, www-servers+disabled |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://trac.lighttpd.net/trac/ticket/1774 | ||
Whiteboard: | B3 [glsa] | ||
Package list: | | Runtime testing required: | ---
Description

Christian Hoffmann (RETIRED)

JFI: CVE request has been sent by lighty upstream to coley directly some days ago already and by bressers from Redhat @ oss-sec as well.

CVE-2008-4298 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4298): Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers.

www-servers: Apologies for not CC'ing you, I seem to have missed this.

1.4.20 has been released and I just added it to the tree. It fixes two other security problems. The first (mod_userdir-related) does not affect us, as we tracked this in bug 213164. The second is: (Quoting my mail to oss-sec)

> * Unexpected behavior of url.redirect / url.rewrite config options
>
> While this is not a security issue in lighttpd, the user might
> rely on the fact, that those options are supposed to be matched
> against the urldecoded version of the URL. Depending on the
> configuration, this would allow for unwanted access to certain
> resources (information disclosure or even manipulation of data)
> References: [1] [2]

Two more references to the memory leak issue are at [5] and [6].

Arches, please test and mark stable: =www-servers/lighttpd-1.4.20

Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86 ~mips ~sparc-fbsd ~x86-fbsd
Already stable: amd64
To stable: alpha arm hppa ia64 ppc ppc64 sh sparc x86

Short note: FEATURES=test seems to be broken here (not only in .20), I'll try to work on either fixing or restricting (preferably the former). Testing can be done just by running it through the init script and browsing some files (or maybe even setting up a webapp).

[1] http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
[2] http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
[5] http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
[6] http://www.lighttpd.net/security/lighttpd-1.4.x_request_header_memleak.patch

Actually adding arches.

From oss-sec:

>> * Unexpected behavior of url.redirect / url.rewrite config options
> Use CVE-2008-4359, to be filled in later.
>> * Information disclosure w/ mod_userdir on case-insensitive file
>> systems
> Use CVE-2008-4360, to be filled in later.

(And thanks for fixing my arch CC'ing mess-up, keytoaster ;))

Sparc stable.

Stable for HPPA.

alpha/ia64/x86 stable

ppc64 stable

ppc stable

Ready for vote, I vote YES.

*** Bug 239552 has been marked as a duplicate of this bug. ***

Voting YES, request filed.

GLSA 200812-04
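To make the url.rewrite / url.redirect point from the discussion concrete, here is an added Python illustration (not lighttpd code and not the upstream patch) that models a regex rule list matched against the raw request path versus the urldecoded one, the ordering the fix restores; the rules, replacement syntax and sample paths are constructed for the example. It also includes a small audit helper that reports which sample paths would be handled differently by the two orderings, which is what an administrator reviewing a configuration would want to know.

```python
import re
from urllib.parse import unquote

# Constructed rules in the shape of lighttpd's url.rewrite (regex key -> replacement
# with $N back-references). Hypothetical, not taken from any real configuration.
RULES = [
    (r"^/docs/API/(.*)$", "/api-docs/$1"),
    (r"^/private/.*", "/denied.html"),
]

# Constructed sample request paths; the second one spells "API" with %41 for "A".
SAMPLE_PATHS = ["/docs/API/v1", "/docs/%41PI/v1", "/index.html", "/private/x"]


def apply_rewrite(rules, raw_path, decode_first):
    """Return the path after applying the first matching rule.

    decode_first=False models the pre-1.4.20 behaviour described on this bug:
    rules are matched against the raw (still percent-encoded) request path.
    decode_first=True models the intended behaviour: decode, then match.
    When no rule matches, the decoded path is returned, since that is what
    the server ultimately serves either way.
    """
    subject = unquote(raw_path) if decode_first else raw_path
    for pattern, replacement in rules:
        m = re.match(pattern, subject)
        if m:
            # Translate the $N back-references of the constructed rule syntax
            # into Python's \N form before expanding the match.
            return m.expand(replacement.replace("$", "\\"))
    return unquote(raw_path)


def rules_sensitive_to_encoding(rules, sample_paths):
    """Audit helper: list sample paths whose outcome depends on whether the
    rules are matched before or after urldecoding. A non-empty result means a
    rule the administrator expects to apply can be sidestepped by encoding."""
    return [
        p for p in sample_paths
        if apply_rewrite(rules, p, decode_first=False)
        != apply_rewrite(rules, p, decode_first=True)
    ]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, "->", apply_rewrite(RULES, path, decode_first=False),
              "| decoded first:", apply_rewrite(RULES, path, decode_first=True))
    print("encoding-sensitive:", rules_sensitive_to_encoding(RULES, SAMPLE_PATHS))
```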