FS#37765 - [lighttpd] security patches for 3 CVE
Attached to Project:
Arch Linux
Opened by RbN (RbN) - Thursday, 14 November 2013, 19:34 GMT
Last edited by Pierre Schmitz (Pierre) - Friday, 15 November 2013, 09:45 GMT
Details
Description:
[0] CVE-2013-4559: Privilege escalation from lighttpd user
[1] CVE-2013-4560: Use after free if FAMMonitorDirectory fails, leading to DoS
[2] CVE-2013-4508: Default SNI configuration is weak

Resolution: patches from upstream: [3] [4] [5]

Resources:
[0] http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
[1] http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
[2] http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
[3] http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.33_fix_setuid.patch
[4] http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.33_fix_fam_use_after_free.patch
[5] http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.33_fix_ssl_sni.patch
[1] Does not apply to 1.4.33, and Arch doesn't even use FAM in lighttpd.
I'd hope that for a fix as large as [2], upstream would simply do a new release... Have you looked into the release schedule for (I suppose) 1.4.34?
AFAIK, they will release a 1.4.34 soon, but I don't know when exactly.
As it is really easy to add these patches, I'd rather be safe than sorry here and just pushed a new package. I also included the FAM patch for those who compile from source.
It is unfortunate that there is no upstream announcement and no talk about a new release.
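The thread turns on two packaging facts: the maintainer added the upstream patches to the package, and one of them did not apply to 1.4.33. The following is an added example (not code from this bug report or from the Arch lighttpd package) of the apply-and-verify step a PKGBUILD prepare() would run, written so that a patch which fails to apply fails the build instead of being silently skipped. The function names, the miniature source tree and the diff it patches are all constructed for the demo and stand in for a real upstream fix.

```shell
# apply_security_patches SRCDIR PATCH... : apply each patch with -p1 inside
# SRCDIR. A dry run comes first, so a patch that rejects even one hunk leaves
# the tree untouched and the function returns 1 for the caller to abort on.
apply_security_patches() {
    srcdir="$1"; shift
    for p in "$@"; do
        [ -f "$p" ] || { echo "missing patch file: $p" >&2; return 1; }
        # -N refuses patches that look already applied or reversed, which is
        # what a fix written against a different release often looks like
        if ! patch -d "$srcdir" -p1 -N -s --dry-run < "$p" >/dev/null 2>&1; then
            echo "patch does not apply cleanly: $p" >&2
            return 1
        fi
        patch -d "$srcdir" -p1 -N -s < "$p" >/dev/null 2>&1 || return 1
    done
    return 0
}

# Build a constructed mini source tree plus a unified diff against it, so the
# example runs offline. Directory a/ is the unpatched tree, b/ the fixed one.
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/a/src" "$tmp/b/src"
    printf 'int drop_privileges(void) { return 0; }\n' > "$tmp/a/src/server.c"
    printf 'int drop_privileges(void) { return setuid_checked(); }\n' > "$tmp/b/src/server.c"
    # diff exits 1 when the files differ, which is the expected outcome here
    (cd "$tmp" && diff -u a/src/server.c b/src/server.c > fix.patch) || true
    echo "$tmp"
}

# Happy path: the patch applies and the tree now carries the fix.
# Prints "patched" on success.
demo_patch_workflow() {
    tmp=$(make_demo_tree)
    apply_security_patches "$tmp/a" "$tmp/fix.patch" || { rm -rf "$tmp"; return 1; }
    grep -q 'setuid_checked' "$tmp/a/src/server.c" && echo patched
    rm -rf "$tmp"
}

# Failure path: the same patch against a tree that already contains the fix
# (the "does not apply to this release" case) must return non-zero, and the
# build step calling it must stop rather than report the fix as shipped.
demo_patch_does_not_apply() {
    tmp=$(make_demo_tree)
    apply_security_patches "$tmp/b" "$tmp/fix.patch"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

In a real PKGBUILD the call would sit in prepare() as `apply_security_patches "$srcdir/lighttpd-$pkgver" "$srcdir"/*.patch`, with the patch files listed in source= and covered by the checksum array; the dry-run step is what turns a stale patch into a hard build failure.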