Bug#926885: marked as done (lighttpd: CVE-2019-11072)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Wed, 17 Apr 2019 14:33:59 +0000
with message-id <E1hGldP-000G9M-DM@fasolo.debian.org>
and subject line Bug#926885: fixed in lighttpd 1.4.53-4
has caused the Debian Bug report #926885,
regarding lighttpd: CVE-2019-11072
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926885: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926885
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: lighttpd: CVE-2019-11072
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Thu, 11 Apr 2019 21:20:54 +0200
• Message-id: <[🔎] 155501045407.3040.18417090096789142211.reportbug@eldamar.local>

Source: lighttpd
Version: 1.4.53-3
Severity: grave
Tags: security upstream
Forwarded: https://redmine.lighttpd.net/issues/2945

Hi,

The following vulnerability was published for lighttpd.

CVE-2019-11072[0]:
| lighttpd before 1.4.54 has a signed integer overflow, which might
| allow remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via a malicious HTTP
| GET request, as demonstrated by mishandling of /%2F? in
| burl_normalize_2F_to_slash_fix in burl.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11072
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11072
[1] https://redmine.lighttpd.net/issues/2945
[2] https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

• To: 926885-close@bugs.debian.org
• Subject: Bug#926885: fixed in lighttpd 1.4.53-4
• From: Glenn Strauss <gstrauss@gluelogic.com>
• Date: Wed, 17 Apr 2019 14:33:59 +0000
• Message-id: <E1hGldP-000G9M-DM@fasolo.debian.org>

Source: lighttpd
Source-Version: 1.4.53-4

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926885@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Glenn Strauss <gstrauss@gluelogic.com> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Apr 2019 00:00:00 -0400
Source: lighttpd
Architecture: source
Version: 1.4.53-4
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Glenn Strauss <gstrauss@gluelogic.com>
Closes: 926885
Changes:
 lighttpd (1.4.53-4) unstable; urgency=high
 .
   * QA upload.
   * fix mixed use of srv->split_vals array (regression)
   * mod_magnet:fix invalid script return-type crash
   * fix assertion with server.error-handler
   * mod_wstunnel:fix wstunnel.ping-interval for big-endian architectures
   * fix abort in server.http-parseopts with url-path-2f-decode enabled
     CVE-2019-11072 (closes: #926885)
Checksums-Sha1:
 b609f87fcac5281e0dea93b72ba74b9db2fe0a24 3879 lighttpd_1.4.53-4.dsc
 b79ba0fa89ad031f0fe979a2bd6d0667390459b7 44060 lighttpd_1.4.53-4.debian.tar.xz
 5b34212f522882d440645fc8636cd8d68265e282 16638 lighttpd_1.4.53-4_amd64.buildinfo
Checksums-Sha256:
 d496e9a6879a70451402d8a19f0396e781dc00fc902c9bf0b567c6c8b6b63257 3879 lighttpd_1.4.53-4.dsc
 b11b1ff4831671cc67da207009d5cb9dac71fea5b17ac10144a980cb5903dcc4 44060 lighttpd_1.4.53-4.debian.tar.xz
 c70fdd421bf1240ca925390e01c9cd14a4c121dfab3d4c6a215175fabdcb1eb0 16638 lighttpd_1.4.53-4_amd64.buildinfo
Files:
 f0d901e9c6b3d9ab91179b4d54567aa4 3879 httpd optional lighttpd_1.4.53-4.dsc
 f0b909359a42999d57044af80513cc39 44060 httpd optional lighttpd_1.4.53-4.debian.tar.xz
 ebed16c45ec61b788fb19f1696944831 16638 httpd optional lighttpd_1.4.53-4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETMLS2QqNFlTb+HOqLRqqzyREREIFAly3KT8ACgkQLRqqzyRE
REKqlQ//URCooawWK1Z5e1/RRYLF8DBPyahxrI2DEJG83Xp9ikdVy1+0KAGfdTOC
yOJY9trdRuek7liGr4mKu+fIeF4Mj12eoz9QV6678A4VuegdgRiPWGbWN6Nc3xlV
jP2Z9j+RVBXU59v3SdAYTDeUBindqk7P5qGl8YtLS0Asub4cGVX1MmmI2sv/Lk/A
ihdQvXFeaN8VnbF/0Um5cnzEL3gh+Z/oEo6YnGxn6FVUG/ZJ6vFAvUwkLOuIIvkO
Qh4JeJ5c0ujJHYa6b7zQIRobQBsUVWh3K6AZ6plVqE10YdSt+3yG2/Cgmc5YfqdC
MVmzkGe6UdNKHua09YEFkSbmIynfHIVwUJytylv0pryl4TTKv1ZKnJeO5a9Mw9Vq
UuffUZEwLwtwnevYyu8ycp7IVip7lor04JmQFUa6vqpW2MdS9OEEeRtRDWjWlGdM
yAhMKHvz2PAMUROnpztgLHDvtSHv8WYsCuo5dk92FCq9amgG3gwtvsxvhPGge9k3
owIhbeblxtopj8geyQtk0G714+Olrpq77ZjlszE1HHATH2hMIziXPy6haieJxZ3Q
uJnpmRW1AX4ovWM4g2jxo0K0wyyflMG4YMX0jken0XTiA+pkF+QQQPlEAm+i32nf
Pt5cQxrt/m5+ncC8iZ/beTPdNPYQWXM3/Yt1zDP77pY9GuUaWZk=
=ZGri
-----END PGP SIGNATURE-----

--- End Message ---