
Re: Sarge backports security updates



On Tue, Jun 26, 2007 at 09:26:12AM +0200, Alexander Wirt wrote:
> Dominic Hargreaves wrote on Monday, 25 June 2007:
>  
> Hi Dominic, 
> 
> > From past messages, I understand that sarge-backports is frozen. I
> > wanted to check what, if anything, I should be doing about security
> > updates in packages I've backported to sarge-backports in the past.
> > (Case in point: lighttpd).
> It's just frozen "in mind", but not technically. You are still able to upload,
> so I would be happy if you would do the security update for lighttpd.

Okay, uploaded now.

> If you
> provide me with some details I would be able to create a news item for the
> frontpage. 

Lifted mostly from the DSA, thanks to Steve Kemp:

Package        : lighttpd
Vulnerability  : denial of service
Problem-Type   : local & remote
Debian-specific: no
CVE ID         : CVE-2007-1870 CVE-2007-1869

Two problems were discovered with lighttpd, a fast webserver with
minimal memory footprint, which could allow denial of service.
The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2007-1869

  Remote attackers could cause denial of service by disconnecting
  partway through making a request.

CVE-2007-1870

  A NULL pointer dereference could cause a crash when serving files
  with a mtime of 0.

These issues have been fixed in the 1.4.13-10~bpo.2 packages in
sarge-backports.

Cheers,

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
