Re: Sarge backports security updates
On Tue, Jun 26, 2007 at 09:26:12AM +0200, Alexander Wirt wrote:
> Dominic Hargreaves wrote on Monday, 25 June 2007:
>
> Hi Dominic,
>
> > From past messages, I understand that sarge-backports is frozen. I
> > wanted to check what, if anything, I should be doing about security
> > updates in packages I've backported to sarge-backports in the past.
> > (Case in point: lighttpd).
> It's just frozen "in mind", but not technically. You are still able to upload,
> so I would be happy if you would do the security update for lighttpd.
Okay, uploaded now.
> If you
> provide me with some details I would be able to create a news item for the
> frontpage.
Lifted mostly from the DSA, thanks to Steve Kemp:

Package        : lighttpd
Vulnerability  : denial of service
Problem-Type   : local & remote
Debian-specific: no
CVE ID         : CVE-2007-1870 CVE-2007-1869

Two problems were discovered with lighttpd, a fast webserver with
minimal memory footprint, which could allow denial of service.
The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2007-1869

    Remote attackers could cause denial of service by disconnecting
    partway through making a request.

CVE-2007-1870

    A NULL pointer dereference could cause a crash when serving files
    with a mtime of 0.

These issues have been fixed in the 1.4.13-10~bpo.2 packages in
sarge-backports.

Cheers,
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)