Re: Sarge backports security updates
On Tue, Jun 26, 2007 at 09:26:12AM +0200, Alexander Wirt wrote:
> Dominic Hargreaves wrote on Monday, 25 June 2007:
> Hi Dominic,
> > From past messages, I understand that sarge-backports is frozen. I
> > wanted to check what, if anything, I should be doing about security
> > updates in packages I've backported to sarge-backports in the past.
> > (Case in point: lighttpd).
> It's just frozen "in mind", but not technically. You are still able to upload,
> so I would be happy if you would do the security update for lighttpd.
Okay, uploaded now.
> If you
> provide me with some details I would be able to create a news item for the
Lifted mostly from the DSA, thanks to Steve Kemp:
Package : lighttpd
Vulnerability : denial of service
Problem-Type : local & remote
CVE ID : CVE-2007-1870 CVE-2007-1869
Two problems were discovered with lighttpd, a fast webserver with
minimal memory footprint, which could allow denial of service.
The Common Vulnerabilities and Exposures project identifies the
Remote attackers could cause denial of service by disconnecting
partway through making a request.
A NULL pointer dereference could cause a crash when serving files
with a mtime of 0.
These issues have been fixed in the 1.4.13-10~bpo.2 packages in
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)