Lighttpd in repository is outdated (security!)

Bug #119727 reported by PowerUser
Affects: lighttpd (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: lighttpd

I'm running Kubuntu 7.04 for AMD64.

Lighttpd 1.4.15 is out; it fixes a possible DoS attack on the server. Please update the repository, since this affects security/stability. Right now there is 1.4.13, which is vulnerable to the DoS attack. See lighttpd.net for more details.

Lionel Porcheron (lionel.porcheron) wrote :

Thanks for your bug reports. The two security fixes were already applied in our repository before the release. This is described in the changelog:

lighttpd (1.4.13-9ubuntu4) feisty; urgency=low

  * Added LDAP connection leak fix from Debian (Bug: #413917)
    - debian/patches/03_ldap_leak_bugfix.dpatch
  * Added security fixes from 1.4.14 (Closes LP: #106416)
    - Remote DOS in CRLF parsing (CVE-2007-1869)
       debian/patches/04_security_crlf_parsing_dos.dpatch
    - DOS with files with mtime 0 (CVE-2007-1870)
       debian/patches/05_security_zero_mtime_crash.dpatch

 -- Lukas Fittl <email address hidden> Sat, 14 Apr 2007 05:26:10 +0200

Changed in lighttpd:
status: Unconfirmed → Rejected
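
Added example (not part of the original report or of the Ubuntu packaging): the reply above rests on the fact that a distribution package can carry backported fixes while keeping the older upstream version number, so the changelog rather than the version string answers "is this CVE fixed?". The parser below reads the entry quoted in the comment and maps each CVE to the package version and patch file that fixed it; the function name `backported_fixes` and the regular expressions are assumptions of this example.

```python
import re

# Changelog entry copied from the comment above.
CHANGELOG = """\
lighttpd (1.4.13-9ubuntu4) feisty; urgency=low

  * Added LDAP connection leak fix from Debian (Bug: #413917)
    - debian/patches/03_ldap_leak_bugfix.dpatch
  * Added security fixes from 1.4.14 (Closes LP: #106416)
    - Remote DOS in CRLF parsing (CVE-2007-1869)
       debian/patches/04_security_crlf_parsing_dos.dpatch
    - DOS with files with mtime 0 (CVE-2007-1870)
       debian/patches/05_security_zero_mtime_crash.dpatch

 -- Lukas Fittl <email address hidden> Sat, 14 Apr 2007 05:26:10 +0200
"""

HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<ver>[^)]+)\) [^;]+;")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")
PATCH = re.compile(r"debian/patches/\S+")

def backported_fixes(changelog_text):
    """Map each CVE id to the package version and patch file that fixed it."""
    fixes, version, pending = {}, None, []
    for line in changelog_text.splitlines():
        header = HEADER.match(line)
        if header:                       # "package (version) dist; urgency=..."
            version, pending = header.group("ver"), []
            continue
        if line.startswith(" -- "):      # maintainer trailer closes the entry
            version = None
        if version is None:
            continue
        if line.lstrip().startswith(("* ", "- ")):
            pending = []                 # a new bullet starts a new item
        cves = CVE.findall(line)
        if cves:
            pending = cves
            for cve in cves:
                # Entries are newest first, so the last one seen is the oldest.
                fixes[cve] = {"version": version, "patch": None}
        patch = PATCH.search(line)
        if patch and pending:            # patch path listed under the CVE bullet
            for cve in pending:
                fixes[cve]["patch"] = patch.group(0)
            pending = []
    return fixes

if __name__ == "__main__":
    print(backported_fixes(CHANGELOG))
```

On an installed Debian or Ubuntu system the same text is normally found in `/usr/share/doc/lighttpd/changelog.Debian.gz`.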
This report contains Public Security information  
Everyone can see this security related information.
