[CVE-2008-1111] Failure to Handle Exceptional Conditions

Bug #198731 reported by Stephan Rügamer
Affects              Status        Importance  Assigned to        Milestone
lighttpd (Ubuntu)    Fix Released  Medium      Stephan Rügamer
  Dapper             Fix Released  Medium      Emanuele Gentili
  Edgy               Fix Released  Medium      Emanuele Gentili
  Feisty             Fix Released  Medium      Emanuele Gentili
  Gutsy              Fix Released  Medium      Emanuele Gentili
  Hardy              Fix Released  Medium      Stephan Rügamer

Bug Description

Binary package hint: lighttpd

mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the source code of CGI scripts instead of a 500 error, which might allow remote attackers to obtain sensitive information.

Fixes are found at: http://trac.lighttpd.net/trac/changeset/2107
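The failure mode named in the description, as an added illustration that is not lighttpd's code and not the upstream patch: a CGI start routine whose fork() error path ends in the same "not handled" return as a normal exit, beside one that reports the error so the dispatcher fails closed with a 500. The fork_fn hook, serve(), response_t and the script text are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the CGI script on disk, with a fake secret so
 * the disclosure in the vulnerable path is visible. */
static const char *SCRIPT_SRC = "#!/usr/bin/perl\nmy $db_pass = 'constructed-secret';\n";

typedef struct { int status; char body[128]; } response_t;

/* Hypothetical fork hook so a caller can make fork() "fail" on demand
 * instead of exhausting the process table; no real child is created. */
typedef pid_t (*fork_fn)(void);
static pid_t fork_fails(void) { return -1; }
static pid_t fork_ok(void)    { return 4242; }  /* parent-side pid */

/* Vulnerable shape: the fork error is logged but then reaches the same
 * return value that means "not handled here", so dispatch falls through
 * to the static-file handler and the script source is sent as the body. */
static int start_cgi_vulnerable(fork_fn do_fork) {
    pid_t pid = do_fork();
    if (pid == -1) {
        fprintf(stderr, "fork failed\n");   /* logged only, not reported */
    } else {
        return 1;                           /* parent: child will produce output */
    }
    return 0;                               /* "try the next handler" */
}

/* Fixed shape: fork failure is an error, so the caller fails closed. */
static int start_cgi_fixed(fork_fn do_fork) {
    pid_t pid = do_fork();
    if (pid == -1) { fprintf(stderr, "fork failed\n"); return -1; }
    return 1;
}

/* Dispatcher: CGI first; a 0 return hands the request to static serving. */
static response_t serve(fork_fn do_fork, int fixed) {
    response_t r = { 0, "" };
    int rc = fixed ? start_cgi_fixed(do_fork) : start_cgi_vulnerable(do_fork);
    if (rc < 0) {
        r.status = 500;                     /* fail closed: empty body */
    } else if (rc > 0) {
        r.status = 200; strcpy(r.body, "<cgi output>");
    } else {
        r.status = 200;                     /* static handler: raw file bytes */
        strncpy(r.body, SCRIPT_SRC, sizeof r.body - 1);
    }
    return r;
}
```

The same shape applies to any resource-exhaustion error in a handler chain: an error must map to a distinct return code, never to the code that means "let the next handler try".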

Changed in lighttpd:
assignee: nobody → shermann
status: New → Confirmed
Changed in lighttpd:
assignee: nobody → emgent
assignee: nobody → emgent
assignee: nobody → emgent
assignee: nobody → emgent
Revision history for this message
Stephan Rügamer (sruegamer) wrote :

lighttpd (1.4.18-1ubuntu5) hardy; urgency=low

  * debian/patches/90-CVE-2008-1111.dpatch:
    - Fixes CVE-2008-1111
      "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the source
      code of CGI scripts instead of a 500 error, which might allow remote attackers
      to obtain sensitive information."
      Upstream Patch: http://trac.lighttpd.net/trac/changeset/2107

 -- Stephan Hermann <email address hidden> Wed, 05 Mar 2008 14:04:43 +0100

Changed in lighttpd:
importance: Undecided → Medium
status: Confirmed → Fix Released
Changed in lighttpd:
importance: Undecided → Medium
Changed in lighttpd:
importance: Undecided → Medium
Changed in lighttpd:
importance: Undecided → Medium
Changed in lighttpd:
importance: Undecided → Medium
Changed in lighttpd:
status: New → In Progress
status: New → In Progress
status: New → In Progress
status: New → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

After some minor changelog fixes, I have uploaded dapper - gutsy.

Changed in lighttpd:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.18-1ubuntu1.2

---------------
lighttpd (1.4.18-1ubuntu1.2) gutsy-security; urgency=low

  * SECURITY UPDATE:
   + debian/patches/91_CVE-2008-1111.dpatch:
    - Fixes CVE-2008-1111
      "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
      source code of CGI scripts instead of a 500 error, which might allow
      remote attackers to obtain sensitive information." (LP: #198731)
  * References
   + http://trac.lighttpd.net/trac/changeset/2107
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

 -- Emanuele Gentili <email address hidden> Wed, 05 Mar 2008 14:28:27 +0100

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.13-9ubuntu4.4

---------------
lighttpd (1.4.13-9ubuntu4.4) feisty-security; urgency=low

  * SECURITY UPDATE:
   + debian/patches/91_CVE-2008-1111.dpatch:
    - Fixes CVE-2008-1111
      "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
      source code of CGI scripts instead of a 500 error, which might allow
      remote attackers to obtain sensitive information." (LP: #198731)
  * References
   + http://trac.lighttpd.net/trac/changeset/2107
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

 -- Emanuele Gentili <email address hidden> Wed, 05 Mar 2008 14:53:26 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

lighttpd (1.4.11-3ubuntu3.7) dapper-security; urgency=low

  * SECURITY UPDATE:
   + debian/patches/91_CVE-2008-1111.dpatch:
    - Fixes CVE-2008-1111
      "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
      source code of CGI scripts instead of a 500 error, which might allow
      remote attackers to obtain sensitive information." (LP: #198731)
  * References
   + http://trac.lighttpd.net/trac/changeset/2107
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

 -- Emanuele Gentili <email address hidden> Wed, 05 Mar 2008 16:32:13 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

lighttpd (1.4.13~r1370-1ubuntu1.5) edgy-security; urgency=low

  * SECURITY UPDATE:
   + debian/patches/91_CVE-2008-1111.dpatch:
    - Fixes CVE-2008-1111
      "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the
      source code of CGI scripts instead of a 500 error, which might allow
      remote attackers to obtain sensitive information." (LP: #198731)
  * References
   + http://trac.lighttpd.net/trac/changeset/2107
   + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

 -- Emanuele Gentili <email address hidden> Wed, 05 Mar 2008 16:14:40 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released