Bug 439066 (CVE-2008-1531)

Summary: CVE-2008-1531 lighttpd closes unrelated SSL connections on SSL error
Product: [Other] Security Response
Reporter: Lubomir Kundrak <lkundrak>
Component: vulnerability
Assignee: Matthias Saou <matthias>
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Version: unspecified
CC: drees76, matthias
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 1.4.19-4.fc9
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2008-05-17 22:28:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 439067, 439068, 439069

Description Lubomir Kundrak 2008-03-26 19:57:34 UTC
The following vulnerability was discovered:

(from Gentoo:)

lighttpd-1.4.19 and earlier contain a bug which can be exploited by a malicious
user to forcefully close foreign SSL connections.

To exploit this, the server has to have SSL support enabled and the attacker
has to trigger an SSL error on his own connection (connecting and disconnecting
before the download has finished is enough).

lighttpd-1.4.19 was supposed to fix the problem, but the fix did not work as
expected, so it is still vulnerable.

The damage which can be caused by this bug is rather low, I'd say: Firstly,
users can simply reconnect after their connection has been killed, and
secondly, it is hard for an attacker to meet the exact point of time to crash a
user's connection; it is mostly a problem when there are longer-pending
connections such as downloads or keepalive.

References:

http://bugs.gentoo.org/show_bug.cgi?id=214892
Original ticket: http://trac.lighttpd.net/trac/ticket/285#comment:19
Fix: http://trac.lighttpd.net/trac/changeset/2136

Comment 2 Matthias Saou 2008-03-27 10:17:23 UTC
The original ticket was reopened, as the new fix seems to not be entirely
correct. I'll follow the trac ticket until a proper fix is available.

Comment 3 Lubomir Kundrak 2008-03-27 23:27:44 UTC
CVE-2008-1531

Comment 4 David Rees 2008-04-14 20:03:07 UTC
Looking at the upstream ticket, it looks like this issue is resolved.

Matthias, can you review? Is lighttpd planning a 1.4.20 release soon which
includes the fix?

Comment 5 Fedora Update System 2008-04-24 15:43:49 UTC
lighttpd-1.4.19-4.fc8 has been submitted as an update for Fedora 8

Comment 6 Fedora Update System 2008-04-24 15:44:06 UTC
lighttpd-1.4.19-4.fc7 has been submitted as an update for Fedora 7

Comment 7 Fedora Update System 2008-04-29 20:53:49 UTC
lighttpd-1.4.19-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-04-29 20:57:15 UTC
lighttpd-1.4.19-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 David Rees 2008-05-15 00:00:08 UTC
lighttpd 1.4.19-4 is missing from the Fedora 9 repos. Looking on koji, it was
built for F7, F8 and F10, but not F9. The latest version in F9 is 1.4.19-2.fc9.

With it missing I am not able to upgrade from Fedora 8 to Fedora 9 using yum.

Comment 10 Fedora Update System 2008-05-17 22:28:06 UTC
lighttpd-1.4.19-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.