Bug 439066 - (CVE-2008-1531) CVE-2008-1531 lighttpd closes unrelated SSL connections on SSL error
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Matthias Saou
: Security
Depends On: 439067 439068 439069
Reported: 2008-03-26 15:57 EDT by Lubomir Kundrak
Modified: 2008-05-17 18:28 EDT

Fixed In Version: 1.4.19-4.fc9
Doc Type: Bug Fix
Last Closed: 2008-05-17 18:28:14 EDT
Description Lubomir Kundrak 2008-03-26 15:57:34 EDT
The following vulnerability was discovered:

(from Gentoo:)

lighttpd-1.4.19 and earlier contain a bug which can be exploited by a malicious
user to forcefully close foreign SSL connections.

To exploit this, the server has to have SSL support enabled and the attacker
has to trigger an SSL error on his own connection (connecting and disconnecting
before the download has finished is enough).

lighttpd-1.4.19 was supposed to fix the problem, but the fix did not work as
expected, so it is still vulnerable.

The damage which can be caused by this bug is rather low, I'd say: firstly,
users can simply reconnect after their connection has been killed, and
secondly, it is hard for an attacker to meet the exact point of time to crash a
user's connection; it is mostly a problem when there are longer-pending
connections such as downloads or keepalive.

References:

http://bugs.gentoo.org/show_bug.cgi?id=214892
Original ticket: http://trac.lighttpd.net/trac/ticket/285#comment:19
Fix: http://trac.lighttpd.net/trac/changeset/2136
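Added illustration, not code from lighttpd or from this bug report: a toy model of the fault-isolation failure the description names (one client's SSL error tearing down other clients' connections), with a buggy handler beside a corrected one. The shared error queue is modelled on OpenSSL's per-thread ERR_get_error()/ERR_clear_error() semantics; that this queue is the mechanism behind lighttpd's bug is an assumption, not something the report states, and the connection names and the aborting client are constructed.

```python
"""Fault isolation between TLS connections on one server thread.

Constructed illustration of the bug class in CVE-2008-1531, not lighttpd
code. The shared error queue below is modelled on OpenSSL's per-thread
error queue (ERR_get_error / ERR_clear_error); whether that queue is the
actual root cause in lighttpd is an assumption, not a fact from the report.
"""
from collections import deque

# Assumed mechanism: one error queue shared by every connection serviced on
# this thread, as OpenSSL keeps one per thread rather than one per SSL object.
_error_queue = deque()


class Conn:
    """Minimal stand-in for a server-side connection object."""

    def __init__(self, cid, aborts=False):
        self.cid = cid
        self.aborts = aborts      # constructed: this client disconnects mid-transfer
        self.closed = False
        self.bytes_sent = 0
        self.errors = []          # what the handler logged for this connection


def ssl_write(conn, n):
    """Stand-in for SSL_write(): on a peer abort, push an entry onto the
    shared queue and report failure; otherwise report n bytes written."""
    if conn.aborts:
        _error_queue.append(f"{conn.cid}: peer reset connection")
        return -1
    return n


def serve_buggy(conns, n=1024):
    """Error handling that consults the shared queue without ever clearing
    it: the entry left by one aborting client is misread as an error on
    every connection serviced afterwards, so unrelated clients are closed."""
    for conn in conns:
        if conn.closed:
            continue
        r = ssl_write(conn, n)
        if r < 0 or _error_queue:      # stale entries taint later connections
            conn.closed = True
        else:
            conn.bytes_sent += r
    return [c.cid for c in conns if c.closed]


def serve_fixed(conns, n=1024):
    """Clear the shared queue before each call, close only the connection
    whose own write failed, and drain what that call queued so nothing
    leaks into the next connection's error check."""
    for conn in conns:
        if conn.closed:
            continue
        _error_queue.clear()           # ERR_clear_error() before SSL_write()
        r = ssl_write(conn, n)
        if r < 0:
            conn.errors = list(_error_queue)   # ERR_get_error() loop: log it
            _error_queue.clear()               # then drop it
            conn.closed = True
        else:
            conn.bytes_sent += r
    return [c.cid for c in conns if c.closed]


def scenario(handler):
    """Four constructed clients; B aborts while A, C and D are mid-download.
    Returns the ids the handler closed, so the two handlers can be compared."""
    _error_queue.clear()
    conns = [Conn("A"), Conn("B", aborts=True), Conn("C"), Conn("D")]
    return handler(conns)


if __name__ == "__main__":
    print("buggy closes:", scenario(serve_buggy))   # B plus the innocent C and D
    print("fixed closes:", scenario(serve_fixed))   # only B
```

The check a packager would want when verifying an update is the `scenario` comparison: after one client aborts, every other client must still be open. The same assertion, written against a real server with several concurrent TLS downloads and one client that disconnects early, is the regression test that distinguishes a working fix from the incomplete one the report mentions for 1.4.19.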
Comment 2 Matthias Saou 2008-03-27 06:17:23 EDT
The original ticket was reopened, as the new fix seems to not be entirely
correct. I'll follow the trac ticket until a proper fix is available.
Comment 3 Lubomir Kundrak 2008-03-27 19:27:44 EDT
CVE-2008-1531
Comment 4 David Rees 2008-04-14 16:03:07 EDT
Looking at the upstream ticket, it looks like this issue is resolved.

Matthias, can you review? Is lighttpd planning a 1.4.20 release soon which
includes the fix?
Comment 5 Fedora Update System 2008-04-24 11:43:49 EDT
lighttpd-1.4.19-4.fc8 has been submitted as an update for Fedora 8
Comment 6 Fedora Update System 2008-04-24 11:44:06 EDT
lighttpd-1.4.19-4.fc7 has been submitted as an update for Fedora 7
Comment 7 Fedora Update System 2008-04-29 16:53:49 EDT
lighttpd-1.4.19-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2008-04-29 16:57:15 EDT
lighttpd-1.4.19-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 David Rees 2008-05-14 20:00:08 EDT
lighttpd 1.4.19-4 is missing from the Fedora 9 repos. Looking on koji, it was
built for F7, F8 and F10, but not F9. The latest version in F9 is 1.4.19-2.fc9.

With it missing I am not able to upgrade from Fedora 8 to Fedora 9 using yum.
Comment 10 Fedora Update System 2008-05-17 18:28:06 EDT
lighttpd-1.4.19-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.