The following vulnerability was discovered (from Gentoo):

lighttpd-1.4.19 and earlier contain a bug which can be exploited by a malicious user to forcefully close foreign SSL connections. To exploit this, the server has to have SSL support enabled and the attacker has to trigger an SSL error on his own connection (connecting and disconnecting before the download has finished is enough). lighttpd-1.4.19 was supposed to fix the problem, but the fix did not work as expected, so it is still vulnerable.

The damage which can be caused by this bug is rather low, I'd say: firstly, users can simply reconnect after their connection has been killed, and secondly, it is hard for an attacker to meet the exact point in time to crash a user's connection; it is mostly a problem when there are longer-pending connections such as downloads or keepalive.

References: http://bugs.gentoo.org/show_bug.cgi?id=214892
Original ticket: http://trac.lighttpd.net/trac/ticket/285#comment:19
Fix: http://trac.lighttpd.net/trac/changeset/2136
The original ticket was reopened, as the new fix seems to not be entirely correct. I'll follow the trac ticket until a proper fix is available.
CVE-2008-1531
Looking at the upstream ticket, it looks like this issue is resolved. Matthias, can you review? Is lighttpd planning a 1.4.20 release soon which includes the fix?
lighttpd-1.4.19-4.fc8 has been submitted as an update for Fedora 8
lighttpd-1.4.19-4.fc7 has been submitted as an update for Fedora 7
lighttpd-1.4.19-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
lighttpd-1.4.19-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
lighttpd 1.4.19-4 is missing from the Fedora 9 repos. Looking on koji, it was built for F7, F8 and F10, but not F9. The latest version in F9 is 1.4.19-2.fc9. With it missing I am not able to upgrade from Fedora 8 to Fedora 9 using yum.
lighttpd-1.4.19-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
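The thread above tracks which Fedora builds carry the fix (1.4.19-4 on F7, F8 and F9, while F9 briefly only had 1.4.19-2). As an added example that is not part of this bug report, the following Python re-implements rpm's version ordering (rpmvercmp, without tilde/caret handling) so that `rpm -q lighttpd` output from a fleet can be checked against that fixed release; the NEVR strings below are constructed samples, and the fixed release 1.4.19-4 is taken from the comments in this thread.

```python
import re

# Segment a version string the way rpmvercmp() does: runs of digits and runs
# of letters are compared; every other character is only a separator.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b under rpm's ordering."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):           # numeric segments compare as numbers
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():   # a numeric segment beats an alpha one
            return 1 if x.isdigit() else -1
        elif x != y:                       # alpha segments compare lexically
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1  # whichever has segments left wins


def split_nevr(nevr):
    """'lighttpd-1.4.19-2.fc9' -> (name, epoch, version, release); epoch defaults to 0."""
    name, version, release = nevr.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, epoch, version, release


def evr_cmp(a, b):
    """Compare two NEVR strings by epoch, then version, then release."""
    _, ea, va, ra = split_nevr(a)
    _, eb, vb, rb = split_nevr(b)
    for x, y in ((ea, eb), (va, vb), (ra, rb)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def is_fixed(installed_nevr, fixed_version="1.4.19", fixed_release="4"):
    """True when the installed package is at or above the fixed EVR.
    The dist tag (.fc7/.fc8/.fc9) is copied from the installed package so the
    same fixed release can be checked on every Fedora branch in the thread."""
    name, epoch, _, release = split_nevr(installed_nevr)
    m = re.search(r"\.(fc\d+)$", release)
    tag = "." + m.group(1) if m else ""
    fixed = f"{name}-{epoch}:{fixed_version}-{fixed_release}{tag}"
    return evr_cmp(installed_nevr, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample of `rpm -q lighttpd` output from several hosts.
    for nevr in ("lighttpd-1.4.19-2.fc9", "lighttpd-1.4.19-4.fc9", "lighttpd-1.4.19-4.fc8"):
        print(nevr, "fixed" if is_fixed(nevr) else "VULNERABLE")
```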