Red Hat Bugzilla – Bug 439066
CVE-2008-1531 lighttpd closes unrelated SSL connections on SSL error
Last modified: 2008-05-17 18:28:14 EDT
The following vulnerability was discovered:
lighttpd-1.4.19 and earlier contain a bug which can be exploited by a malicious
user to forcefully close foreign SSL connections.
To exploit this, the server has to have SSL support enabled and the attacker
has to trigger an SSL error on his own connection (connecting and disconnecting
before the download has finished is enough).
lighttpd-1.4.19 was supposed to fix the problem, but the fix did not work as
expected, so it is still vulnerable.
The damage which can be caused by this bug is rather low, I'd say: firstly,
users can simply reconnect after their connection has been killed, and
secondly, it is hard for an attacker to meet the exact point of time to crash a
user's connection; it is mostly a problem when there are longer-pending
connections such as downloads or keepalive.
Original ticket: http://trac.lighttpd.net/trac/ticket/285#comment:19
The original ticket was reopened, as the new fix seems to not be entirely
correct. I'll follow the trac ticket until a proper fix is available.
Looking at the upstream ticket, it looks like this issue is resolved.
Matthias, can you review? Is lighttpd planning a 1.4.20 release soon which
includes the fix?
lighttpd-1.4.19-4.fc8 has been submitted as an update for Fedora 8
lighttpd-1.4.19-4.fc7 has been submitted as an update for Fedora 7
lighttpd-1.4.19-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
lighttpd-1.4.19-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
lighttpd 1.4.19-4 is missing from the Fedora 9 repos. Looking on koji, it was
built for F7, F8 and F10, but not F9. The latest version in F9 is 1.4.19-2.fc9.
With it missing I am not able to upgrade from Fedora 8 to Fedora 9 using yum.
lighttpd-1.4.19-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
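The update comments above name the fixed build for each Fedora release (lighttpd-1.4.19-4.fc7, .fc8 and .fc9) and one still-vulnerable build (1.4.19-2.fc9). The following is an added example, written for this page and not code from lighttpd, Fedora or the bug reporter, that compares an installed lighttpd NVR against those fixed builds using a simplified rpm-style version comparison. The fixed-build table and sample NVRs come from the comments; the function names, the simplified `rpm_vercmp` (no tilde/caret handling) and the optional `rpm -q` query are assumptions of this example.

```python
import re
import subprocess
from typing import Optional

# Fixed builds as stated in the update comments of this bug, keyed by dist tag.
FIXED_BUILDS = {
    "fc7": "lighttpd-1.4.19-4.fc7",
    "fc8": "lighttpd-1.4.19-4.fc8",
    "fc9": "lighttpd-1.4.19-4.fc9",
}

# rpm splits version strings into alternating numeric and alphabetic segments.
_SEGMENT = re.compile(r"(\d+|[A-Za-z]+)")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: numeric segments compare as integers, alphabetic
    ones lexically, numeric sorts newer than alphabetic, and the string with
    segments left over is newer. Returns -1, 0 or 1. (Assumption: tilde and
    caret handling from real rpm is omitted.)"""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def parse_nvr(nvr: str):
    """Split 'name-version-release' from the right, so hyphens in the name survive."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(a: str, b: str) -> int:
    """Compare two NVRs of the same package: version first, then release."""
    name_a, ver_a, rel_a = parse_nvr(a)
    name_b, ver_b, rel_b = parse_nvr(b)
    if name_a != name_b:
        raise ValueError(f"different packages: {name_a} vs {name_b}")
    c = rpm_vercmp(ver_a, ver_b)
    return c if c != 0 else rpm_vercmp(rel_a, rel_b)


def is_patched(installed_nvr: str) -> Optional[bool]:
    """True if the installed build is at or above the fixed build for its
    Fedora release, False if older, None if the bug names no fixed build
    for that dist tag (e.g. fc10, for which the comments give no NVR)."""
    _, _, release = parse_nvr(installed_nvr)
    dist = release.rsplit(".", 1)[-1]
    fixed = FIXED_BUILDS.get(dist)
    if fixed is None:
        return None
    return compare_nvr(installed_nvr, fixed) >= 0


def installed_lighttpd() -> Optional[str]:
    """Ask rpm for the installed lighttpd NVR; None if rpm or the package is absent."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}", "lighttpd"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample NVRs: the vulnerable F9 build mentioned in the
    # comments, the fixed one, and an unknown dist tag.
    for nvr in ("lighttpd-1.4.19-2.fc9", "lighttpd-1.4.19-4.fc9",
                "lighttpd-1.4.19-4.fc10"):
        print(nvr, "->", is_patched(nvr))
    live = installed_lighttpd()
    if live:
        print("installed:", live, "->", is_patched(live))
```

`is_patched` returns `None` rather than guessing for dist tags the bug gives no fixed build for, which keeps the check honest on releases (such as the F10 build mentioned in the comments) where the page supplies no NVR to compare against.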