Description of problem:
Version 1.4.31 is known to have a severe security hole allowing remote attackers to push lighttpd into an infinite loop. 1.4.32 has been out since last November with a fix for this vulnerability.

Version-Release number of selected component (if applicable):
1.4.31-1.el6

How reproducible:
Look at the version number in the repo.

Steps to Reproduce:
1. add the EPEL repo.
2. yum list lighttpd.

Actual results:
Installing a web server with a known security hole.

Expected results:
Installing a web server withOUT a known security hole. That is, lighttpd 1.4.32.

Additional info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5533
http://www.lighttpd.net/
Confirmed on:
lighttpd-1.4.31-1.el5
lighttpd-1.4.31-1.el6

Duplicate of bug 878915.

Bug 878213 is related.
(In reply to Anssi Johansson from comment #1)
> Confirmed on:
> lighttpd-1.4.31-1.el5
> lighttpd-1.4.31-1.el6
>
> Duplicate of bug 878915.
>
> Bug 878213 is related.

indeed. moved my whining over to bug 878915. but what happened? matthias saou disappeared without a trace, and no one took up maintaining this package?
lighttpd-1.4.34-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/lighttpd-1.4.34-1.el6
lighttpd-1.4.34-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/lighttpd-1.4.34-1.fc19
lighttpd-1.4.34-1.el5.1 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/lighttpd-1.4.34-1.el5.1
lighttpd-1.4.34-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/lighttpd-1.4.34-1.fc20
Package lighttpd-1.4.34-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing lighttpd-1.4.34-1.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-0465/lighttpd-1.4.34-1.el6
then log in and leave karma (feedback).
lighttpd-1.4.34-3.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/lighttpd-1.4.34-3.fc20
lighttpd-1.4.34-3.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/lighttpd-1.4.34-3.fc19
lighttpd-1.4.34-1.el5.1 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
lighttpd-1.4.34-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
lighttpd-1.4.34-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
lighttpd-1.4.34-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.