Bug 439066 (CVE-2008-1531) - CVE-2008-1531 lighttpd closes unrelated SSL connections on SSL error
Summary: CVE-2008-1531 lighttpd closes unrelated SSL connections on SSL error
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2008-1531
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Matthias Saou
QA Contact:
URL:
Whiteboard:
Depends On: 439067 439068 439069
Blocks:
Reported: 2008-03-26 19:57 UTC by Lubomir Kundrak
Modified: 2008-05-17 22:28 UTC (History)

Fixed In Version: 1.4.19-4.fc9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-17 22:28:14 UTC
Embargoed:



Description Lubomir Kundrak 2008-03-26 19:57:34 UTC
The following vulnerability was discovered:

(from Gentoo:)

lighttpd-1.4.19 and earlier contain a bug which can be exploited by a malicious
user to forcefully close foreign SSL connections.

To exploit this, the server has to have SSL support enabled and the attacker
has to trigger an SSL error on his own connection (connecting and disconnecting
before the download has finished is enough).

lighttpd-1.4.19 was supposed to fix the problem, but the fix did not work as
expected, so it is still vulnerable.

The damage which can be caused by this bug is rather low, I'd say: firstly,
users can simply reconnect after their connection has been killed, and
secondly, it is hard for an attacker to meet the exact point of time to crash a
user's connection; it is mostly a problem when there are longer-pending
connections such as downloads or keepalive.

References:

http://bugs.gentoo.org/show_bug.cgi?id=214892
Original ticket: http://trac.lighttpd.net/trac/ticket/285#comment:19
Fix: http://trac.lighttpd.net/trac/changeset/2136

Comment 2 Matthias Saou 2008-03-27 10:17:23 UTC
The original ticket was reopened, as the new fix seems to not be entirely
correct. I'll follow the trac ticket until a proper fix is available.

Comment 3 Lubomir Kundrak 2008-03-27 23:27:44 UTC
CVE-2008-1531

Comment 4 David Rees 2008-04-14 20:03:07 UTC
Looking at the upstream ticket, it looks like this issue is resolved.

Matthias, can you review? Is lighttpd planning a 1.4.20 release soon which
includes the fix?

Comment 5 Fedora Update System 2008-04-24 15:43:49 UTC
lighttpd-1.4.19-4.fc8 has been submitted as an update for Fedora 8

Comment 6 Fedora Update System 2008-04-24 15:44:06 UTC
lighttpd-1.4.19-4.fc7 has been submitted as an update for Fedora 7

Comment 7 Fedora Update System 2008-04-29 20:53:49 UTC
lighttpd-1.4.19-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-04-29 20:57:15 UTC
lighttpd-1.4.19-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 David Rees 2008-05-15 00:00:08 UTC
lighttpd 1.4.19-4 is missing from the Fedora 9 repos. Looking on koji, it was
built for F7, F8 and F10, but not F9. The latest version in F9 is 1.4.19-2.fc9.

With it missing I am not able to upgrade from Fedora 8 to Fedora 9 using yum.

Comment 10 Fedora Update System 2008-05-17 22:28:06 UTC
lighttpd-1.4.19-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
