[Secure-testing-commits] r17835 - data/CVE hardening

Nico Golde nion at alioth.debian.org
Tue Dec 20 20:18:13 UTC 2011


Author: nion
Date: 2011-12-20 20:18:13 +0000 (Tue, 20 Dec 2011)
New Revision: 17835

Modified:
   data/CVE/list
   hardening/subgoal-daemons.txt
Log:
CVE-2011-3389/CVE-2011-4362 fixed in lighttpd 1.4.30-1; lighttpd now comes with hardening enabled

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2011-12-20 17:44:56 UTC (rev 17834)
+++ data/CVE/list	2011-12-20 20:18:13 UTC (rev 17835)
@@ -1576,7 +1576,7 @@
 	[lenny] - libproc-processtable-perl <no-dsa> (Minor issue)
 CVE-2011-4362 [lighttpd signedness issue dos]
 	RESERVED
-	- lighttpd <unfixed> (low; bug #652726)
+	- lighttpd 1.4.30-1 (low; bug #652726)
 	NOTE: http://openwall.com/lists/oss-security/2011/11/29/8
 	NOTE: http://redmine.lighttpd.net/issues/2370
 	NOTE: the announcement says that the debian package is not affected, but there are no additional patches that would cause different behavior (i.e. the base64_reverse_table is the same in debian and upstream), so if upstream is affected, so too is the debian package
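Review bot: the package line now records the unstable fix, but the hunk carries no `[squeeze]` or `[lenny]` line for lighttpd, so the stable suites' status for CVE-2011-4362 is left implicit; given the NOTE's argument that the Debian package shares upstream's `base64_reverse_table` and is therefore affected, an explicit suite annotation (e.g. `[squeeze] - lighttpd <no-dsa> (Minor issue)`, matching the `low` severity) or a pointer to the pending update would make the entry unambiguous. Also, bug #652726 is still referenced on the new line; check it is closed by 1.4.30-1 so the tracker and the BTS agree.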
@@ -4538,6 +4538,7 @@
 CVE-2011-3389 (The SSL protocol, as used in certain configurations in Microsoft ...)
 	{DSA-2358-1 DSA-2356-1}
 	- sun-java6 <unfixed> (bug #645881)
+	- lighttpd 1.4.30-1
 	[lenny] - sun-java6 <no-dsa> (Non-free not supported)
 	[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
 	- openjdk-6 6b23~pre11-1
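Review bot: the added `- lighttpd 1.4.30-1` line is inserted between `- sun-java6 <unfixed>` and its `[lenny]`/`[squeeze] - sun-java6 <no-dsa>` lines, splitting the sun-java6 group; move it after the suite lines (next to `- openjdk-6 6b23~pre11-1`) so each package's entries stay together. As with the other hunk, there is no suite line for lighttpd here, and since the workaround is only in 1.4.30-1 the stable suites will show as vulnerable unless a `<no-dsa>` annotation is added.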
@@ -4545,6 +4546,7 @@
 	- iceweasel <unfixed>
 	- chromium-browser <unfixed>
 	- webkit <unfixed>
+	NOTE: strictly speaking this is no lighttpd issue, but lighttpd adds a workaround
 CVE-2011-3388 (Opera before 11.51 allows remote attackers to cause an insecure site ...)
 	NOT-FOR-US: Opera
 CVE-2011-3387 (The class file parser in IBM Java 1.4.2 SR13 FP9 allows remote ...)
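Review bot: the new NOTE stating that this is not a lighttpd issue but a workaround lands after `- webkit <unfixed>`, several lines away from the lighttpd package line it qualifies; place it directly below `- lighttpd 1.4.30-1` in the previous hunk so a reader of the entry sees the package line and its caveat together. It would also help to spell out what "workaround" means for triage (the package is not itself affected by CVE-2011-3389, it only mitigates it server-side), since that determines whether the stable suites need any update at all.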

Modified: hardening/subgoal-daemons.txt
===================================================================
--- hardening/subgoal-daemons.txt	2011-12-20 17:44:56 UTC (rev 17834)
+++ hardening/subgoal-daemons.txt	2011-12-20 20:18:13 UTC (rev 17835)
@@ -128,7 +128,6 @@
 libchipcard
 libdaemon
 libpam-ssh
-lighttpd
 linux-atm
 linux-igd
 linux-ftpd
@@ -287,6 +286,7 @@
 Resolved/fixed:
 apache2 (>= 2.2.12-1, sometimes partial)
 avahi
+lighttpd (>= 1.4.30-1)
 bind9 (>= 1:9.5.0.dfsg.P2-2)
 loqui (>= 0.5.1-2)
 nagios-plugins (>= 1.4.15-5)
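Review bot: the `Resolved/fixed:` list is alphabetical (apache2, avahi, bind9, loqui, nagios-plugins), but `lighttpd (>= 1.4.30-1)` is added between `avahi` and `bind9`; move it after `bind9 (>= 1:9.5.0.dfsg.P2-2)` so it sorts correctly. The removal from the pending list in the earlier hunk matches this addition, so the two lists stay consistent.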
