
Fedora alert FEDORA-2007-2132 (lighttpd)

From:  updates@fedoraproject.org
To:  fedora-package-announce@redhat.com
Subject:  [SECURITY] Fedora 7 Update: lighttpd-1.4.18-1.fc7
Date:  Wed, 12 Sep 2007 09:43:05 -0700
Message-ID:  <200709121643.l8CGgm9g001509@bastion.fedora.phx.redhat.com>

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-2132
2007-09-12 09:43:02.466839
--------------------------------------------------------------------------------

Name        : lighttpd
Product     : Fedora 7
Version     : 1.4.18
Release     : 1.fc7
Summary     : Lightning fast webserver with light system requirements
Description :
Secure, fast, compliant and very flexible web-server which has been optimized
for high-performance environments. It has a very low memory footprint compared
to other webservers and takes care of cpu-load. Its advanced feature-set
(FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make
it the perfect webserver-software for every server that is suffering load
problems.

Available rpmbuild rebuild options :
--with : gamin webdavprops webdavlocks memcache
--without : ldap gdbm lua (cml)

--------------------------------------------------------------------------------
Update Information:

Lighttpd (1.4.17 and earlier) is prone to a header overflow when using the
mod_fastcgi extension, this can lead to arbitrary code execution in the fastcgi
application. This 1.4.18 update fixes the issue.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Sep 10 2007 Matthias Saou <http://freshrpms.net/> 1.4.18-1
- Update to 1.4.18.
- Include newly installed lighttpd-angel ("angel" process meant to always run
  as root and restart lighttpd when it crashes, spawn processes on SIGHUP), but
  it's in testing stage and must be run with -D for now.
* Wed Sep  5 2007 Matthias Saou <http://freshrpms.net/> 1.4.17-1
- Update to 1.4.17.
- Update defaultconf patch to match new example configuration.
- Include patch to fix log file rotation with max-workers set (trac #902).
- Add /var/run/lighttpd/ directory where to put fastcgi sockets.
* Thu Aug 23 2007 Matthias Saou <http://freshrpms.net/> 1.4.16-3
- Add /usr/bin/awk build requirement, used to get LIGHTTPD_VERSION_ID.
* Wed Aug 22 2007 Matthias Saou <http://freshrpms.net/> 1.4.16-2
- Rebuild to fix wrong execmem requirement on ppc32.
* Thu Jul 26 2007 Matthias Saou <http://freshrpms.net/> 1.4.16-1
- Update to 1.4.16 security fix release.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #284511
        https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=284511
  [ 2 ] CVE-2007-4727
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-200...
--------------------------------------------------------------------------------
Updated packages:

This update can be installed with the 'yum' update program. Use
'yum update package-name' at the command line. For more information, refer to
'Managing Software with yum,' available at http://docs.fedoraproject.org/yum/.
--------------------------------------------------------------------------------



Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds