Author: nion Date: 2011-12-20 20:18:13 +0000 (Tue, 20 Dec 2011) New Revision: 17835 Modified: data/CVE/list hardening/subgoal-daemons.txt Log: CVE-2011-3389/CVE-2011-4362 fixed in lighttpd 1.4.30-1; lighttpd now comes with hardening enabled Modified: data/CVE/list ==================================================================--- data/CVE/list 2011-12-20 17:44:56 UTC (rev 17834) +++ data/CVE/list 2011-12-20 20:18:13 UTC (rev 17835) @@ -1576,7 +1576,7 @@ [lenny] - libproc-processtable-perl <no-dsa> (Minor issue) CVE-2011-4362 [lighttpd signedness issue dos] RESERVED - - lighttpd <unfixed> (low; bug #652726) + - lighttpd 1.4.30-1 (low; bug #652726) NOTE: http://openwall.com/lists/oss-security/2011/11/29/8 NOTE: http://redmine.lighttpd.net/issues/2370 NOTE: the announcement says that the debian package is not affected, but there are no additional patches that would cause different behavior (i.e. the base64_reverse_table is the same in debian and upstream), so if upstream is affected, so too is the debian package @@ -4538,6 +4538,7 @@ CVE-2011-3389 (The SSL protocol, as used in certain configurations in Microsoft ...) {DSA-2358-1 DSA-2356-1} - sun-java6 <unfixed> (bug #645881) + - lighttpd 1.4.30-1 [lenny] - sun-java6 <no-dsa> (Non-free not supported) [squeeze] - sun-java6 <no-dsa> (Non-free not supported) - openjdk-6 6b23~pre11-1 @@ -4545,6 +4546,7 @@ - iceweasel <unfixed> - chromium-browser <unfixed> - webkit <unfixed> + NOTE: strictly speaking this is no lighttpd issue, but lighttpd adds a workaround CVE-2011-3388 (Opera before 11.51 allows remote attackers to cause an insecure site ...) NOT-FOR-US: Opera CVE-2011-3387 (The class file parser in IBM Java 1.4.2 SR13 FP9 allows remote ...) Modified: hardening/subgoal-daemons.txt ==================================================================--- hardening/subgoal-daemons.txt 2011-12-20 17:44:56 UTC (rev 17834) +++ hardening/subgoal-daemons.txt 2011-12-20 20:18:13 UTC (rev 17835) 
@@ -128,7 +128,6 @@ libchipcard libdaemon libpam-ssh -lighttpd linux-atm linux-igd linux-ftpd @@ -287,6 +286,7 @@ Resolved/fixed: apache2 (>= 2.2.12-1, sometimes partial) avahi +lighttpd (>= 1.4.30-1) bind9 (>= 1:9.5.0.dfsg.P2-2) loqui (>= 0.5.1-2) nagios-plugins (>= 1.4.15-5)
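Review bot: in the CVE-2011-4362 hunk of data/CVE/list (@@ -1576,7), the fix is recorded only for unstable (`- lighttpd 1.4.30-1 (low; bug #652726)`) and no `[squeeze]` or `[lenny]` line for lighttpd is added, so the stable and oldstable lighttpd packages remain marked as affected with no decision attached, even though the third NOTE argues they carry the same base64_reverse_table as upstream and are therefore affected. Add either a DSA reference or an explicit no-dsa decision for those suites in the form used just above in the same hunk (`[lenny] - libproc-processtable-perl <no-dsa> (Minor issue)`), so that a "low" issue does not sit as an open stable item indefinitely. The three NOTE lines can stay; they still document why the entry is tracked despite the upstream announcement.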
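Review bot: the new `- lighttpd 1.4.30-1` line in the CVE-2011-3389 hunk (@@ -4538,6) comes with no suite-specific entry, so squeeze and lenny lighttpd will now show as affected by a TLS protocol issue that, per the NOTE added in the following hunk, lighttpd only works around. Every other package in this block has an explicit stable decision (`[squeeze] - sun-java6 <no-dsa> (Non-free not supported)`); give lighttpd one too, `<no-dsa>` or `<not-affected>` with a short reason, so the workaround does not create a spurious open stable issue. If a Debian bug exists for the workaround, attach it in parentheses as the sun-java6 line does with `(bug #645881)`.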
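Review bot: the NOTE added in the @@ -4545,6 hunk (`NOTE: strictly speaking this is no lighttpd issue, but lighttpd adds a workaround`) lands after the webkit line, several entries below the lighttpd line it explains, which the previous hunk placed right after sun-java6; the tracker accepts a NOTE anywhere in the entry, but a reader scanning for lighttpd will miss the connection. Move it directly beneath `- lighttpd 1.4.30-1`, and change "no lighttpd issue" to "not a lighttpd issue". Saying which server-side mitigation the workaround is and linking the upstream ticket or changelog would make the entry self-explanatory, the way the CVE-2011-4362 entry does with its oss-security and redmine URLs.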
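Review bot: in the hardening/subgoal-daemons.txt hunk @@ -287,6, `+lighttpd (>= 1.4.30-1)` is inserted between avahi and bind9, but the Resolved/fixed list is kept alphabetical (apache2, avahi, bind9, loqui, nagios-plugins), so the line belongs after `bind9 (>= 1:9.5.0.dfsg.P2-2)` and before `loqui (>= 0.5.1-2)`. Consider also stating whether the hardening flags are fully or partially enabled, as the `apache2 (>= 2.2.12-1, sometimes partial)` line does, since the log message only says hardening is enabled.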