-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2008.0356 -- [Debian]
                New lighttpd packages fix denial of service
                               24 July 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              lighttpd
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
Impact:               Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-1531

Ref:                  ESB-2008.0336

Original Bulletin:    http://www.debian.org/security/2008/dsa-1540

Revision History:     July  24 2008: Update fixes previous regression
                      April 16 2008: Latest update fixes a previous
                                     regression which caused SSL failures
                      April  8 2008: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1540-3                  security@debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
July 23, 2008                         http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : lighttpd
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-1531

This update fixes a regression in lighttpd introduced in DSA-1540,
causing SSL failures. For reference the original advisory text is
quoted below.

It was discovered that lighttpd, a fast webserver with minimal memory
footprint, was didn't correctly handle SSL errors.  This could allow
a remote attacker to disconnect all active SSL connections.

For the stable distribution (etch), this problem has been fixed in
version 1.4.13-4etch10.

We recommend that you upgrade your lighttpd package.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10.diff.gz
    Size/MD5 checksum:    36023 5421eda86388cddf30348ee39c8b2059
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz
    Size/MD5 checksum:   793309 3a64323b8482b0e8a6246dbfdb4c39dc
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10.dsc
    Size/MD5 checksum:     1392 6011ac4224ab8ff0c1c9355f30ab11a9

Architecture independent packages:

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch10_all.deb
    Size/MD5 checksum:   100096 416759ae3a223ab799bbc7b264329600

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_alpha.deb
    Size/MD5 checksum:   319874 0b138412935fb92f57bf968d075a05c1
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_alpha.deb
    Size/MD5 checksum:    64968 5357d1c9aad4f5f5c03016d708670164
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_alpha.deb
    Size/MD5 checksum:    65408 03933a616584ab63c0e59e652856b99c
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_alpha.deb
    Size/MD5 checksum:    60148 8ed6ab0f02706ba339813f160cac356d
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_alpha.deb
    Size/MD5 checksum:    61924 7171b0c3a9542b33a73b38e9b2ac516d
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_alpha.deb
    Size/MD5 checksum:    71890 3d4973ba1c5e8d4938a35f7247e1cdbf

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_amd64.deb
    Size/MD5 checksum:    70182 7ab5aa294cc9a9949ec81c850dddafee
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_amd64.deb
    Size/MD5 checksum:    60978 961bc12a093309e50684188b2e948461
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_amd64.deb
    Size/MD5 checksum:    64116 c745249a7e7e42d0abdd3c7761ffb086
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_amd64.deb
    Size/MD5 checksum:    59368 aceae8b5e32229cf22de3d3b34344ba9
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_amd64.deb
    Size/MD5 checksum:   297762 f6cf537e673702bc7f801a697368a5bc
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_amd64.deb
    Size/MD5 checksum:    63822 9345b068868eb6209ec440d58ce86c55

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_arm.deb
    Size/MD5 checksum:   286920 d13637f537de06b137194407064ac0a9
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_arm.deb
    Size/MD5 checksum:    69928 a3f8604454dcdd7c7b8ae9f11302e833
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_arm.deb
    Size/MD5 checksum:    61044 773180da5b9fc10d1d9d2dd414249ff5
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_arm.deb
    Size/MD5 checksum:    58916 c794ba700e98dacb27bab69f64c9e149
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_arm.deb
    Size/MD5 checksum:    63308 5e657e92c3da9916dbbaee9c4a03f018
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_arm.deb
    Size/MD5 checksum:    63104 08e2941228b962c26c3a32bf0e86d32a

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_hppa.deb
    Size/MD5 checksum:    60160 69f1cd388dd12927944a18bc13ac2bfd
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_hppa.deb
    Size/MD5 checksum:    65266 01e1a4431148a150b7f9d8a7686c00f2
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_hppa.deb
    Size/MD5 checksum:    62150 0330b4725c3f6d0c3cd75c52d568a555
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_hppa.deb
    Size/MD5 checksum:    65772 cd104584c07c3a20e476c4ab2bc16031
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_hppa.deb
    Size/MD5 checksum:    73212 53e4b9752c555a2fd0b415d37f62c3f0
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_hppa.deb
    Size/MD5 checksum:   324330 2d95d0da6c2b87dbf0b985eb1ab8f807

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_i386.deb
    Size/MD5 checksum:   285396 caed89abf2b41aa96f854f391eeab7dd
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_i386.deb
    Size/MD5 checksum:    64088 8747d075d8b21d458e54cd08fa7e02b1
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_i386.deb
    Size/MD5 checksum:    59226 71056ae49ca30f121a53196e801a6909
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_i386.deb
    Size/MD5 checksum:    60962 a5f38b66f5375006217d89e7dd0290be
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_i386.deb
    Size/MD5 checksum:    63880 f5d9d6d0df4bde78a971363fcd91bd2e
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_i386.deb
    Size/MD5 checksum:    71204 4b26fd15200ef37037762c2f48d58ca1

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_ia64.deb
    Size/MD5 checksum:    61422 0c2d54f7b9b8aa11899ef4a3e312690e
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_ia64.deb
    Size/MD5 checksum:    63300 8fbe3eb055b99f3834b2dfb58f7ff070
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_ia64.deb
    Size/MD5 checksum:    67756 a5c0845befc3de72d9e2289e90384f64
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_ia64.deb
    Size/MD5 checksum:    77322 091bff45fac447c7bd5288c6cdf56b20
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_ia64.deb
    Size/MD5 checksum:    67606 b1325f224d1b54eb65f2125e98e82424
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_ia64.deb
    Size/MD5 checksum:   403688 ae0e8104305b96517d08f5aea77a4606

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_mips.deb
    Size/MD5 checksum:    60232 724ec494cc69548b8890880b7d248dba
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_mips.deb
    Size/MD5 checksum:    58848 3a6d7d458cb1c949115d3ad12d562138
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_mips.deb
    Size/MD5 checksum:    62926 193df4731bdc1ee1073714abe1d29114
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_mips.deb
    Size/MD5 checksum:    62800 e4c88318acfbe7f050ea4f1ed4681ebb
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_mips.deb
    Size/MD5 checksum:    69510 3f5b26527058dd16c4655c0ecde35512
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_mips.deb
    Size/MD5 checksum:   296630 75f466488f83f207f40e6f4f5f46574e

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_mipsel.deb
    Size/MD5 checksum:    61016 abe2b0c52a6296920a2e2fce95349202
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_mipsel.deb
    Size/MD5 checksum:   297784 e8a0ff63ef6a03ac95cf7c40b8e1b430
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_mipsel.deb
    Size/MD5 checksum:    59536 76c9889ec0027e00d9afe83d092d0d83
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_mipsel.deb
    Size/MD5 checksum:    63806 7b2d63f55b325ea9a1412a1c570dd3a3
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_mipsel.deb
    Size/MD5 checksum:    70284 be38504e52300160c540dc6bcd41430e
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_mipsel.deb
    Size/MD5 checksum:    63632 9ab20f0ac90dec49e4821bf2e3f2e352

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_powerpc.deb
    Size/MD5 checksum:    65662 914158dc357223cfbcdf4d8dccaa0750
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_powerpc.deb
    Size/MD5 checksum:   324318 ed2ab4940c84fa3d7f1a50f713a4f2a9
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_powerpc.deb
    Size/MD5 checksum:    65382 895629ee1afc700d0df7977329708327
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_powerpc.deb
    Size/MD5 checksum:    60898 b93e6ec96fc740ee8d5c41f42cf61775
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_powerpc.deb
    Size/MD5 checksum:    62720 ddfda8e2b596cc362e13374f0b3184c0
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_powerpc.deb
    Size/MD5 checksum:    72022 c36a5c17592f362d264da046c86719f4

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_s390.deb
    Size/MD5 checksum:    59834 b3b2274d0693571453277e07b007d317
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_s390.deb
    Size/MD5 checksum:   307604 efdcb28b7c72dd651fbef3cd29c0b2b0
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_s390.deb
    Size/MD5 checksum:    64888 5ee5c58eb8137e16d7cc5a5051e1e681
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_s390.deb
    Size/MD5 checksum:    61336 97649501fee31f896dbf0a04bc557e67
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_s390.deb
    Size/MD5 checksum:    64498 d808433a519c3b935e3377be7fe3200b
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_s390.deb
    Size/MD5 checksum:    71628 b3157f215944ad2e823bfe3faa0d1850

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_sparc.deb
    Size/MD5 checksum:    70228 f5e3eaf4c778339568a0e5a4b50a2c71
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_sparc.deb
    Size/MD5 checksum:    60764 d994ef00d45e45df2903629946c0b631
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_sparc.deb
    Size/MD5 checksum:    63660 5b044502ef80613f1cd9a713ac4cf90c
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_sparc.deb
    Size/MD5 checksum:   284744 a56972a3ea97aa4189ada9abec79a4be
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_sparc.deb
    Size/MD5 checksum:    59114 db674bf22be34eead049277cc5882d66
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_sparc.deb
    Size/MD5 checksum:    63682 2b3f4d7c52fe9cc8c9122df0bd46f7c3


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSId/FWz0hbPcukPfAQIAeQf/QzBpCctDMr4FGAcuzcXqcozR2/7UXkRU
vfuXSf8iDaItZVUXvUa1Hxt3TuT+1PYEB2uBKWrMpbq8QVp1CIFJdj+4P7z1vjO9
ezezsAu3+Uv91L0OzPgNixjbUQDtNG65/6ZUvXR4UkHoFKva8yUj7BG6pzA0f3Jq
BTyiLiAW23kjENWPvG3PdMPOVYIJsnsKHiwjuCHLw1M7aWjFubld+cacKa6RHc+3
RlQXSgziioYE5hzKdlSYN9tGrWK6qLO4eGcJ/K+t7uLaKrv4IplElsLGzrjqKi8o
BYvxGLyjt7slbF2Fe+8eedoIq7LKubOfMhGtoqkk78v1D2up7Ceffg==
=s+WC
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSIfOpCh9+71yA2DNAQKHrgP/YJY2yFNfk+0eIh71rmiqPLCuhFyrL7Gt
Cp35OL4SVAj6DO9Pt5Rz5xND3r61oLmCUlCocp772EAfJNiT+iehtcrukLllgwAi
oXEndB02DZ+fsMjMJqz5egrrX+/zXTbUc6ef63I6/o3pUe9WHdmuC90GLQ3pS91j
pKxKtBJ2qJU=
=Ai3+
-----END PGP SIGNATURE-----