Author: nion
Date: 2011-12-20 20:18:13 +0000 (Tue, 20 Dec 2011)
New Revision: 17835

Modified:
   data/CVE/list
   hardening/subgoal-daemons.txt
Log:
CVE-2011-3389/CVE-2011-4362 fixed in lighttpd 1.4.30-1; lighttpd now comes with 
hardening enabled

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2011-12-20 17:44:56 UTC (rev 17834)
+++ data/CVE/list       2011-12-20 20:18:13 UTC (rev 17835)
@@ -1576,7 +1576,7 @@
        [lenny] - libproc-processtable-perl <no-dsa> (Minor issue)
 CVE-2011-4362 [lighttpd signedness issue dos]
        RESERVED
-       - lighttpd <unfixed> (low; bug #652726)
+       - lighttpd 1.4.30-1 (low; bug #652726)
        NOTE: http://openwall.com/lists/oss-security/2011/11/29/8
        NOTE: http://redmine.lighttpd.net/issues/2370
        NOTE: the announcement says that the debian package is not affected, 
but there are no additional patches that would cause different behavior (i.e. 
the base64_reverse_table is the same in debian and upstream), so if upstream is 
affected, so too is the debian package
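Review bot: the status line for CVE-2011-4362 moves from `<unfixed>` to `1.4.30-1`, but no `[lenny]` or `[squeeze]` annotation accompanies it, so the stable suites stay listed as affected at low severity. If that is intended (a `<no-dsa>` decision is pending), it is worth adding the suite line in the same style as `[lenny] - libproc-processtable-perl <no-dsa> (Minor issue)` at the top of this hunk so the tracker state is explicit rather than implied.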
@@ -4538,6 +4538,7 @@
 CVE-2011-3389 (The SSL protocol, as used in certain configurations in 
Microsoft ...)
        {DSA-2358-1 DSA-2356-1}
        - sun-java6 <unfixed> (bug #645881)
+       - lighttpd 1.4.30-1
        [lenny] - sun-java6 <no-dsa> (Non-free not supported)
        [squeeze] - sun-java6 <no-dsa> (Non-free not supported)
        - openjdk-6 6b23~pre11-1
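Review bot: the new `- lighttpd 1.4.30-1` line is inserted between `- sun-java6 <unfixed> (bug #645881)` and its `[lenny]`/`[squeeze]` suite annotations, which splits the sun-java6 entry in two. Place the lighttpd line after the sun-java6 block (or before it) so each package's suite annotations stay directly under its own status line; it would also help to carry the same severity/bug reference style the other lines use, if one applies.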
@@ -4545,6 +4546,7 @@
        - iceweasel <unfixed>
        - chromium-browser <unfixed>
        - webkit <unfixed>
+       NOTE: strictly speaking this is no lighttpd issue, but lighttpd adds a 
workaround
 CVE-2011-3388 (Opera before 11.51 allows remote attackers to cause an insecure 
site ...)
        NOT-FOR-US: Opera
 CVE-2011-3387 (The class file parser in IBM Java 1.4.2 SR13 FP9 allows remote 
...)
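Review bot: the added NOTE says lighttpd "adds a workaround" for CVE-2011-3389 but gives no reference for what that workaround is, unlike the CVE-2011-4362 entry which cites the oss-security post and the upstream redmine issue. Add a `NOTE:` with the upstream changelog entry or ticket so a reader can check which release introduced the mitigation and whether it is enabled by default.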

Modified: hardening/subgoal-daemons.txt
===================================================================
--- hardening/subgoal-daemons.txt       2011-12-20 17:44:56 UTC (rev 17834)
+++ hardening/subgoal-daemons.txt       2011-12-20 20:18:13 UTC (rev 17835)
@@ -128,7 +128,6 @@
 libchipcard
 libdaemon
 libpam-ssh
-lighttpd
 linux-atm
 linux-igd
 linux-ftpd
@@ -287,6 +286,7 @@
 Resolved/fixed:
 apache2 (>= 2.2.12-1, sometimes partial)
 avahi
+lighttpd (>= 1.4.30-1)
 bind9 (>= 1:9.5.0.dfsg.P2-2)
 loqui (>= 0.5.1-2)
 nagios-plugins (>= 1.4.15-5)
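Review bot: `lighttpd (>= 1.4.30-1)` is inserted between `avahi` and `bind9`, breaking the alphabetical order the Resolved/fixed list otherwise keeps (apache2, avahi, bind9, loqui, nagios-plugins). Move it after `loqui (>= 0.5.1-2)` so the list stays sorted and future diffs against it remain small.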


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits