Fedora 9: 2008-11923 Moderate: Lighttpd Memory Leak and Rewrite Bypass

Secure, fast, compliant and very flexible web-server which has been optimized

for high-performance environments. It has a very low memory footprint compared

to other webservers and takes care of cpu-load. Its advanced feature-set

(FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make

it the perfect webserver-software for every server that is suffering load

problems.

Available rpmbuild rebuild options :

--with : gamin webdavprops webdavlocks memcache

--without : ldap gdbm lua (cml)

This update fixes some moderate security issues and includes a few enhancements.

* Wed Dec 24 2008 Matthias Saou 1.4.20-6

- Partially revert last change by creating a "spawn-fastcgi" symlink, so that

nothing breaks currently (especially for EL).

- Install empty poweredby image on RHEL since the symlink's target is missing.

- Split spawn-fcgi off in its own sub-package, have fastcgi package require it

to provide backwards compatibility.

* Mon Dec 22 2008 Matthias Saou 1.4.20-3

- Rename spawn-fastcgi to lighttpd-spawn-fastcgi to avoid clash with other

packages providing it for their own needs (#472749). It's not used as-is

by lighttpd, so it shouldn't be a problem... at worst, some custom scripts

will need to be updated.

* Mon Dec 22 2008 Matthias Saou 1.4.20-2

- Include conf.d/*.conf configuration snippets (#444953).

- Mark the default index.html in order to not loose changes upon upgrade if it

was edited or replaced with a different file (#438564).

- Include patch to add the INIT INFO block to the init script (#246973).

* Mon Oct 13 2008 Matthias Saou 1.4.20-1

- Update to 1.4.20 final.

* Mon Sep 22 2008 Matthias Saou 1.4.20-0.1.r2303

- Update to 1.4.20 r2303 pre-release.

* Mon Sep 22 2008 Matthias Saou 1.4.19-5

- Include memory leak patch (changeset #2305 from ticket #1774).

* Thu Apr 24 2008 Matthias Saou 1.4.19-4

- Merge in second changest from upstream fix for upstream bug #285.

* Thu Mar 27 2008 Matthias Saou 1.4.19-3

- Include sslshutdown patch, upstream fix to upstream bug #285 (#439066).

[ 1 ] Bug #464637 - CVE-2008-4298 lighttpd: memory leak http_request_parse() in request.c

https://bugzilla.redhat.com/show_bug.cgi?id=464637

[ 2 ] Bug #465751 - CVE-2008-4359 lighttpd: bypass of rewrite/redirect rules using encoded urls

https://bugzilla.redhat.com/show_bug.cgi?id=465751

[ 3 ] Bug #465752 - CVE-2008-4360 lighttpd: mod_userdir information disclosure on case-insensitve filesystems

https://bugzilla.redhat.com/show_bug.cgi?id=465752

su -c 'yum update lighttpd' at the command line.

For more information, refer to "Managing Software with yum",

available at .

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

Fedora-package-announce mailing list

Fedora-package-announce@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/