Lighttpd vulnerability CVE-2011-4362
-
One of the hotels I support was just part of a PCI scan, and CVE-2011-4362 came up. http://security-tracker.debian.org/tracker/CVE-2011-4362 I do not think it applies to FreeBSD, but I cannot find any documentation to that effect. But is there any way to get a patch rolled out? Convincing reality to PCI compliance scanners is a serious challenge.
PS: Oh, and Hi. I am the Lee Sharp from the M0n0wall project. Been using pfSense in a few places where dual WAN is a nice thing. :)
-
If you're going to touch lighttpd, please consider adding:
1. mod_evasive
2. url.redirect-code support (to be able to specify HTTP code 302 instead of 301 for redirects). Last time I checked (~9 months ago) it required either lighttpd 1.5.0 or a patch for 1.4.x to work …
-
Bumping lighty's version for a CVE is probably in the cards, but adding features is not something that would be done during a security update.
-
Just bumped lighty to 1.4.31, will be in the next round of snapshots (2.0.2 and 2.1)
-
Apparently (according to http://redmine.lighttpd.net/issues/2247) the latter feature is now part of 1.4.31 so I'm good.
-
Any eta on 2.0.2?
I have MasterCard breathing down my neck… ;D
-
Apparently (according to http://redmine.lighttpd.net/issues/2247) the latter feature is now part of 1.4.31 so I'm good.
Hmm, seems to be missing mod_setenv (http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModSetEnv). Any chance to add mod_setenv to the default install?
PS: The reason for asking is because last year I did some testing for possible CP bottlenecks, and one idea I tried was to do the CP http -> https redirect using only lighttpd, rather than php. In that setup I used mod_setenv to set the various no-cache headers.
-
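A lighttpd configuration sketch of the setup described in the post above (the captive-portal HTTP to HTTPS redirect done in lighttpd itself, mod_setenv supplying the no-cache headers, and the url.redirect-code directive that 1.4.31 ships for answering with a 302). This is an added example, not the poster's or pfSense's own configuration; the portal hostname and port are placeholders.

```conf
# Added example: lighttpd >= 1.4.31 (url.redirect-code) with mod_redirect and mod_setenv loaded.
server.modules += ( "mod_redirect", "mod_setenv" )

# Plain-HTTP requests are bounced to the HTTPS portal.
# 302 rather than 301 so browsers do not cache the redirect permanently;
# a captive portal has to intercept the same clients again later.
$HTTP["scheme"] == "http" {
    url.redirect-code = 302
    # Placeholder target: replace with the portal's real address.
    url.redirect = ( "^/(.*)" => "https://portal.example.invalid:8001/$1" )
}

# No-cache headers added by lighttpd on every response, replacing the
# header() calls that would otherwise live in the PHP portal page.
setenv.add-response-header = (
    "Cache-Control" => "no-cache, no-store, must-revalidate",
    "Pragma"        => "no-cache",
    "Expires"       => "0"
)
```

After reloading, `curl -I http://<portal>/` should show the 302 and the three headers on the redirect response itself, which is the quick check that mod_setenv is actually loaded.
-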
2.0.2 will be any time now… every time I think it's ready someone finds another thing to fix (like a lighty CVE ;-)
As for setenv open a feature req ticket. Not sure.
-
Looks like lighttpd 1.4.31 is working fine in the 2.0.2 and 2.1 snapshots, so this should be resolved unless someone else finds a problem with it.