[pkg-lighttpd] httpoxy Security Vulnerability in Lighttpd

Timo Sigurdsson public_timo.s at silentcreek.de
Wed Jul 27 14:43:04 UTC 2016


Hi,

Yves-Alexis Perez wrote on 26.07.2016 21:52:

> On mer., 2016-07-20 at 12:09 +0200, Timo Sigurdsson wrote:
>> 
>> as the HTTPOXY vulnerability is gaining media attention [1] and the upstream
>> maintainers of Lighttpd have already applied a patch for the issue in
>> their source repository [2], I was wondering if the patch will be backported
>> to the Lighttpd packages available in Debian. Since I'm not a developer, I
>> cannot assess to which extent this is possible or even necessary for the
>> versions shipped in Debian, but I thought I might ask and point you to it,
>> in case you haven't noticed yet. Thank you!
> 
> Hi,
> 
> since the bug is public, please open a bug on the Debian BTS (if there's not
> one already) providing the details you have, so someone can work on an update
> for the current supported releases.
> 

I see Salvatore Bonaccorso filed a bug already this morning [1]. And the Security Tracker lists an open CVE for lighttpd now as well.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832571
[2] https://security-tracker.debian.org/tracker/CVE-2016-1000212

The patch is also linked there, so I guess there's nothing more to add. Now, hopefully, somebody (more skilled than me) finds time to work on this at some point.


Thanks and kind regards,

Timo


