{"update": {"autokarma": true, "autotime": false, "stable_karma": 3, "stable_days": 0, "unstable_karma": -3, "require_bugs": true, "require_testcases": true, "display_name": "", "notes": "Patch for CVE-2016-1000212.\n\n----\n\nConnection state patch.\n\n----\n\nPatch for ipv6 blocking bug.\n\n----\n\n1.4.40\nhttps://www.lighttpd.net/2016/7/16/1.4.40/", "type": "security", "status": "obsolete", "request": null, "severity": "medium", "suggest": "unspecified", "locked": false, "pushed": false, "critpath": false, "critpath_groups": null, "close_bugs": true, "date_submitted": "2016-07-27 14:18:42", "date_modified": null, "date_approved": null, "date_testing": "2016-07-28 04:05:07", "date_stable": null, "alias": "FEDORA-EPEL-2016-dbaaa35f43", "test_gating_status": null, "from_tag": null, "date_pushed": "2016-07-28 04:05:07", "meets_testing_requirements": false, "url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-dbaaa35f43", "title": "lighttpd-1.4.40-4.el7", "version_hash": "d27a90e48217dc482cff1ca96414159cc9cf00be", "release": {"name": "EPEL-7", "long_name": "Fedora EPEL 7", "version": "7", "id_prefix": "FEDORA-EPEL", "branch": "epel7", "dist_tag": "epel7", "stable_tag": "epel7", "testing_tag": "epel7-testing", "candidate_tag": "epel7-testing-candidate", "pending_signing_tag": "epel7-signing-pending", "pending_testing_tag": "epel7-testing-pending", "pending_stable_tag": "epel7-pending", "override_tag": "epel7-override", "mail_template": "fedora_epel_legacy_errata_template", "state": "archived", "composed_by_bodhi": true, "create_automatic_updates": false, "package_manager": "unspecified", "testing_repository": null, "released_on": null, "eol": null, "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "limb", "email": "gwync@protonmail.com", "id": 134, "avatar": "https://seccdn.libravatar.org/avatar/620da77fd218195ab689baa12f7235abc3b46837d32e695752381cc8df44c568?s=24&d=retro", "openid": "limb.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "provenpackager"}, {"name": "releng-team"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "sysadmin"}, {"name": "sysadmin-releng"}, {"name": "sysadmin-devel"}, {"name": "sysadmin-cvs"}, {"name": "packaging-committee"}, {"name": "libreoffice-sig"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by limb. ", "timestamp": "2016-07-27 14:18:42", "update_id": 63326, "user_id": 91, "id": 464025, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has obsoleted [lighttpd-1.4.40-3.el7](https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-b78bc3ff43), and has inherited its bugs and notes.", "timestamp": "2016-07-27 14:18:55", "update_id": 63326, "user_id": 91, "id": 464031, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2016-07-28 04:09:19", "update_id": 63326, "user_id": 91, "id": 464348, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been obsoleted by [lighttpd-1.4.41-1.el7](https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-cfff493617).", "timestamp": "2016-08-01 14:29:46", "update_id": 63326, "user_id": 91, "id": 465760, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}], "builds": [{"nvr": "lighttpd-1.4.40-4.el7", "signed": true, "release_id": 8, "type": "rpm", "epoch": 0}], "bugs": [{"bug_id": 1357238, "title": "lighttpd-1.4.40 is available", "security": false, "parent": false, "feedback": [{"karma": 0, "comment_id": 462010, "bug_id": 1357238, "comment": {"karma": 0, "karma_critpath": 0, "text": "I was hit by https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/cd33554b74fd39ecd2e7c367070534da178d5147 -- I had blocked a few IPv6 addresses from our site, and that config prevented restarting lighttpd. Modifying the config to have the IPv6 address in square brackets made lighttpd start properly, but the IPv6 addresses were no longer blocked. The linked patch should fix this regression. If someone uses $HTTP[\"remoteip\"] for some real ACL purpose with IPv6 addresses, this bug is a bit nasty.", "timestamp": "2016-07-21 07:23:46", "update_id": 62820, "user_id": 362, "id": 462010, "testcase_feedback": [], "user": {"name": "avij", "email": "rhbugs@miuku.net", "id": 362, "avatar": "https://seccdn.libravatar.org/avatar/074523ceead6e81c550613e6e97dcf90da56f4b8d3395a1841fc4e708f66319e?s=24&d=retro", "openid": "avij.id.fedoraproject.org", "groups": []}}}, {"karma": 0, "comment_id": 462116, "bug_id": 1357238, "comment": {"karma": 0, "karma_critpath": 0, "text": "Thank you, I'll get out a patched version.", "timestamp": "2016-07-21 14:00:06", "update_id": 62820, "user_id": 134, "id": 462116, "testcase_feedback": [], "user": {"name": "limb", "email": "gwync@protonmail.com", "id": 134, "avatar": "https://seccdn.libravatar.org/avatar/620da77fd218195ab689baa12f7235abc3b46837d32e695752381cc8df44c568?s=24&d=retro", "openid": "limb.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "provenpackager"}, {"name": "releng-team"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "sysadmin"}, {"name": "sysadmin-releng"}, {"name": "sysadmin-devel"}, {"name": "sysadmin-cvs"}, {"name": "packaging-committee"}, {"name": "libreoffice-sig"}]}}}, {"karma": 0, "comment_id": 462171, "bug_id": 1357238, "comment": {"karma": 0, "karma_critpath": 0, "text": "Thanks for the quick fix. Another issue that I ran into today was that lighttpd 1.4.40 seems to have a bug that keeps some connections in FIN_WAIT2 state, as seen in http://miuku.net/tmp/users-day.png -- supposedly this will cause problems once the connection count reaches server.max-connections. This has been fixed in https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/cb468d333cd029b7b7463a17409e16ebf01f5711", "timestamp": "2016-07-21 17:09:10", "update_id": 62962, "user_id": 362, "id": 462171, "testcase_feedback": [], "user": {"name": "avij", "email": "rhbugs@miuku.net", "id": 362, "avatar": "https://seccdn.libravatar.org/avatar/074523ceead6e81c550613e6e97dcf90da56f4b8d3395a1841fc4e708f66319e?s=24&d=retro", "openid": "avij.id.fedoraproject.org", "groups": []}}}, {"karma": 0, "comment_id": 462172, "bug_id": 1357238, "comment": {"karma": 0, "karma_critpath": 0, "text": "Comment from upstream (quoted with permission):\n<gps> FYI: There will likely be a lighttpd 1.4.41 release at end of July, and that includes everything on master.  There will also need to be a fix for http://redmine.lighttpd.net/issues/2738, which is not yet on master.", "timestamp": "2016-07-21 17:17:11", "update_id": 62962, "user_id": 362, "id": 462172, "testcase_feedback": [], "user": {"name": "avij", "email": "rhbugs@miuku.net", "id": 362, "avatar": "https://seccdn.libravatar.org/avatar/074523ceead6e81c550613e6e97dcf90da56f4b8d3395a1841fc4e708f66319e?s=24&d=retro", "openid": "avij.id.fedoraproject.org", "groups": []}}}, {"karma": 0, "comment_id": 462174, "bug_id": 1357238, "comment": {"karma": 0, "karma_critpath": 0, "text": "Ok, I'll get the patch for FIN_WAIT2 out as well.", "timestamp": "2016-07-21 17:54:58", "update_id": 62962, "user_id": 134, "id": 462174, "testcase_feedback": [], "user": {"name": "limb", "email": "gwync@protonmail.com", "id": 134, "avatar": "https://seccdn.libravatar.org/avatar/620da77fd218195ab689baa12f7235abc3b46837d32e695752381cc8df44c568?s=24&d=retro", "openid": "limb.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "provenpackager"}, {"name": "releng-team"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "sysadmin"}, {"name": "sysadmin-releng"}, {"name": "sysadmin-devel"}, {"name": "sysadmin-cvs"}, {"name": "packaging-committee"}, {"name": "libreoffice-sig"}]}}}, {"karma": 1, "comment_id": 466466, "bug_id": 1357238, "comment": {"karma": 1, "karma_critpath": 0, "text": "No problems encountered so far.", "timestamp": "2016-08-03 06:47:48", "update_id": 63673, "user_id": 362, "id": 466466, "testcase_feedback": [], "user": {"name": "avij", "email": "rhbugs@miuku.net", "id": 362, "avatar": "https://seccdn.libravatar.org/avatar/074523ceead6e81c550613e6e97dcf90da56f4b8d3395a1841fc4e708f66319e?s=24&d=retro", "openid": "avij.id.fedoraproject.org", "groups": []}}}]}, {"bug_id": 1360640, "title": "CVE-2016-1000212 lighttpd: sets environmental variable based on user supplied Proxy request header [fedora-all]", "security": true, "parent": false, "feedback": [{"karma": 1, "comment_id": 466466, "bug_id": 1360640, "comment": {"karma": 1, "karma_critpath": 0, "text": "No problems encountered so far.", "timestamp": "2016-08-03 06:47:48", "update_id": 63673, "user_id": 362, "id": 466466, "testcase_feedback": [], "user": {"name": "avij", "email": "rhbugs@miuku.net", "id": 362, "avatar": "https://seccdn.libravatar.org/avatar/074523ceead6e81c550613e6e97dcf90da56f4b8d3395a1841fc4e708f66319e?s=24&d=retro", "openid": "avij.id.fedoraproject.org", "groups": []}}}]}, {"bug_id": 1360641, "title": "CVE-2016-1000212 lighttpd: sets environmental variable based on user supplied Proxy request header [epel-all]", "security": true, "parent": false, "feedback": [{"karma": 1, "comment_id": 466466, "bug_id": 1360641, "comment": {"karma": 1, "karma_critpath": 0, "text": "No problems encountered so far.", "timestamp": "2016-08-03 06:47:48", "update_id": 63673, "user_id": 362, "id": 466466, "testcase_feedback": [], "user": {"name": "avij", "email": "rhbugs@miuku.net", "id": 362, "avatar": "https://seccdn.libravatar.org/avatar/074523ceead6e81c550613e6e97dcf90da56f4b8d3395a1841fc4e708f66319e?s=24&d=retro", "openid": "avij.id.fedoraproject.org", "groups": []}}}]}], "updateid": "FEDORA-EPEL-2016-dbaaa35f43", "karma": 0, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}