by mars on 2005-08-22

Yesterday I filed Lighttpd bug #217 explaining the critical failure I have been experiencing on OpenBSD/Lighttpd wherein HTTPS would fail to transfer more than the first 16KB of data.

Within 10 minutes of submitting the bug, a second person confirmed the bug on OpenBSD.

12 hours later, the bug was fixed and already rolled into this morning's Lighttpd 1.4.1 release.

The SSL bug is that Lighttpd was relying on typical memory-mapping behavior, which has been randomized in OpenBSD to avoid low-level bugs that would traditionally go undetected.

OpenBSD's proactive security practices are boldly moving forward with the pending release of OpenBSD 3.8.

The OpenBSD project is bringing to light the low-level bugs in UNIX software. These "silent bugs", which may lurk with hidden vulnerabilities for years, can be found and removed through contributions within the open-source community.

This is open-source at its finest! Cheers to Jan & the Lighttpd developers for a sweet web server and to the OpenBSD crew for doing it right!

Updated: Tuesday, 23rd August 2005 with OpenBSD project information.
