Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200812-04 ] lighttpd: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1471

PostPosted: Tue Dec 02, 2008 9:26 pm    Post subject: [ GLSA 200812-04 ] lighttpd: Multiple vulnerabilities Reply with quote

Gentoo Linux Security Advisory

Title: lighttpd: Multiple vulnerabilities (GLSA 200812-04)
Severity: normal
Exploitable: remote
Date: December 02, 2008
Bug(s): #238180
ID: 200812-04

Synopsis

Multiple vulnerabilities in lighttpd may lead to information disclosure or a Denial of Service.

Background

lighttpd is a lightweight high-performance web server.

Affected Packages

Package: www-servers/lighttpd
Vulnerable: < 1.4.20
Unaffected: >= 1.4.20
Architectures: All supported architectures


Description

Multiple vulnerabilities have been reported in lighttpd:
  • Qhy reported a memory leak in the http_request_parse() function in request.c (CVE-2008-4298).
  • Gaetan Bisson reported that URIs are not decoded before applying url.redirect and url.rewrite rules (CVE-2008-4359).
  • Anders1 reported that mod_userdir performs case-sensitive comparisons on filename components in configuration options, which is insufficient when case-insensitive filesystems are used (CVE-2008-4360).


Impact

A remote attacker could exploit these vulnerabilities to cause a Denial of Service, to bypass intended access restrictions, to obtain sensitive information, or to possibly modify data.

Workaround

There is no known workaround at this time.

Resolution

All lighttpd users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.20"


References

CVE-2008-4298
CVE-2008-4359
CVE-2008-4360
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum