Multiple vulnerabilities have been reported in lighttpd:
* Qhy reported a memory leak in the http_request_parse() function in
request.c (CVE-2008-4298).
* Gaetan Bisson reported that URIs are not decoded before applying
url.redirect and url.rewrite rules (CVE-2008-4359).
* Anders1 reported that mod_userdir performs case-sensitive
comparisons on filename components in configuration options, which is
insufficient when case-insensitive filesystems are used
(CVE-2008-4360).
Impact
======
A remote attacker could exploit these vulnerabilities to cause a Denial
of Service, to bypass intended access restrictions, to obtain sensitive
information, or to possibly modify data.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All lighttpd users should upgrade to the latest version:
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
Gentoo Linux Security Advisory GLSA 200812-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: lighttpd: Multiple vulnerabilities
Date: December 02, 2008
Bugs: #238180
ID: 200812-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in lighttpd may lead to information disclosure
or a Denial of Service.
Background
==========
lighttpd is a lightweight high-performance web server.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/lighttpd < 1.4.20 >= 1.4.20
Description
===========
Multiple vulnerabilities have been reported in lighttpd:
* Qhy reported a memory leak in the http_request_parse() function in
request.c (CVE-2008-4298).
* Gaetan Bisson reported that URIs are not decoded before applying
url.redirect and url.rewrite rules (CVE-2008-4359).
* Anders1 reported that mod_userdir performs case-sensitive
comparisons on filename components in configuration options, which is
insufficient when case-insensitive filesystems are used
(CVE-2008-4360).
Impact
======
A remote attacker could exploit these vulnerabilities to cause a Denial
of Service, to bypass intended access restrictions, to obtain sensitive
information, or to possibly modify data.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All lighttpd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.20"
References
==========
[ 1 ] CVE-2008-4298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4298
[ 2 ] CVE-2008-4359
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4359
[ 3 ] CVE-2008-4360
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4360
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200812-04.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iQIcBAABAgAGBQJJNXFWAAoJECaaHo/OfoM5ZwwP/24V419TmAYxw0tbcglIKqde
9hfprTv2vCUhzla1pYSS5Kw3kuU9KSV7+ORsQu+YeN555W3HHz7gqi0j+pchaTFx
CKugdoxSRlCo6qqMfAct53vqM7xBqei+VBwwpmsMd4nu43u/ltEWAZpdGK292YhG
6WJSrcg1aBoIyg0SYMJH1pb/WxI+F3R0xfFQC2dETif9lNFLU9cOpran9jQ7TkQd
pNh76d2axoktWQH+V4i97ftI+MkjO0eI2p6p3G+jAsXikZo5Y7ep2ObLpGmm/Lgj
lZG82h6m6Wp2Q87MWfHg2cXT48N9c428sFAypeophxvfagTnMl1cqRQa2XHv+bKC
0cDXa3ZKdwoMkQ/jVLN0l3AGu37evwitUgc1S6twtmGNOvz3BCytKfIUqQ6xzryy
bCH2X1twvNuBSD7mSKI18q7/XTzQf+GESZfM6Eouu5N+VQBjH+ysv60DMf+Z2QNG
s8WPTA8nTLFFcdSpWUfkMr79AKtaJl8s1Gl5ggxfGn8zE0SQLY3EFTgzoaGNJvoC
eVwJPglqfARzHAqhOAXNpBIpd0NfWNAIeWFar2TB+x/Qh1beWraCD4iJSNrts0/1
q+vi2sAfV1H3TBXe/6+yDsNZ5lC9cRkJFic16SR+wWsxcExQ1S3QopCXtopnqCaA
HT+k+rZp64rQkm00ccXq
=1vkq
-----END PGP SIGNATURE-----
[ reply ]