[SECURITY] [DLA 3133-1] lighttpd security update

2022-10-0307:47:47

lists.debian.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

50.5%

JSON

Debian LTS Advisory DLA-3133-1 [email protected]
https://www.debian.org/lts/security/ Helmut Grohne
October 03, 2022 https://wiki.debian.org/LTS

Package : lighttpd
Version : 1.4.53-4+deb10u3
CVE ID : CVE-2022-37797

An invalid HTTP request (websocket handshake) may cause a NULL
pointer dereference in the wstunnel module.

For Debian 10 buster, this problem has been fixed in version
1.4.53-4+deb10u3.

We recommend that you upgrade your lighttpd packages.

For the detailed security status of lighttpd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lighttpd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian11armhflighttpd-mod-nss< 1.4.59-1+deb11u2lighttpd-mod-nss_1.4.59-1+deb11u2_armhf.deb
Debian11mips64ellighttpd-mod-deflate-dbgsym< 1.4.59-1+deb11u2lighttpd-mod-deflate-dbgsym_1.4.59-1+deb11u2_mips64el.deb
Debian11mips64ellighttpd-mod-cml< 1.4.59-1+deb11u2lighttpd-mod-cml_1.4.59-1+deb11u2_mips64el.deb
Debian10amd64lighttpd-mod-authn-gssapi< 1.4.53-4+deb10u3lighttpd-mod-authn-gssapi_1.4.53-4+deb10u3_amd64.deb
Debian10amd64lighttpd-modules-mysql< 1.4.53-4+deb10u3lighttpd-modules-mysql_1.4.53-4+deb10u3_amd64.deb
Debian11arm64lighttpd-modules-dbi< 1.4.59-1+deb11u2lighttpd-modules-dbi_1.4.59-1+deb11u2_arm64.deb
Debian11armellighttpd-modules-ldap-dbgsym< 1.4.59-1+deb11u2lighttpd-modules-ldap-dbgsym_1.4.59-1+deb11u2_armel.deb
Debian11amd64lighttpd-dbgsym< 1.4.59-1+deb11u2lighttpd-dbgsym_1.4.59-1+deb11u2_amd64.deb
Debian11armhflighttpd-mod-openssl< 1.4.59-1+deb11u2lighttpd-mod-openssl_1.4.59-1+deb11u2_armhf.deb
Debian11amd64lighttpd-modules-lua-dbgsym< 1.4.59-1+deb11u2lighttpd-modules-lua-dbgsym_1.4.59-1+deb11u2_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	armhf	lighttpd-mod-nss	< 1.4.59-1+deb11u2	lighttpd-mod-nss_1.4.59-1+deb11u2_armhf.deb
Debian	11	mips64el	lighttpd-mod-deflate-dbgsym	< 1.4.59-1+deb11u2	lighttpd-mod-deflate-dbgsym_1.4.59-1+deb11u2_mips64el.deb
Debian	11	mips64el	lighttpd-mod-cml	< 1.4.59-1+deb11u2	lighttpd-mod-cml_1.4.59-1+deb11u2_mips64el.deb
Debian	10	amd64	lighttpd-mod-authn-gssapi	< 1.4.53-4+deb10u3	lighttpd-mod-authn-gssapi_1.4.53-4+deb10u3_amd64.deb
Debian	10	amd64	lighttpd-modules-mysql	< 1.4.53-4+deb10u3	lighttpd-modules-mysql_1.4.53-4+deb10u3_amd64.deb
Debian	11	arm64	lighttpd-modules-dbi	< 1.4.59-1+deb11u2	lighttpd-modules-dbi_1.4.59-1+deb11u2_arm64.deb
Debian	11	armel	lighttpd-modules-ldap-dbgsym	< 1.4.59-1+deb11u2	lighttpd-modules-ldap-dbgsym_1.4.59-1+deb11u2_armel.deb
Debian	11	amd64	lighttpd-dbgsym	< 1.4.59-1+deb11u2	lighttpd-dbgsym_1.4.59-1+deb11u2_amd64.deb
Debian	11	armhf	lighttpd-mod-openssl	< 1.4.59-1+deb11u2	lighttpd-mod-openssl_1.4.59-1+deb11u2_armhf.deb
Debian	11	amd64	lighttpd-modules-lua-dbgsym	< 1.4.59-1+deb11u2	lighttpd-modules-lua-dbgsym_1.4.59-1+deb11u2_amd64.deb