lighttpd -- multiple vulnerabilities

2013-11-28T00:00:00
ID 90B27045-9530-11E3-9D09-000C2980A9F3
Type freebsd
Reporter FreeBSD
Modified 2013-11-28T00:00:00

Description

lighttpd security advisories report:

It is possible to inadvertently enable vulnerable ciphers when using ssl.cipher-list.

In certain cases setuid() and similar can fail, potentially triggering lighttpd to restart running as root.

If FAMMonitorDirectory fails, the memory intended to store the context is released; some lines below the "version" component of that context is read. Reading invalid data doesn't matter, but the memory access could trigger a segfault.
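
The setuid() item above comes down to checking the return value of every privilege-dropping call and refusing to continue when one fails. The following C code is an added example, not lighttpd's code; `priv_ops`, `drop_privileges`, the stub functions and the uid/gid 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE            /* setgroups() prototype on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical indirection: lets the failure path be exercised without root. */
struct priv_ops {
    int (*set_groups)(size_t n, const gid_t *list);
    int (*set_gid)(gid_t gid);
    int (*set_uid)(uid_t uid);
};

/* Drop to uid/gid. Returns 0 only when every call succeeded; on -1 the
 * caller must exit rather than keep serving or re-execute itself. */
int drop_privileges(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    /* Supplementary groups and gid go first, while still privileged. */
    if (ops->set_groups(0, NULL) != 0) { perror("setgroups"); return -1; }
    if (ops->set_gid(gid) != 0)        { perror("setgid");    return -1; }
    if (ops->set_uid(uid) != 0)        { perror("setuid");    return -1; }
    return 0;
}

/* Real system calls. */
static int sys_groups(size_t n, const gid_t *l) { return setgroups(n, l); }
static int sys_gid(gid_t g) { return setgid(g); }
static int sys_uid(uid_t u) { return setuid(u); }
const struct priv_ops sys_ops = { sys_groups, sys_gid, sys_uid };

/* Constructed stubs: a run where setuid() fails, for example with EAGAIN. */
static int ok_groups(size_t n, const gid_t *l) { (void)n; (void)l; return 0; }
static int ok_gid(gid_t g) { (void)g; return 0; }
static int ok_uid(uid_t u) { (void)u; return 0; }
static int bad_uid(uid_t u) { (void)u; errno = EAGAIN; return -1; }
const struct priv_ops ok_ops   = { ok_groups, ok_gid, ok_uid };
const struct priv_ops fail_ops = { ok_groups, ok_gid, bad_uid };

int main(void)
{
    /* 65534 is a constructed placeholder for the unprivileged account. */
    if (geteuid() == 0 && drop_privileges(&sys_ops, 65534, 65534) != 0)
        return 1;                       /* refuse to keep running as root */
    printf("simulated failure -> %d\n", drop_privileges(&fail_ops, 65534, 65534));
    return 0;
}
```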