lighttpd - various problems

ID: OSV:DSA-1645-1
Type: osv
Source: Google (osv.dev)
Published: 2008-10-06 00:00:00

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)

  Access Vector:          NETWORK
  Access Complexity:      LOW
  Authentication:         NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact:       PARTIAL
  Availability Impact:    PARTIAL

Several local/remote vulnerabilities have been discovered in lighttpd,
a fast webserver with minimal memory footprint.

The Common Vulnerabilities and Exposures project identifies the following
problems:

  • CVE-2008-4298
    A memory leak in the http_request_parse function could be used by
    remote attackers to make lighttpd consume memory, resulting in a
    denial of service.
  • CVE-2008-4359
    Inconsistent handling of URL patterns could lead to the disclosure
    of resources a server administrator did not anticipate when using
    rewritten URLs.
  • CVE-2008-4360
    On filesystems which do not handle case-insensitive paths differently,
    mod_userdir might make unanticipated resources available.

For the stable distribution (etch), these problems have been fixed in version
1.4.13-4etch11.

For the unstable distribution (sid), these problems will be fixed shortly.

We recommend that you upgrade your lighttpd package.
