Description:

Previous versions of the lighttpd package are vulnerable to a remote
Denial of Service attack in which the termination of one SSL connection
may cause another concurrent SSL connection to terminate prematurely.

lighttpd is not installed by default on rPath Linux systems, and no
default configuration file is provided; only systems customized to
include and configure lighttpd are vulnerable.

Appliances built with rPath Appliance Platform Agent 2 use lighttpd and
are vulnerable to this denial of service attack. All appliances built
using rPath Appliance Platform Agent 2 should be updated to include the
latest release of lighttpd.

http://wiki.rpath.com/Advisories:rPSA-2008-0132

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
{"id": "SECURITYVULNS:DOC:19540", "bulletinFamily": "software", "title": "rPSA-2008-0132-1 lighttpd", "description": "rPath Security Advisory: 2008-0132-1\r\nPublished: 2008-03-31\r\nProducts:\r\n rPath Linux 1\r\n\r\nRating: Major\r\nExposure Level Classification:\r\n Remote Deterministic Denial of Service\r\nUpdated Versions:\r\n lighttpd=conary.rpath.com@rpl:1/1.4.18-0.5-1\r\n\r\nrPath Issue Tracking System:\r\n https://issues.rpath.com/browse/RPL-2407\r\n\r\nReferences:\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1531\r\n\r\nDescription:\r\n Previous versions of the lighttpd package are vulnerable to a remote\r\n Denial of Service attack in which the termination of one SSL connection\r\n may cause another concurrent SSL connection to terminate prematurely.\r\n \r\n lighttpd is not installed by default on rPath Linux systems, and no\r\n default configuration file is provided; only systems customized to\r\n include and configure lighttpd are vulnerable.\r\n \r\n Appliances built with rPath Appliance Platform Agent 2 use lighttpd and\r\n are vulnerable to this denial of service attack. 
All appliances built\r\n using rPath Appliance Platform Agent 2 should be updated to include the\r\n latest release of lighttpd.\r\n\r\nhttp://wiki.rpath.com/Advisories:rPSA-2008-0132\r\n\r\nCopyright 2008 rPath, Inc.\r\nThis file is distributed under the terms of the MIT License.\r\nA copy is available at http://www.rpath.com/permanent/mit-license.html", "published": "2008-04-01T00:00:00", "modified": "2008-04-01T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19540", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2008-1531"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:25", "edition": 1, "viewCount": 6, "enchantments": {"score": {"value": 5.6, "vector": "NONE", "modified": "2018-08-31T11:10:25", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-1531"]}, {"type": "openvas", "idList": ["OPENVAS:61364", "OPENVAS:860205", "OPENVAS:60808", "OPENVAS:60786", "OPENVAS:860849", "OPENVAS:860683", "OPENVAS:60793", "OPENVAS:60834"]}, {"type": "freebsd", "idList": ["1AC77649-0908-11DD-974D-000FEA2763CE"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8849"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1540-3:02F0A", "DEBIAN:DSA-1540-2:C5E42", "DEBIAN:DSA-1540-1:A7A75"]}, {"type": "seebug", "idList": ["SSV:3182"]}, {"type": "nessus", "idList": ["FEDORA_2008-3343.NASL", "FEDORA_2008-4119.NASL", "SUSE_LIGHTTPD-5216.NASL", "LIGHTTPD_1_4_20.NASL", "FEDORA_2008-3376.NASL", "FREEBSD_PKG_1AC77649090811DD974D000FEA2763CE.NASL", "GENTOO_GLSA-200804-08.NASL", "DEBIAN_DSA-1540.NASL"]}, {"type": "fedora", "idList": ["FEDORA:M4HMRUMQ016877", "FEDORA:M3TL8N73030514", "FEDORA:M3TLCX57031009"]}, {"type": "gentoo", "idList": ["GLSA-200804-08"]}], "modified": "2018-08-31T11:10:25", "rev": 2}, "vulnersScore": 5.6}, "affectedSoftware": []}
{"cve": [{"lastseen": "2020-12-09T19:28:21", "description": "The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost.", "edition": 5, "cvss3": {}, "published": "2008-03-27T23:44:00", "title": "CVE-2008-1531", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-1531"], "modified": "2018-10-31T19:23:00", "cpe": ["cpe:/o:debian:debian_linux:4.0", "cpe:/a:lighttpd:lighttpd:1.4.19"], "id": "CVE-2008-1531", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1531", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:lighttpd:lighttpd:1.4.19:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-25T10:55:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531"], "description": "Check for the Version of lighttpd", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "id": "OPENVAS:860205", "href": "http://plugins.openvas.org/nasl.php?oid=860205", "type": "openvas", "title": "Fedora Update for lighttpd FEDORA-2008-4119", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for lighttpd 
FEDORA-2008-4119\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Secure, fast, compliant and very flexible web-server which has been optimized\n for high-performance environments. It has a very low memory footprint compared\n to other webservers and takes care of cpu-load. 
Its advanced feature-set\n (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make\n it the perfect webserver-software for every server that is suffering load\n problems.\n\n Available rpmbuild rebuild options :\n --with : gamin webdavprops webdavlocks memcache\n --without : ldap gdbm lua (cml)\";\n\ntag_affected = \"lighttpd on Fedora 9\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00435.html\");\n script_id(860205);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 16:47:15 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"FEDORA\", value: \"2008-4119\");\n script_cve_id(\"CVE-2008-1531\");\n script_name( \"Fedora Update for lighttpd FEDORA-2008-4119\");\n\n script_summary(\"Check for the Version of lighttpd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC9\")\n{\n\n if ((res = isrpmvuln(pkg:\"lighttpd\", rpm:\"lighttpd~1.4.19~4.fc9\", 
rls:\"FC9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531"], "description": "The remote host is missing an update to lighttpd\nannounced via advisory DSA 1540-3.", "modified": "2017-07-07T00:00:00", "published": "2008-08-15T00:00:00", "id": "OPENVAS:61364", "href": "http://plugins.openvas.org/nasl.php?oid=61364", "type": "openvas", "title": "Debian Security Advisory DSA 1540-3 (lighttpd)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1540_3.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1540-3 (lighttpd)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"This update fixes a regression in lighttpd introduced in DSA-1540,\ncausing SSL failures. 
For reference the original advisory text is\nquoted below.\n\nIt was discovered that lighttpd, a fast webserver with minimal memory\nfootprint, was didn't correctly handle SSL errors. This could allow\na remote attacker to disconnect all active SSL connections.\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 1.4.13-4etch10.\n\nWe recommend that you upgrade your lighttpd package.\";\ntag_summary = \"The remote host is missing an update to lighttpd\nannounced via advisory DSA 1540-3.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201540-3\";\n\n\nif(description)\n{\n script_id(61364);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-08-15 15:52:52 +0200 (Fri, 15 Aug 2008)\");\n script_cve_id(\"CVE-2008-1531\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Debian Security Advisory DSA 1540-3 (lighttpd)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"lighttpd-doc\", ver:\"1.4.13-4etch10\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd\", ver:\"1.4.13-4etch10\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-magnet\", ver:\"1.4.13-4etch10\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-cml\", ver:\"1.4.13-4etch10\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-mysql-vhost\", ver:\"1.4.13-4etch10\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-trigger-b4-dl\", ver:\"1.4.13-4etch10\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-webdav\", ver:\"1.4.13-4etch10\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531"], "description": "The remote host is missing an update to lighttpd\nannounced via advisory DSA 1540-1.", "modified": "2017-07-07T00:00:00", "published": "2008-04-21T00:00:00", "id": "OPENVAS:60786", "href": 
"http://plugins.openvas.org/nasl.php?oid=60786", "type": "openvas", "title": "Debian Security Advisory DSA 1540-1 (lighttpd)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1540_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1540-1 (lighttpd)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that lighttpd, a fast webserver with minimal memory\nfootprint, was didn't correctly handle SSL errors. 
This could allow\na remote attacker to disconnect all active SSL connections.\n\nFor the stable distribution (etch), this problem has been fixed in version\n1.4.13-4etch7.\n\nWe recommend that you upgrade your lighttpd package.\";\ntag_summary = \"The remote host is missing an update to lighttpd\nannounced via advisory DSA 1540-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201540-1\";\n\n\nif(description)\n{\n script_id(60786);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-04-21 20:40:14 +0200 (Mon, 21 Apr 2008)\");\n script_cve_id(\"CVE-2008-1531\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Debian Security Advisory DSA 1540-1 (lighttpd)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"lighttpd-doc\", ver:\"1.4.13-4etch7\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-magnet\", ver:\"1.4.13-4etch7\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd\", ver:\"1.4.13-4etch7\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-cml\", ver:\"1.4.13-4etch7\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-trigger-b4-dl\", ver:\"1.4.13-4etch7\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-webdav\", ver:\"1.4.13-4etch7\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-mysql-vhost\", ver:\"1.4.13-4etch7\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531"], "description": "The remote host is missing an update to lighttpd\nannounced via advisory DSA 1540-2.", "modified": "2017-07-07T00:00:00", "published": "2008-04-21T00:00:00", "id": "OPENVAS:60793", "href": 
"http://plugins.openvas.org/nasl.php?oid=60793", "type": "openvas", "title": "Debian Security Advisory DSA 1540-2 (lighttpd)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1540_2.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1540-2 (lighttpd)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that lighttpd, a fast webserver with minimal memory\nfootprint, was didn't correctly handle SSL errors. 
This could allow\na remote attacker to disconnect all active SSL connections.\n\nThis security update fixes a regression in the previous one, which caused\nSSL failures.\n\nFor the stable distribution (etch), this problem has been fixed in version\n1.4.13-4etch8.\n\nWe recommend that you upgrade your lighttpd package.\";\ntag_summary = \"The remote host is missing an update to lighttpd\nannounced via advisory DSA 1540-2.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201540-2\";\n\n\nif(description)\n{\n script_id(60793);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-04-21 20:40:14 +0200 (Mon, 21 Apr 2008)\");\n script_cve_id(\"CVE-2008-1531\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Debian Security Advisory DSA 1540-2 (lighttpd)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"lighttpd-doc\", ver:\"1.4.13-4etch8\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd\", ver:\"1.4.13-4etch8\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-magnet\", ver:\"1.4.13-4etch8\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-cml\", ver:\"1.4.13-4etch8\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-mysql-vhost\", ver:\"1.4.13-4etch8\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-webdav\", ver:\"1.4.13-4etch8\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lighttpd-mod-trigger-b4-dl\", ver:\"1.4.13-4etch8\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-22T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:60834", "href": 
"http://plugins.openvas.org/nasl.php?oid=60834", "type": "openvas", "title": "FreeBSD Ports: lighttpd", "sourceData": "#\n#VID 1ac77649-0908-11dd-974d-000fea2763ce\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: lighttpd\n\nCVE-2008-1531\nThe connection_state_machine function (connections.c) in lighttpd\n1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to\ncause a denial of service (active SSL connection loss) by triggering\nan SSL error, such as disconnecting before a download has finished,\nwhich causes all active SSL connections to be lost.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://secunia.com/advisories/29649\nhttp://trac.lighttpd.net/trac/ticket/285\nhttp://www.vuxml.org/freebsd/1ac77649-0908-11dd-974d-000fea2763ce.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced 
advisory.\";\n\n\nif(description)\n{\n script_id(60834);\n script_version(\"$Revision: 4128 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-22 07:37:51 +0200 (Thu, 22 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2008-1531\");\n script_bugtraq_id(28489);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"FreeBSD Ports: lighttpd\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"lighttpd\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.4.19_1\")<0) {\n txt += 'Package lighttpd version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531", "CVE-2008-1270"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200804-08.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:60808", "href": 
"http://plugins.openvas.org/nasl.php?oid=60808", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200804-08 (lighttpd)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities in lighttpd may lead to information disclosure or\na Denial of Service.\";\ntag_solution = \"All lighttpd users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-servers/lighttpd-1.4.19-r2'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200804-08\nhttp://bugs.gentoo.org/show_bug.cgi?id=212930\nhttp://bugs.gentoo.org/show_bug.cgi?id=214892\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200804-08.\";\n\n \n\nif(description)\n{\n script_id(60808);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 
21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2008-1270\", \"CVE-2008-1531\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Gentoo Security Advisory GLSA 200804-08 (lighttpd)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"www-servers/lighttpd\", unaffected: make_list(\"ge 1.4.19-r2\"), vulnerable: make_list(\"lt 1.4.19-r2\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531", "CVE-2008-1111", "CVE-2008-0983"], "description": "Check for the Version of lighttpd", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "id": "OPENVAS:860683", "href": "http://plugins.openvas.org/nasl.php?oid=860683", "type": "openvas", "title": "Fedora Update for lighttpd FEDORA-2008-3343", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for lighttpd FEDORA-2008-3343\n#\n# Authors:\n# System Generated Check\n#\n# 
Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Secure, fast, compliant and very flexible web-server which has been optimized\n for high-performance environments. It has a very low memory footprint compared\n to other webservers and takes care of cpu-load. 
Its advanced feature-set\n (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make\n it the perfect webserver-software for every server that is suffering load\n problems.\n\n Available rpmbuild rebuild options :\n --with : gamin webdavprops webdavlocks memcache\n --without : ldap gdbm lua (cml)\";\n\ntag_affected = \"lighttpd on Fedora 7\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00562.html\");\n script_id(860683);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 16:43:56 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"FEDORA\", value: \"2008-3343\");\n script_cve_id(\"CVE-2008-0983\", \"CVE-2008-1111\", \"CVE-2008-1531\");\n script_name( \"Fedora Update for lighttpd FEDORA-2008-3343\");\n\n script_summary(\"Check for the Version of lighttpd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC7\")\n{\n\n if ((res = isrpmvuln(pkg:\"lighttpd\", 
rpm:\"lighttpd~1.4.19~4.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-25T10:57:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531", "CVE-2008-1111", "CVE-2008-0983"], "description": "Check for the Version of lighttpd", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "id": "OPENVAS:860849", "href": "http://plugins.openvas.org/nasl.php?oid=860849", "type": "openvas", "title": "Fedora Update for lighttpd FEDORA-2008-3376", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for lighttpd FEDORA-2008-3376\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Secure, fast, compliant and very flexible web-server which has been optimized\n for high-performance environments. It has a very low memory footprint compared\n to other webservers and takes care of cpu-load. 
Its advanced feature-set\n (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make\n it the perfect webserver-software for every server that is suffering load\n problems.\n\n Available rpmbuild rebuild options :\n --with : gamin webdavprops webdavlocks memcache\n --without : ldap gdbm lua (cml)\";\n\ntag_affected = \"lighttpd on Fedora 8\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00587.html\");\n script_id(860849);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 16:43:56 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"FEDORA\", value: \"2008-3376\");\n script_cve_id(\"CVE-2008-0983\", \"CVE-2008-1111\", \"CVE-2008-1531\");\n script_name( \"Fedora Update for lighttpd FEDORA-2008-3376\");\n\n script_summary(\"Check for the Version of lighttpd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC8\")\n{\n\n if ((res = isrpmvuln(pkg:\"lighttpd\", 
rpm:\"lighttpd~1.4.19~4.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:27", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1531"], "description": "\nSecunia reports:\n\nA vulnerability has been reported in lighttpd, which can be\n\t exploited by malicious people to cause a DoS (Denial of\n\t Service).\nThe vulnerability is caused due to lighttpd not properly clearing\n\t the OpenSSL error queue. This can be exploited to close concurrent\n\t SSL connections of lighttpd by terminating one SSL connection.\n\n", "edition": 4, "modified": "2008-04-02T00:00:00", "published": "2008-04-02T00:00:00", "id": "1AC77649-0908-11DD-974D-000FEA2763CE", "href": "https://vuxml.freebsd.org/freebsd/1ac77649-0908-11dd-974d-000fea2763ce.html", "title": "lighttpd -- OpenSSL Error Queue Denial of Service Vulnerability", "type": "freebsd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:29", "bulletinFamily": "software", "cvelist": ["CVE-2008-1531"], "description": "Termination of one SSL connection may cause another concurrent SSL connection to terminate.", "edition": 1, "modified": "2008-04-01T00:00:00", "published": "2008-04-01T00:00:00", "id": "SECURITYVULNS:VULN:8849", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8849", "title": "lighthttpd SSL DoS", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "debian": [{"lastseen": "2020-11-11T13:21:18", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1531"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1540-2 security@debian.org\nhttp://www.debian.org/security/ Steve Kemp\nApril 15, 2008 
http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : lighttpd\nVulnerability : DOS\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-1531\n\nIt was discovered that lighttpd, a fast webserver with minimal memory\nfootprint, didn't correctly handle SSL errors. This could allow\na remote attacker to disconnect all active SSL connections.\n\nThis security update fixes a regression in the previous one, which caused\nSSL failures.\n\nFor the stable distribution (etch), this problem has been fixed in version\n1.4.13-4etch8.\n\nWe recommend that you upgrade your lighttpd package.\n\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2008-04-15T18:42:39", "published": "2008-04-15T18:42:39", "id": "DEBIAN:DSA-1540-2:C5E42", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00117.html", "title": "[SECURITY] [DSA 1540-2] New lighttpd packages fix denial of service", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-11-11T13:19:06", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1531"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1540-3 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nJuly 23, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : lighttpd\nVulnerability : denial of service\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-1531\n\nThis update fixes a regression in lighttpd introduced in DSA-1540,\ncausing SSL failures. For reference the original advisory text is\nquoted below.\n\nIt was discovered that lighttpd, a fast webserver with minimal memory\nfootprint, didn't correctly handle SSL errors. 
This could allow\na remote attacker to disconnect all active SSL connections.\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 1.4.13-4etch10.\n\nWe recommend that you upgrade your lighttpd package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2008-07-23T18:59:51", "published": "2008-07-23T18:59:51", "id": "DEBIAN:DSA-1540-3:02F0A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00197.html", "title": "[SECURITY] [DSA 1540-3] New lighttpd packages fix regression", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-11-11T13:12:08", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1531"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1540-1 security@debian.org\nhttp://www.debian.org/security/ Steve Kemp\nApril 07, 2008 http://www.debian.org/security/faq\n- 
------------------------------------------------------------------------\n\nPackage : lighttpd\nVulnerability : DOS\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-1531\n\nIt was discovered that lighttpd, a fast webserver with minimal memory\nfootprint, didn't correctly handle SSL errors. This could allow\na remote attacker to disconnect all active SSL connections.\n\nFor the stable distribution (etch), this problem has been fixed in version\n1.4.13-4etch7.\n\nWe recommend that you upgrade your lighttpd package.\n\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2008-04-07T17:44:17", "published": "2008-04-07T17:44:17", "id": "DEBIAN:DSA-1540-1:A7A75", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00110.html", "title": "[SECURITY] [DSA 1540-1] New lighttpd packages fix denial of service", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "seebug": [{"lastseen": "2017-11-19T21:43:39", "description": "BUGTRAQ ID: 28489\r\nCVE(CAN) ID: CVE-2008-1531\r\n\r\nLighttpd is a lightweight open-source web server package.\r\n\r\nlighttpd does not correctly clear the OpenSSL error queue. If a remote attacker can trigger an SSL error, for example by disconnecting before a download finishes, lighttpd may drop all active SSL connections.\r\n\n\nLightTPD 1.4.19\n Vendor patches:\r\n\r\nDebian\r\n------\r\nDebian has released a security advisory (DSA-1540-2) and corresponding patches for this issue:\r\nDSA-1540-2: New lighttpd packages fix denial of service\r\nLink: http://www.debian.org/security/2008/dsa-1540\r\n\r\nPatch downloads:\r\n\r\nPatch installation:\r\n\r\n1. Install the patch package manually:\r\n\r\n First, download the patch package with the following command:\r\n # wget url (url is the patch download link)\r\n\r\n Then install the patch with the following command:\r\n # dpkg -i file.deb (file is the name of the corresponding patch)\r\n\r\n2. Install the patch package automatically with apt-get:\r\n\r\n First, update the internal database with the following command:\r\n # apt-get update\r\n \r\n Then install the updated packages with the following command:\r\n # apt-get upgrade\r\n\r\nGentoo\r\n------\r\nGentoo has released a security advisory (GLSA-200804-08) and corresponding patches for this issue:\r\nGLSA-200804-08: lighttpd: Multiple vulnerabilities\r\nLink: http://security.gentoo.org/glsa/glsa-200804-08.xml\r\n\r\nAll lighttpd users should upgrade to the latest version:\r\n\r\n # emerge --sync\r\n # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.19-r2"\r\n\r\nLightTPD\r\n--------\r\nThe vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:\r\n\r\nhttp://trac.lighttpd.net/trac/changeset/2136\r\nhttp://trac.lighttpd.net/trac/changeset/2139", "published": "2008-04-17T00:00:00", "type": "seebug", "title": "Lighttpd SSL Error Denial of Service Vulnerability", "bulletinFamily": "exploit", "cvelist": 
["CVE-2008-1531"], "modified": "2008-04-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-3182", "id": "SSV:3182", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-07T10:40:13", "description": "Secunia reports :\n\nA vulnerability has been reported in lighttpd, which can be exploited\nby malicious people to cause a DoS (Denial of Service).\n\nThe vulnerability is caused due to lighttpd not properly clearing the\nOpenSSL error queue. This can be exploited to close concurrent SSL\nconnections of lighttpd by terminating one SSL connection.", "edition": 25, "published": "2008-04-17T00:00:00", "title": "FreeBSD : lighttpd -- OpenSSL Error Queue Denial of Service Vulnerability (1ac77649-0908-11dd-974d-000fea2763ce)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531"], "modified": "2008-04-17T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:lighttpd"], "id": "FREEBSD_PKG_1AC77649090811DD974D000FEA2763CE.NASL", "href": "https://www.tenable.com/plugins/nessus/31953", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(31953);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-1531\");\n script_bugtraq_id(28489);\n script_xref(name:\"Secunia\", value:\"29649\");\n\n script_name(english:\"FreeBSD : lighttpd -- OpenSSL Error Queue Denial of Service Vulnerability (1ac77649-0908-11dd-974d-000fea2763ce)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Secunia reports :\n\nA vulnerability has been reported in lighttpd, which can be exploited\nby malicious people to cause a 
DoS (Denial of Service).\n\nThe vulnerability is caused due to lighttpd not properly clearing the\nOpenSSL error queue. This can be exploited to close concurrent SSL\nconnections of lighttpd by terminating one SSL connection.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://trac.lighttpd.net/trac/ticket/285\"\n );\n # https://vuxml.freebsd.org/freebsd/1ac77649-0908-11dd-974d-000fea2763ce.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?54c267ec\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/04/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"lighttpd<1.4.19_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:06:30", "description": "This update fixes a bug where a user could kill another user's SSL\nconnection by killing his own, because the SSL error queue wasn't\ncleared properly.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2008-05-01T00:00:00", "title": "Fedora 7 : lighttpd-1.4.19-4.fc7 (2008-3343)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531"], "modified": "2008-05-01T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:7", "p-cpe:/a:fedoraproject:fedora:lighttpd"], "id": "FEDORA_2008-3343.NASL", "href": "https://www.tenable.com/plugins/nessus/32094", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-3343.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32094);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-1531\");\n script_bugtraq_id(28489);\n script_xref(name:\"FEDORA\", value:\"2008-3343\");\n\n script_name(english:\"Fedora 7 : lighttpd-1.4.19-4.fc7 (2008-3343)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a bug where a user could kill another user's SSL\nconnection by killing his own, because the SSL error queue wasn't\ncleared properly.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=439066\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-April/009587.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1fcb60f4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected lighttpd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 7.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC7\", reference:\"lighttpd-1.4.19-4.fc7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"lighttpd\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:06:30", "description": "This update fixes a bug where a user could kill another user's SSL\nconnection by killing his own, because the SSL error queue wasn't\ncleared properly.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2008-05-01T00:00:00", "title": "Fedora 8 : lighttpd-1.4.19-4.fc8 (2008-3376)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531"], "modified": "2008-05-01T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:8", "p-cpe:/a:fedoraproject:fedora:lighttpd"], "id": "FEDORA_2008-3376.NASL", "href": "https://www.tenable.com/plugins/nessus/32100", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-3376.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32100);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-1531\");\n script_bugtraq_id(28489);\n script_xref(name:\"FEDORA\", value:\"2008-3376\");\n\n script_name(english:\"Fedora 8 : lighttpd-1.4.19-4.fc8 (2008-3376)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a bug where a user could kill another user's SSL\nconnection by killing his own, because the SSL error queue wasn't\ncleared properly.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=439066\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-April/009612.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?514ba8fe\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected lighttpd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 8.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC8\", reference:\"lighttpd-1.4.19-4.fc8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"lighttpd\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:06:32", "description": "This update fixes a bug where a user could kill another user's SSL\nconnection by killing his own, because the SSL error queue wasn't\ncleared properly.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2008-05-20T00:00:00", "title": "Fedora 9 : lighttpd-1.4.19-4.fc9 (2008-4119)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531"], "modified": "2008-05-20T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:lighttpd", "cpe:/o:fedoraproject:fedora:9"], "id": "FEDORA_2008-4119.NASL", "href": "https://www.tenable.com/plugins/nessus/32386", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-4119.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32386);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-1531\");\n script_bugtraq_id(28489);\n script_xref(name:\"FEDORA\", value:\"2008-4119\");\n\n script_name(english:\"Fedora 9 : lighttpd-1.4.19-4.fc9 (2008-4119)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a bug where a user could kill another user's SSL\nconnection by killing his own, because the SSL error queue wasn't\ncleared properly.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=439066\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-May/010087.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dfe3e18d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected lighttpd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:9\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 9.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC9\", reference:\"lighttpd-1.4.19-4.fc9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"lighttpd\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T14:46:33", "description": "An error in one SSL connection could lead to termination of all SSL\nconnections (CVE-2008-1531)", "edition": 23, "published": "2008-05-02T00:00:00", "title": "openSUSE 10 Security Update : lighttpd (lighttpd-5216)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531"], "modified": "2008-05-02T00:00:00", "cpe": ["cpe:/o:novell:opensuse:10.3", 
"cpe:/o:novell:opensuse:10.2", "p-cpe:/a:novell:opensuse:lighttpd-mod_webdav", "p-cpe:/a:novell:opensuse:lighttpd-mod_rrdtool", "p-cpe:/a:novell:opensuse:lighttpd", "p-cpe:/a:novell:opensuse:lighttpd-mod_mysql_vhost", "p-cpe:/a:novell:opensuse:lighttpd-mod_magnet", "cpe:/o:novell:opensuse:10.1", "p-cpe:/a:novell:opensuse:lighttpd-mod_cml", "p-cpe:/a:novell:opensuse:lighttpd-mod_trigger_b4_dl"], "id": "SUSE_LIGHTTPD-5216.NASL", "href": "https://www.tenable.com/plugins/nessus/32129", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update lighttpd-5216.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32129);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-1531\");\n\n script_name(english:\"openSUSE 10 Security Update : lighttpd (lighttpd-5216)\");\n script_summary(english:\"Check for the lighttpd-5216 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An error in one SSL connection could lead to termination of all SSL\nconnections (CVE-2008-1531)\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected lighttpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_cml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_magnet\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_mysql_vhost\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_rrdtool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_trigger_b4_dl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_webdav\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/04/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE10\\.1|SUSE10\\.2|SUSE10\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"10.1 / 10.2 / 10.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE10.1\", 
reference:\"lighttpd-1.4.10-11.23\") ) flag++;\nif ( rpm_check(release:\"SUSE10.1\", reference:\"lighttpd-mod_cml-1.4.10-11.23\") ) flag++;\nif ( rpm_check(release:\"SUSE10.1\", reference:\"lighttpd-mod_mysql_vhost-1.4.10-11.23\") ) flag++;\nif ( rpm_check(release:\"SUSE10.1\", reference:\"lighttpd-mod_rrdtool-1.4.10-11.23\") ) flag++;\nif ( rpm_check(release:\"SUSE10.1\", reference:\"lighttpd-mod_trigger_b4_dl-1.4.10-11.23\") ) flag++;\nif ( rpm_check(release:\"SUSE10.1\", reference:\"lighttpd-mod_webdav-1.4.10-11.23\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"lighttpd-1.4.13-41.10\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"lighttpd-mod_cml-1.4.13-41.10\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"lighttpd-mod_magnet-1.4.13-41.10\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"lighttpd-mod_mysql_vhost-1.4.13-41.10\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"lighttpd-mod_rrdtool-1.4.13-41.10\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"lighttpd-mod_trigger_b4_dl-1.4.13-41.10\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"lighttpd-mod_webdav-1.4.13-41.10\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"lighttpd-1.4.18-1.5\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"lighttpd-mod_cml-1.4.18-1.5\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"lighttpd-mod_magnet-1.4.18-1.5\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"lighttpd-mod_mysql_vhost-1.4.18-1.5\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"lighttpd-mod_rrdtool-1.4.18-1.5\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"lighttpd-mod_trigger_b4_dl-1.4.18-1.5\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"lighttpd-mod_webdav-1.4.18-1.5\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n 
exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"lighttpd / lighttpd-mod_cml / lighttpd-mod_mysql_vhost / etc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-06T09:45:00", "description": "It was discovered that lighttpd, a fast webserver with minimal memory\nfootprint, didn't correctly handle SSL errors. This could allow a\nremote attacker to disconnect all active SSL connections.", "edition": 27, "published": "2008-04-11T00:00:00", "title": "Debian DSA-1540-1 : lighttpd - denial of service", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531"], "modified": "2008-04-11T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:4.0", "p-cpe:/a:debian:debian_linux:lighttpd"], "id": "DEBIAN_DSA-1540.NASL", "href": "https://www.tenable.com/plugins/nessus/31810", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1540. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(31810);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2008-1531\");\n script_xref(name:\"DSA\", value:\"1540\");\n\n script_name(english:\"Debian DSA-1540-1 : lighttpd - denial of service\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that lighttpd, a fast webserver with minimal memory\nfootprint, didn't correctly handle SSL errors. 
This could allow a\nremote attacker to disconnect all active SSL connections.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2008/dsa-1540\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the lighttpd package.\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 1.4.13-4etch7.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/04/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"4.0\", prefix:\"lighttpd\", reference:\"1.4.13-4etch7\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"lighttpd-doc\", reference:\"1.4.13-4etch7\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"lighttpd-mod-cml\", reference:\"1.4.13-4etch7\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"lighttpd-mod-magnet\", reference:\"1.4.13-4etch7\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"lighttpd-mod-mysql-vhost\", reference:\"1.4.13-4etch7\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"lighttpd-mod-trigger-b4-dl\", reference:\"1.4.13-4etch7\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"lighttpd-mod-webdav\", reference:\"1.4.13-4etch7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T10:52:20", "description": "The remote host is affected by the vulnerability described in GLSA-200804-08\n(lighttpd: Multiple vulnerabilities)\n\n Julien Cayzax discovered that an insecure default setting exists in\n mod_userdir in lighttpd. When userdir.path is not set the default value\n used is $HOME. It should be noted that the 'nobody' user's $HOME is '/'\n (CVE-2008-1270). 
An error also exists in the SSL connection code which\n can be triggered when a user prematurely terminates his connection\n (CVE-2008-1531).\n \nImpact :\n\n A remote attacker could exploit the first vulnerability to read\n arbitrary files. The second vulnerability can be exploited by a remote\n attacker to cause a Denial of Service by terminating a victim's SSL\n connection.\n \nWorkaround :\n\n As a workaround for CVE-2008-1270 you can set userdir.path to a\n sensible value, e.g. 'public_html'.", "edition": 25, "published": "2008-04-17T00:00:00", "title": "GLSA-200804-08 : lighttpd: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1531", "CVE-2008-1270"], "modified": "2008-04-17T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:lighttpd"], "id": "GENTOO_GLSA-200804-08.NASL", "href": "https://www.tenable.com/plugins/nessus/31955", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200804-08.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(31955);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-1270\", \"CVE-2008-1531\");\n script_xref(name:\"GLSA\", value:\"200804-08\");\n\n script_name(english:\"GLSA-200804-08 : lighttpd: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200804-08\n(lighttpd: Multiple vulnerabilities)\n\n Julien Cayzax discovered that an insecure default setting exists in\n mod_userdir in lighttpd. When userdir.path is not set the default value\n used is $HOME. It should be noted that the 'nobody' user's $HOME is '/'\n (CVE-2008-1270). An error also exists in the SSL connection code which\n can be triggered when a user prematurely terminates his connection\n (CVE-2008-1531).\n \nImpact :\n\n A remote attacker could exploit the first vulnerability to read\n arbitrary files. The second vulnerability can be exploited by a remote\n attacker to cause a Denial of Service by terminating a victim's SSL\n connection.\n \nWorkaround :\n\n As a workaround for CVE-2008-1270 you can set userdir.path to a\n sensible value, e.g. 
'public_html'.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200804-08\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All lighttpd users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-servers/lighttpd-1.4.19-r2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cwe_id(200);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/04/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-servers/lighttpd\", unaffected:make_list(\"ge 1.4.19-r2\"), vulnerable:make_list(\"lt 1.4.19-r2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"lighttpd\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-01T03:19:52", "description": "According to its banner, the version of lighttpd running on the remote\nhost is prior to 1.4.20. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A denial of service vulnerability exists in the\n connection_state_machine() function that is triggered\n when disconnecting before a download has finished. An\n unauthenticated, remote attacker can exploit this to\n cause all active SSL connections to be lost.\n (CVE-2008-1531)\n\n - A memory leak flaw exists in the http_request_parse()\n function. An unauthenticated, remote attacker can\n exploit this, via a large number of requests with\n duplicate request headers, to cause a denial of service\n condition. (CVE-2008-4298)\n\n - A security bypass vulnerability exists due to comparing\n URIs to patterns in url.redirect and url.rewrite\n configuration settings before performing URL decoding.\n An unauthenticated, remote attacker can exploit this to\n bypass intended access restrictions, resulting in the\n disclosure or modification of sensitive data.\n (CVE-2008-4359)\n\n - A security bypass vulnerability exists in mod_userdir\n due to performing case-sensitive comparisons even on\n case-insensitive operating systems and file systems. An\n unauthenticated, remote attacker can exploit this to\n bypass intended access restrictions, resulting in the\n disclosure of sensitive information. 
(CVE-2008-4360)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 28, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2008-10-03T00:00:00", "title": "lighttpd < 1.4.20 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4360", "CVE-2008-1531", "CVE-2008-4298", "CVE-2008-4359"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:lighttpd:lighttpd"], "id": "LIGHTTPD_1_4_20.NASL", "href": "https://www.tenable.com/plugins/nessus/34332", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(34332);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/07/13 15:08:46\");\n\n script_cve_id(\n \"CVE-2008-1531\",\n \"CVE-2008-4298\",\n \"CVE-2008-4359\",\n \"CVE-2008-4360\");\n script_bugtraq_id(\n 28489,\n 31434,\n 31599,\n 31600);\n\n script_name(english:\"lighttpd < 1.4.20 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version in Server response header.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of lighttpd running on the remote\nhost is prior to 1.4.20. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A denial of service vulnerability exists in the\n connection_state_machine() function that is triggered\n when disconnecting before a download has finished. An\n unauthenticated, remote attacker can exploit this to\n cause all active SSL connections to be lost.\n (CVE-2008-1531)\n\n - A memory leak flaw exists in the http_request_parse()\n function. An unauthenticated, remote attacker can\n exploit this, via a large number of requests with\n duplicate request headers, to cause a denial of service\n condition. 
(CVE-2008-4298)\n\n - A security bypass vulnerability exists due to comparing\n URIs to patterns in url.redirect and url.rewrite\n configuration settings before performing URL decoding.\n An unauthenticated, remote attacker can exploit this to\n bypass intended access restrictions, resulting in the\n disclosure or modification of sensitive data.\n (CVE-2008-4359)\n\n - A security bypass vulnerability exists in mod_userdir\n due to performing case-sensitive comparisons even on\n case-insensitive operating systems and file systems. An\n unauthenticated, remote attacker can exploit this to\n bypass intended access restrictions, resulting in the\n disclosure of sensitive information. (CVE-2008-4360)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://redmine.lighttpd.net/issues/285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://redmine.lighttpd.net/issues/1589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://redmine.lighttpd.net/issues/1589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://redmine.lighttpd.net/issues/1774\");\n # http://web.archive.org/web/20120118054919/http://www.lighttpd.net/2008/9/30/1-4-20-otherwise-the-terrorists-win\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3d6f179d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to lighttpd version 1.4.20 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", 
value:\"false\");\n script_cwe_id(200, 399);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/10/03\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:lighttpd:lighttpd\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"lighttpd_detect.nasl\");\n script_require_keys(\"installed_sw/lighttpd\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"vcf.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nappname = \"lighttpd\";\nget_install_count(app_name:appname, exit_if_zero:TRUE);\nport = get_http_port(default:80);\napp_info = vcf::get_app_info(app:appname, port:port, webapp:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [{\"fixed_version\":\"1.4.20\"}];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1531"], "description": "Secure, fast, compliant and very flexible web-server which has been optimized for high-performance environments. It has a very low memory footprint compared to other webservers and takes care of cpu-load. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make it the perfect webserver-software for every server that is suffering load problems. 
Available rpmbuild rebuild options : --with : gamin webdavprops webdavlocks memcache --without : ldap gdbm lua (cml) ", "modified": "2008-05-17T22:28:22", "published": "2008-05-17T22:28:22", "id": "FEDORA:M4HMRUMQ016877", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 9 Update: lighttpd-1.4.19-4.fc9", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-0983", "CVE-2008-1111", "CVE-2008-1531"], "description": "Secure, fast, compliant and very flexible web-server which has been optimized for high-performance environments. It has a very low memory footprint compared to other webservers and takes care of cpu-load. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make it the perfect webserver-software for every server that is suffering load problems. Available rpmbuild rebuild options : --with : gamin webdavprops webdavlocks memcache --without : ldap gdbm lua (cml) ", "modified": "2008-04-29T20:57:25", "published": "2008-04-29T20:57:25", "id": "FEDORA:M3TLCX57031009", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 8 Update: lighttpd-1.4.19-4.fc8", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-0983", "CVE-2008-1111", "CVE-2008-1531"], "description": "Secure, fast, compliant and very flexible web-server which has been optimized for high-performance environments. It has a very low memory footprint compared to other webservers and takes care of cpu-load. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make it the perfect webserver-software for every server that is suffering load problems. 
Available rpmbuild rebuild options : --with : gamin webdavprops webdavlocks memcache --without : ldap gdbm lua (cml) ", "modified": "2008-04-29T20:54:00", "published": "2008-04-29T20:54:00", "id": "FEDORA:M3TL8N73030514", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 7 Update: lighttpd-1.4.19-4.fc7", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:18", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1531", "CVE-2008-1270"], "description": "### Background\n\nlighttpd is a lightweight high-performance web server. \n\n### Description\n\nJulien Cayzax discovered that an insecure default setting exists in mod_userdir in lighttpd. When userdir.path is not set the default value used is $HOME. It should be noted that the \"nobody\" user's $HOME is \"/\" (CVE-2008-1270). An error also exists in the SSL connection code which can be triggered when a user prematurely terminates his connection (CVE-2008-1531). \n\n### Impact\n\nA remote attacker could exploit the first vulnerability to read arbitrary files. The second vulnerability can be exploited by a remote attacker to cause a Denial of Service by terminating a victim's SSL connection. \n\n### Workaround\n\nAs a workaround for CVE-2008-1270 you can set userdir.path to a sensible value, e.g. _\"public_html\"_. \n\n### Resolution\n\nAll lighttpd users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/lighttpd-1.4.19-r2\"", "edition": 1, "modified": "2008-04-10T00:00:00", "published": "2008-04-10T00:00:00", "id": "GLSA-200804-08", "href": "https://security.gentoo.org/glsa/200804-08", "type": "gentoo", "title": "lighttpd: Multiple vulnerabilities", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}