[SECURITY] [DSA 2877-1] lighttpd security update

2014-03-24T00:00:00
ID SECURITYVULNS:DOC:30381
Type securityvulns
Reporter Securityvulns
Modified 2014-03-24T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512


Debian Security Advisory DSA-2877-1 security@debian.org http://www.debian.org/security/ Michael Gilbert March 12, 2014 http://www.debian.org/security/faq


Package : lighttpd CVE ID : CVE-2014-2323 CVE-2014-2324 Debian Bug : 741493

Several vulnerabilities were discovered in the lighttpd web server.

CVE-2014-2323

Jann Horn discovered that specially crafted host names can be used
to inject arbitrary MySQL queries in lighttpd servers using the
MySQL virtual hosting module (mod_mysql_vhost).

This only affects installations with the lighttpd-mod-mysql-vhost
binary package installed and in use.

CVE-2014-2324

Jann Horn discovered that specially crafted host names can be used
to traverse outside of the document root under certain situations
in lighttpd servers using either the mod_mysql_vhost, mod_evhost,
or mod_simple_vhost virtual hosting modules.

Servers not using these modules are not affected.

For the oldstable distribution (squeeze), these problems have been fixed in version 1.4.28-2+squeeze1.6.

For the stable distribution (wheezy), these problems have been fixed in version 1.4.31-4+deb7u3.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in version 1.4.33-1+nmu3.

We recommend that you upgrade your lighttpd packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQQcBAEBCgAGBQJTISlcAAoJELjWss0C1vRzdLsf/1umcpRFMVfpb8kJhN9f+KiN qDASrwyL92FjUknXMP3PjeromIVODaPsCRK9C6zzeCCbNhk97Q2B2fFGVgEVaMmr v52T6PMyQy0bmWHy1O/aC30JBK5CAs0f/IWscqdKvNsOOTx+lVyWRsdRQfK059i1 otvQBsh25ro7jTGXcK1JA1ZTlpr41tmJoTyZR7npY5pEpVq9R9Sjyf/rnKv9RZHW MJaH3mD8J3gSlQyI+Ff8mAaCI2eMfBUocbAgRZRUwD1jGAM8OSr+PhmTTuMZTUq+ vsa68sLUwUiS10/nJVZDqH5TTcEgs9f1MnOpuBGtpdtw1pMAF51j73crEiJwXpUl jIFvPvBopU1I6EQ2NEz8rj+WCbFeY6kE2FdZmJzUCG5qzBb07Uj0mAgIu8jr1XCJ iEo6ngK3PWrG+8gWl2z7yUT8IrTYValb6Al1rr2NeW3QlfBgSSRtKtpYJ+QU4Jb4 +/7wMUTTwN4G3OzeugB1541CH6KaVSR+1R7BaI+sLvPwf4CSQB3SY04nwRdoYJGg La92sLzDI6tc0ETtgApa7akWYvpTcb940SYnUrjz56TOUUdfnDh1ELseFgVAHScz GqiiPcXm17C7O1SVjUq4VO6NAGgwoBBGdwozK1+FoiSka353rnPB4Sf6pGK9Z/ng M41qbfBEvSRyUi+6Y4tipRujgRceZwPzXa/ASEGNv98apXaLcMPFhcq5EY7VEY3u xsAqswdbGUea817rm0XO4A20rwCxCatU61ftDHmsrhwqf2HRzfCgYvFx9JF0S36P JllrmZqt2wwoZDDQZFKimFGd+UAvRzIjW+Gj3Z1a3LGzn/eRj756TsCZh3D/hGdx iBYYZoYY1DYJ1myL0m4MJxugVkMIAEerVcWVzAjDd6lKhFHLHpa6WPQENEYBw9ek ClB7bPLRwXiy2UGk4akMznl/vsMhzj++p/zN07sLnZWMLEvxSggGmiFhE9+IHvCp WFJsvc0+miqyJboy7GX3rjNGAoc7yvwsdPm4wwpGJSqC8N/ZDkUCYe5nHmcHt79f zo/5lUOa87RW/RlrToCig4adXbwk6AKWaoBu7k+C2+VZeIGqHS2oeZrAYhVHDt/A omFUi2wCN8kQPqDuX8e0EXH+AfinBs+vqB9pavFgMYverqrIoXeL3PPC9XqhAvAf 6yIj9HqFNmLCfBtw3JRLFnnzeErPJvR5/FNYh1yeW/OR8b2B5mnyYeU038aB/j3A /zsrRABWKdfvb2tTA5cl6DhxBaPKjUJ29ha6325QOLinhbbInKqRrMMjUDqdS2Cy QD5D2wHpd7ZMbhsa9FDklWnoKcbn5dWp0dUnfkhG8biZsU8bBEdY8gwJS0gD468= =z7Zk -----END PGP SIGNATURE-----