lighttpd was updated to version 1.4.35, fixing bugs and
security issues:
CVE-2014-2323: SQL injection vulnerability in
mod_mysql_vhost.c in lighttpd allowed remote attackers to
execute arbitrary SQL commands via the host name, related
to request_check_hostname.
CVE-2014-2323: Multiple directory traversal vulnerabilities
in (1) mod_evhost and (2) mod_simple_vhost in lighttpd
allowed remote attackers to read arbitrary files via a …
(dot dot) in the host name, related to
request_check_hostname.
More information can be found on the lighttpd advisory
page:
<a href=“http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2”>http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2</a>
014_01.txt
Other changes:
- [network/ssl] fix build error if TLSEXT is disabled
- [mod_fastcgi] fix use after free (only triggered if
fastcgi debug is active)
- [mod_rrdtool] fix invalid read (string not null
terminated)
- [mod_dirlisting] fix memory leak if pcre fails
- [mod_fastcgi,mod_scgi] fix resource leaks on spawning
backends
- [mod_magnet] fix memory leak
- add comments for switch fall throughs
- remove logical dead code
- [buffer] fix length check in buffer_is_equal_right_len
- fix resource leaks in error cases on config parsing and
other initializations
- add force_assert() to enforce assertions as simple
assert()s are disabled by -DNDEBUG (fixes #2546)
- [mod_cml_lua] fix null pointer dereference
- force assertion: setting FD_CLOEXEC must work (if
available)
- [network] check return value of lseek()
- fix unchecked return values from
stream_open/stat_cache_get_entry
- [mod_webdav] fix logic error in handling file creation
error
- check length of unix domain socket filenames
- fix SQL injection / host name validation (thx Jann Horn)
for all the changes see
/usr/share/doc/packages/lighttpd/NEWS