Security update for lighttpd (important)

ID SUSE-SU-2014:0474-1
Type suse
Reporter Suse
Modified 2014-04-03T19:04:18


The HTTP server lighttpd was updated to fix the following security issues:

  • CVE-2014-2323: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd allowed remote attackers to execute arbitrary SQL commands via the host name.
  • CVE-2014-2323: Multiple directory traversal vulnerabilities in mod_evhost and mod_simple_vhost in lighttpd allowed remote attackers to read arbitrary files via .. (dot dot) in the host name.

More information can be found on the lighttpd advisory page: 2014_01.txt

Security Issues references:

  • CVE-2014-2323
  • CVE-2014-2324