Security update for lighttpd (important)

2014-04-0319:04:18

lists.opensuse.org

EPSS

0.96

Percentile

99.5%

JSON

The HTTP server lighttpd was updated to fix the following
security issues:

CVE-2014-2323: SQL injection vulnerability in
mod_mysql_vhost.c in lighttpd allowed remote attackers to
execute arbitrary SQL commands via the host name.
CVE-2014-2323: Multiple directory traversal
vulnerabilities in mod_evhost and mod_simple_vhost in
lighttpd allowed remote attackers to read arbitrary files
via … (dot dot) in the host name.

More information can be found on the lighttpd advisory
page:
<a href=“http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2”>http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2</a>
014_01.txt
<<a href=“http://download.lighttpd.net/lighttpd/security/lighttpd_sa_”>http://download.lighttpd.net/lighttpd/security/lighttpd_sa_</a>
2014_01.txt>

Security Issues references:

CVE-2014-2323
<<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2323”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2323</a>
>
CVE-2014-2324
<<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2324”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2324</a>
>

OSVersionArchitecturePackageVersionFilename
SUSE Linux Enterprise Software Development Kit11.3s390xlighttpd-mod_webdav< 1.4.20-2.54.1lighttpd-mod_webdav-1.4.20-2.54.1.s390x.rpm
SUSE Linux Enterprise Software Development Kit11.3ppc64lighttpd-mod_webdav< 1.4.20-2.54.1lighttpd-mod_webdav-1.4.20-2.54.1.ppc64.rpm
SUSE Linux Enterprise Software Development Kit11.3i586lighttpd-mod_magnet< 1.4.20-2.54.1lighttpd-mod_magnet-1.4.20-2.54.1.i586.rpm
SUSE Linux Enterprise Software Development Kit11.3ppc64lighttpd< 1.4.20-2.54.1lighttpd-1.4.20-2.54.1.ppc64.rpm
SUSE Linux Enterprise Software Development Kit11.3i586lighttpd-mod_webdav< 1.4.20-2.54.1lighttpd-mod_webdav-1.4.20-2.54.1.i586.rpm
SUSE Linux Enterprise Software Development Kit11.3s390xlighttpd-mod_magnet< 1.4.20-2.54.1lighttpd-mod_magnet-1.4.20-2.54.1.s390x.rpm
SUSE Linux Enterprise High Availability Extension11.3x86_64lighttpd< 1.4.20-2.54.1lighttpd-1.4.20-2.54.1.x86_64.rpm
SUSE Linux Enterprise High Availability Extension11.3i586lighttpd< 1.4.20-2.54.1lighttpd-1.4.20-2.54.1.i586.rpm
SUSE Linux Enterprise Software Development Kit11.3x86_64lighttpd< 1.4.20-2.54.1lighttpd-1.4.20-2.54.1.x86_64.rpm
SUSE Linux Enterprise High Availability Extension11.3s390xlighttpd< 1.4.20-2.54.1lighttpd-1.4.20-2.54.1.s390x.rpm

OS	Version	Architecture	Package	Version	Filename
SUSE Linux Enterprise Software Development Kit	11.3	s390x	lighttpd-mod_webdav	< 1.4.20-2.54.1	lighttpd-mod_webdav-1.4.20-2.54.1.s390x.rpm
SUSE Linux Enterprise Software Development Kit	11.3	ppc64	lighttpd-mod_webdav	< 1.4.20-2.54.1	lighttpd-mod_webdav-1.4.20-2.54.1.ppc64.rpm
SUSE Linux Enterprise Software Development Kit	11.3	i586	lighttpd-mod_magnet	< 1.4.20-2.54.1	lighttpd-mod_magnet-1.4.20-2.54.1.i586.rpm
SUSE Linux Enterprise Software Development Kit	11.3	ppc64	lighttpd	< 1.4.20-2.54.1	lighttpd-1.4.20-2.54.1.ppc64.rpm
SUSE Linux Enterprise Software Development Kit	11.3	i586	lighttpd-mod_webdav	< 1.4.20-2.54.1	lighttpd-mod_webdav-1.4.20-2.54.1.i586.rpm
SUSE Linux Enterprise Software Development Kit	11.3	s390x	lighttpd-mod_magnet	< 1.4.20-2.54.1	lighttpd-mod_magnet-1.4.20-2.54.1.s390x.rpm
SUSE Linux Enterprise High Availability Extension	11.3	x86_64	lighttpd	< 1.4.20-2.54.1	lighttpd-1.4.20-2.54.1.x86_64.rpm
SUSE Linux Enterprise High Availability Extension	11.3	i586	lighttpd	< 1.4.20-2.54.1	lighttpd-1.4.20-2.54.1.i586.rpm
SUSE Linux Enterprise Software Development Kit	11.3	x86_64	lighttpd	< 1.4.20-2.54.1	lighttpd-1.4.20-2.54.1.x86_64.rpm
SUSE Linux Enterprise High Availability Extension	11.3	s390x	lighttpd	< 1.4.20-2.54.1	lighttpd-1.4.20-2.54.1.s390x.rpm