Security update for lighttpd (important)

2014-04-03T19:04:18
ID SUSE-SU-2014:0474-1
Type suse
Reporter Suse
Modified 2014-04-03T19:04:18

Description

The HTTP server lighttpd was updated to fix the following security issues:

  • CVE-2014-2323: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd allowed remote attackers to execute arbitrary SQL commands via the host name.
  • CVE-2014-2323: Multiple directory traversal vulnerabilities in mod_evhost and mod_simple_vhost in lighttpd allowed remote attackers to read arbitrary files via .. (dot dot) in the host name.
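
Both issues arise from using the client-supplied host name unvalidated, once in a SQL query and once in a file path. The C sketch below is an added example, not code from this advisory or from lighttpd: a strict allow-list check applied to a Host value before either use. `host_is_safe` is a hypothetical helper, and it deliberately rejects bracketed IPv6 literals and trailing dots.

```c
#include <stdio.h>

/* Hypothetical helper (not lighttpd code): returns 1 only if the Host value
 * is dot-separated labels of [A-Za-z0-9-] with an optional ":port".
 * Empty labels are refused, so ".." can never pass; '/', '\\', quotes,
 * spaces and every other byte outside the allow-list are refused too. */
static int is_alnum_ascii(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}

int host_is_safe(const char *host)
{
    size_t label_len = 0, total = 0, digits = 0;
    const char *p = host;

    if (host == NULL || *host == '\0')
        return 0;
    for (; *p != '\0' && *p != ':'; p++, total++) {
        unsigned char c = (unsigned char)*p;
        if (c == '.') {
            if (label_len == 0 || p[-1] == '-')   /* empty label, or label ends in '-' */
                return 0;
            label_len = 0;
        } else if (is_alnum_ascii(c) || (c == '-' && label_len > 0)) {
            if (++label_len > 63)                 /* DNS label length limit */
                return 0;
        } else {
            return 0;                             /* byte outside the allow-list */
        }
    }
    if (label_len == 0 || p[-1] == '-' || total > 253)
        return 0;                                 /* trailing dot/hyphen, or name too long */
    if (*p == ':') {                              /* optional port: 1 to 5 digits */
        for (p++; *p != '\0'; p++, digits++)
            if (*p < '0' || *p > '9')
                return 0;
        if (digits == 0 || digits > 5)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample Host values, for illustration only. */
    const char *samples[] = { "www.example.com", "www.example.com:8080",
                              "a..b", "www.example.com/..", "www.example.com'" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i], host_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A check like this belongs at request parsing, before any virtual-host module sees the value; parameterized queries and path canonicalization remain worthwhile as a second layer.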

More information can be found on the lighttpd advisory page: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt

Security Issues references:

  • CVE-2014-2323 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2323>
  • CVE-2014-2324 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2324>