Security: Multiple problems in lighttpd
Name: Multiple problems in lighttpd
ID: 200812-04
Distribution: Gentoo
Platforms: Not specified
Date: Tue, December 2, 2008, 18:55
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4359
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4360
Applications: lighttpd

Original message
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200812-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: lighttpd: Multiple vulnerabilities
      Date: December 02, 2008
      Bugs: #238180
        ID: 200812-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in lighttpd may lead to information disclosure or a Denial of Service.

Background
==========

lighttpd is a lightweight high-performance web server.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  www-servers/lighttpd       < 1.4.20                     >= 1.4.20

Description
===========

Multiple vulnerabilities have been reported in lighttpd:
* Qhy reported a memory leak in the http_request_parse() function in request.c (CVE-2008-4298).
* Gaetan Bisson reported that URIs are not decoded before applying url.redirect and url.rewrite rules (CVE-2008-4359).
* Anders1 reported that mod_userdir performs case-sensitive comparisons on filename components in configuration options, which is insufficient when case-insensitive filesystems are used (CVE-2008-4360).
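
The mismatch behind CVE-2008-4359, as an added example that is not part of the advisory or of lighttpd's code: it scans access-log entries for requests whose percent-decoded path matches a rule pattern that the raw path does not. The rule patterns, log lines and function names are constructed for illustration, and it assumes the log records the request target as received.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed rule patterns in the spirit of url.redirect / url.rewrite
# keys; they are illustrative and not taken from any real configuration.
RULE_PATTERNS = [re.compile(r"^/private/"), re.compile(r"\.inc$")]

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')


def rules_hit(path):
    """Indexes of the rule patterns that match the given path string."""
    return {i for i, rx in enumerate(RULE_PATTERNS) if rx.search(path)}


def evaded_rules(target):
    """Rules that match the decoded path but not the raw one.

    A non-empty result is the mismatch behind CVE-2008-4359: a server that
    matches rules on the undecoded URI would not apply them to this request.
    """
    raw_path = urlsplit(target).path  # drop the query string, keep escapes
    return rules_hit(unquote(raw_path)) - rules_hit(raw_path)


def scan_access_log(lines):
    """Return (request target, evaded rule regexes) for suspicious entries."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-HTTP entry
        evaded = evaded_rules(m.group(1))
        if evaded:
            patterns = sorted(RULE_PATTERNS[i].pattern for i in evaded)
            findings.append((m.group(1), patterns))
    return findings


# Constructed access-log lines (documentation address range 192.0.2.0/24).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Dec/2008:18:55:00 +0000] "GET /private/a.txt HTTP/1.1" 200 12',
    '192.0.2.11 - - [02/Dec/2008:18:55:02 +0000] "GET /%70rivate/a.txt HTTP/1.1" 200 12',
    '192.0.2.12 - - [02/Dec/2008:18:55:03 +0000] "GET /lib/db.in%63?x=1 HTTP/1.1" 200 40',
    '192.0.2.13 - - [02/Dec/2008:18:55:04 +0000] "GET /index.html HTTP/1.1" 200 99',
]
```

Entries flagged by `scan_access_log` on a host that ran a version below 1.4.20 are the ones worth reviewing against the configured rules.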

Impact
======

A remote attacker could exploit these vulnerabilities to cause a Denial of Service, to bypass intended access restrictions, to obtain sensitive information, or to possibly modify data.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All lighttpd users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.20"

References
==========

  [ 1 ] CVE-2008-4298
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4298
  [ 2 ] CVE-2008-4359
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4359
  [ 3 ] CVE-2008-4360
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4360

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200812-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5