Debians sikkerhedsbulletin
DSA-1362-2 lighttpd -- flere sårbarheder
- Rapporteret den:
- 29. aug 2007
- Berørte pakker:
- lighttpd
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Debians fejlsporingssystem: Fejl 434888.
I Mitres CVE-ordbog: CVE-2007-3946, CVE-2007-3947, CVE-2007-3949, CVE-2007-3950, CVE-2007-4727. - Yderligere oplysninger:
-
Flere sårbarheder er opdaget i lighttpd, en hurtig webserver med minimalt hukommelsesforbrug, hvilket kunne gøre det muligt at udføre vilkårlig kode ved overløb af CGI-variable når mod_fcgi var aktiveret. Projektet Common Vulnerabilities and Exposures har fundet frem til følgende problemer:
- CVE-2007-3946
Anvendelse af mod_auth kunne føre til et lammelsesangreb (denial of service), som fik webserveren til at gå ned.
- CVE-2007-3947
Ukorrekt håndtering af gentagne HTTP-headere kunne forårsage et lammelsesangreb, som fik webserveren til at gå ned.
- CVE-2007-3949
En fejl i mod_access gjorde det potentielt muligt for fjernbrugere at omgå adgangsbegrænsninger gennem afsluttende skråstreger (
/
). - CVE-2007-3950
På 32-bit-platforme, kunne brugerne måske iværksætte lammelsesangreb, der fik webserveren til at gå ned, gennem mod_webdav, mod_fastcgi eller mod_scgi.
I den stabile distribution (etch), er disse problemer rettet i version 1.4.13-4etch4.
I den ustabile distribution (sid), er disse problemer rettet i version 1.4.16-1.
Vi anbefaler at du opgraderer din lighttpd-pakke.
- CVE-2007-3946
- Rettet i:
-
Debian GNU/Linux 4.0 (etch)
- Kildekode:
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch4.dsc
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch4.diff.gz
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch4.dsc
- Arkitekturuafhængig komponent:
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch4_all.deb
- alpha architecture (DEC Alpha)
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch4_alpha.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch4_alpha.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch4_alpha.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch4_alpha.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch4_alpha.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch4_alpha.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch4_alpha.deb
- amd64 architecture (AMD x86_64 (AMD64))
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch4_amd64.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch4_amd64.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch4_amd64.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch4_amd64.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch4_amd64.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch4_amd64.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch4_amd64.deb
- arm architecture (ARM)
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch4_arm.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch4_arm.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch4_arm.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch4_arm.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch4_arm.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch4_arm.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch4_arm.deb
- hppa architecture (HP PA RISC)
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch4_hppa.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch4_hppa.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch4_hppa.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch4_hppa.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch4_hppa.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch4_hppa.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch4_hppa.deb
- i386 architecture (Intel ia32)
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch4_i386.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch4_i386.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch4_i386.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch4_i386.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch4_i386.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch4_i386.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch4_i386.deb
- ia64 architecture (Intel ia64)
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch4_ia64.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch4_ia64.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch4_ia64.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch4_ia64.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch4_ia64.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch4_ia64.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch4_ia64.deb
- mips architecture (MIPS (Big Endian))
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch4_mips.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch4_mips.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch4_mips.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch4_mips.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch4_mips.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch4_mips.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch4_mips.deb
- powerpc architecture (PowerPC)
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch4_powerpc.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch4_powerpc.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch4_powerpc.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch4_powerpc.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch4_powerpc.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch4_powerpc.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch4_powerpc.deb
- sparc architecture (Sun SPARC/UltraSPARC)
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch4_sparc.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch4_sparc.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch4_sparc.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch4_sparc.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch4_sparc.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch4_sparc.deb
- http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch4_sparc.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.