Debian Security Advisory

DLA-583-1 lighttpd -- LTS security update

Date Reported:
03 Aug 2016
Affected Packages:
lighttpd
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 832571.
In Mitre's CVE dictionary: CVE-2016-1000212.
More information:

Dominic Scheirlinck and Scott Geary of Vend reported an insecure behaviour in the lighttpd web server. Lighttpd copied the value of the client-supplied Proxy request header into the internal HTTP_PROXY environment variable. This could be used to carry out man-in-the-middle (MITM) attacks or to create connections to arbitrary hosts.
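As an added illustration (not lighttpd's own code), the following shows the CGI meta-variable naming rule that turns a client-supplied Proxy header into HTTP_PROXY, next to a hardened mapping that refuses to forward it; the request headers are constructed for the example.

```python
# Constructed sample request headers (not from the advisory): a client sends a
# "Proxy" header, which the CGI naming rule would otherwise map to HTTP_PROXY.
SAMPLE_HEADERS = [
    ("Host", "www.example.org"),
    ("Proxy", "http://untrusted-proxy.invalid:8080"),
    ("User-Agent", "curl/7.38.0"),
]


def cgi_meta_variable(header_name):
    """RFC 3875 rule: upper-case the header name, replace '-' with '_',
    and prepend 'HTTP_'. 'Proxy' therefore becomes 'HTTP_PROXY'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_env_vulnerable(headers):
    """Pre-fix behaviour: every request header becomes a meta-variable, so a
    client-supplied Proxy header lands in HTTP_PROXY, the variable that many
    HTTP client libraries read as their outbound proxy setting."""
    return {cgi_meta_variable(name): value for name, value in headers}


def build_cgi_env_hardened(headers):
    """Mitigated behaviour: the Proxy header is never forwarded as HTTP_PROXY.
    Header names are case-insensitive, so the comparison is too."""
    return {
        cgi_meta_variable(name): value
        for name, value in headers
        if name.lower() != "proxy"
    }


def requests_with_proxy_header(header_sets):
    """Detection helper: count requests that carry a client-supplied Proxy
    header; ordinary browsers and HTTP clients do not send one."""
    return sum(
        1
        for headers in header_sets
        if any(name.lower() == "proxy" for name, _ in headers)
    )


if __name__ == "__main__":
    vulnerable = build_cgi_env_vulnerable(SAMPLE_HEADERS)
    hardened = build_cgi_env_hardened(SAMPLE_HEADERS)
    print("vulnerable HTTP_PROXY:", vulnerable.get("HTTP_PROXY"))
    print("hardened   HTTP_PROXY:", hardened.get("HTTP_PROXY"))
    print("requests with Proxy header:", requests_with_proxy_header([SAMPLE_HEADERS]))
```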

For Debian 7 Wheezy, this issue has been fixed in version 1.4.31-4+deb7u5.

We recommend that you upgrade your lighttpd packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS