Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-583-1 lighttpd

Debian Security Advisory

DLA-583-1 lighttpd -- LTS security update

Date Reported:

03 Aug 2016

Affected Packages:

lighttpd

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 832571.
In Mitre's CVE dictionary: CVE-2016-1000212.

More information:

Dominic Scheirlinck and Scott Geary of Vend reported an insecure behaviour in the lighttpd web server. Lighttpd assigned Proxy header values from client requests to internal HTTP_PROXY environment variables. This could be used to carry out Man in the Middle Attacks (MIDM) or create connections to arbitrary hosts.

For Debian 7 Wheezy, this issue has been fixed in version 1.4.31-4+deb7u5.

We recommend that you upgrade your lighttpd packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS