Debian Security Advisory
DLA-583-1 lighttpd -- LTS security update
- Date Reported: 03 Aug 2016
- Affected Packages: lighttpd
- Security database references:
  In the Debian bugtracking system: Bug 832571.
  In Mitre's CVE dictionary: CVE-2016-1000212.
- More information:
Dominic Scheirlinck and Scott Geary of Vend reported an insecure behaviour in the lighttpd web server: lighttpd assigned the value of the client-supplied Proxy request header to the internal HTTP_PROXY environment variable. This could be used to carry out man-in-the-middle (MITM) attacks or to create connections to arbitrary hosts.
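As an added illustration (not lighttpd's own code and not part of the advisory), the snippet below shows how a CGI-style environment builder turns a client-supplied Proxy header into HTTP_PROXY, which proxy-aware client libraries in the backend then honour, alongside a hardened mapping that refuses to emit that variable. The request headers and proxy address are constructed sample values.

```python
import re

# Constructed sample request, including the attacker-controllable header.
SAMPLE_HEADERS = {
    "Host": "example.org",
    "X-Forwarded-For": "203.0.113.5",
    "Proxy": "http://198.51.100.7:3128",  # constructed value, not a real host
}


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 section 4.1.18 mapping: upper-case the field name, replace
    every character that is not a letter or digit with '_', prefix HTTP_."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())


def cgi_env_vulnerable(headers: dict) -> dict:
    """Behaviour fixed by DLA-583-1: every request header is mapped blindly,
    so a client-sent 'Proxy' header becomes the HTTP_PROXY variable."""
    return {header_to_meta_variable(k): v for k, v in headers.items()}


def cgi_env_hardened(headers: dict) -> dict:
    """Drop any header whose meta-variable name would be HTTP_PROXY.
    Checking the mapped name rather than the raw header also catches case
    variants such as 'PROXY' or 'proxy'. RFC 3875 permits a server to omit
    request headers from the CGI environment."""
    env = {}
    for name, value in headers.items():
        meta = header_to_meta_variable(name)
        if meta == "HTTP_PROXY":
            continue  # a client must never choose the backend's proxy
        env[meta] = value
    return env


def outbound_proxy(env: dict):
    """Mimics how common HTTP client libraries select a proxy from the
    environment: HTTP_PROXY (or http_proxy) is used when present. With the
    vulnerable mapping, requests the CGI script makes to other services are
    routed through the host named in the client's header."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


if __name__ == "__main__":
    print("vulnerable ->", outbound_proxy(cgi_env_vulnerable(SAMPLE_HEADERS)))
    print("hardened   ->", outbound_proxy(cgi_env_hardened(SAMPLE_HEADERS)))
```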
For Debian 7 "Wheezy", this issue has been fixed in version 1.4.31-4+deb7u5.
We recommend that you upgrade your lighttpd packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS