[SECURITY] [DLA 583-1] lighttpd security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 583-1] lighttpd security update
From: "Santiago R.R." <santiagorr@riseup.net>
Date: Wed, 3 Aug 2016 08:05:32 +0200
Message-id: <[🔎] 20160803060531.w6h43ewjkwkbhmyr@riseup.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

Package        : lighttpd
Version        : 1.4.31-4+deb7u5
CVE ID         : CVE-2016-1000212
Debian Bug     : 832571

Dominic Scheirlinck and Scott Geary of Vend reported an insecure
behaviour in the lighttpd web server. Lighttpd assigned Proxy header
values from client requests to internal HTTP_PROXY environment
variables. This could be used to carry out Man in the Middle Attacks
(MIDM) or create connections to arbitrary hosts.

For Debian 7 "Wheezy", this issue has been fixed in version
1.4.31-4+deb7u5.

We recommend that you upgrade your lighttpd packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 582-1] libidn security update
Next by Date: [SECURITY] [DLA 581-1] libreoffice security update
Previous by thread: [SECURITY] [DLA 582-1] libidn security update
Next by thread: [SECURITY] [DLA 581-1] libreoffice security update
Index(es):
- Date
- Thread