Debian Security Advisory
DSA-2877-1 lighttpd -- security update
- Date Reported:
- 12 Mar 2014
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 741493.
In Mitre's CVE dictionary: CVE-2014-2323, CVE-2014-2324.
- More information:
Several vulnerabilities were discovered in the lighttpd web server.
Jann Horn discovered that specially crafted host names can be used to inject arbitrary MySQL queries in lighttpd servers using the MySQL virtual hosting module (mod_mysql_vhost).
This only affects installations with the lighttpd-mod-mysql-vhost binary package installed and in use.
Jann Horn discovered that specially crafted host names can be used to traverse outside of the document root under certain situations in lighttpd servers using either the mod_mysql_vhost, mod_evhost, or mod_simple_vhost virtual hosting modules.
Servers not using these modules are not affected.
For the oldstable distribution (squeeze), these problems have been fixed in version 1.4.28-2+squeeze1.6.
For the stable distribution (wheezy), these problems have been fixed in version 1.4.31-4+deb7u3.
For the testing distribution (jessie), these problems will be fixed soon.
For the unstable distribution (sid), these problems have been fixed in version 1.4.33-1+nmu3.
We recommend that you upgrade your lighttpd packages.