Debian: DSA-2877-1: lighttpd security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2877-1
https://www.debian.org/security/                          Michael Gilbert
March 12, 2014                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lighttpd
CVE ID         : CVE-2014-2323 CVE-2014-2324
Debian Bug     : 741493

Several vulnerabilities were discovered in the lighttpd web server.

CVE-2014-2323

    Jann Horn discovered that specially crafted host names can be used to
    inject arbitrary MySQL queries in lighttpd servers using the MySQL
    virtual hosting module (mod_mysql_vhost).

    This only affects installations with the lighttpd-mod-mysql-vhost
    binary package installed and in use.

CVE-2014-2324

    Jann Horn discovered that specially crafted host names can be used to
    traverse outside of the document root under certain situations in
    lighttpd servers using either the mod_mysql_vhost, mod_evhost, or
    mod_simple_vhost virtual hosting modules.

    Servers not using these modules are not affected.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.4.28-2+squeeze1.6.

For the stable distribution (wheezy), these problems have been fixed in
version 1.4.31-4+deb7u3.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.4.33-1+nmu3.

We recommend that you upgrade your lighttpd packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/