Debian: New lighttpd packages fix several vulnerabilities

    Date 29 Aug 2007
    Posted By LinuxSecurity Advisories
    Several vulnerabilities were discovered in lighttpd, a fast webserver with minimal memory footprint. The use of mod_auth could lead to a denial of service attack crashing the webserver.
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1362
    https://www.debian.org/security/                               Steve Kemp
    August 29th, 2007                     https://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : lighttpd
    Vulnerability  : various
    Problem type   : local/remote
    Debian-specific: no
    CVE Id(s)      : CVE-2007-3946
    Debian Bug     : 434888
    
    Several vulnerabilities were discovered in lighttpd, a fast webserver with
    minimal memory footprint.  The Common Vulnerabilities and Exposures project
    identifies the following problems:
    
    CVE-2007-3946
    
        The use of mod_auth could lead to a denial of service attack crashing
        the webserver.
    
    CVE-2007-3947
    
        The improper handling of repeated HTTP headers could cause a denial
        of service attack crashing the webserver.
    
    CVE-2007-3949
    
        A bug in mod_access potentially allows remote users to bypass
        access restrictions via trailing slash characters.
    
    CVE-2007-3950
    
        On 32-bit platforms users may be able to create denial of service
        attacks, crashing the webserver, via mod_webdav, mod_fastcgi, or
        mod_scgi.
    
    
    For the stable distribution (etch), these problems have been fixed in version
    1.4.13-4etch3.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 1.4.16-1.
    
    We recommend that you upgrade your lighttpd package.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Source archives:
    
      https://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz
        Size/MD5 checksum:   793309 3a64323b8482b0e8a6246dbfdb4c39dc
      https://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3.dsc
        Size/MD5 checksum:     1098 e759ee83cf22697f62b11df286973b7a
      https://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3.diff.gz
        Size/MD5 checksum:    33811 259574ed674f31dd8c44dc46809656bb
    
    Architecture independent packages:
    
      https://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch3_all.deb
        Size/MD5 checksum:    99376 c4ea0d3adca48f1c749b4c3e49293bba
    
    
      These files will probably be moved into the stable distribution on
      its next update.
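
An added example, not part of the advisory: before running `dpkg -i` on a manually fetched file, compare it with the `Size/MD5 checksum` entry the advisory lists for that file name. The function names and the saved-advisory file name are hypothetical, and `awk` and `md5sum` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of DSA-1362; function names are hypothetical.

# Print "SIZE MD5" for package file name $2 as listed in advisory text $1
# ("-" reads stdin). Listing format: a URL line, then a
# "Size/MD5 checksum: SIZE MD5" line for that URL.
advisory_entry() {
    awk -v want="$2" '
        $1 ~ /^(https?|ftp):\/\// { n = split($1, p, "/"); name = p[n]; next }
        $1 == "Size/MD5" && name == want { print $3, $4; exit }
    ' "$1"
}

# Return 0 only if file $2 has the size and MD5 the advisory $1 lists for it,
# 1 on a mismatch, 2 if the file is missing or not listed.
verify_download() {
    [ -f "$2" ] || { echo "no such file: $2" >&2; return 2; }
    entry=$(advisory_entry "$1" "$(basename "$2")")
    [ -n "$entry" ] || { echo "not listed in advisory: $2" >&2; return 2; }
    want_size=${entry% *}
    want_md5=${entry#* }
    have_size=$(wc -c < "$2" | tr -d ' ')
    have_md5=$(md5sum "$2" | cut -d' ' -f1)
    if [ "$have_size" = "$want_size" ] && [ "$have_md5" = "$want_md5" ]; then
        return 0
    fi
    echo "MISMATCH: $2 (size $have_size, md5 $have_md5)" >&2
    return 1
}

# One entry copied from this advisory's package list, for trying the parser.
sample_advisory() {
    cat <<'EOF'
  https://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch3_all.deb
    Size/MD5 checksum:    99376 c4ea0d3adca48f1c749b4c3e49293bba
EOF
}

# Usage, with the advisory saved as dsa-1362.txt (assumed file name):
#   verify_download dsa-1362.txt lighttpd-doc_1.4.13-4etch3_all.deb \
#       && dpkg -i lighttpd-doc_1.4.13-4etch3_all.deb
```

The check only ties the file to the advisory text it was compared against, so the result is as trustworthy as the copy of the advisory used.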
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb https://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    
