
openSUSE 13.1 & 12.3: 2014:0449-1 Critical: Lighttpd SQL Injection

openSUSE, March 26, 2014
The latest lighttpd release for openSUSE fixes a severe SQL injection vulnerability and directory traversal flaws.
An update that fixes two vulnerabilities is now available

Description

lighttpd was updated to version 1.4.35, fixing bugs and security issues:

CVE-2014-2323: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd allowed remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.

CVE-2014-2324: Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd allowed remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname.
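Both issues above share a root cause: the request host name reached a SQL query and a filesystem path without being checked. As an added example (not lighttpd's own code), the following shows the defensive pattern: a strict hostname check standing in for request_check_hostname, a mod_mysql_vhost-style lookup that binds the host as a query parameter (sqlite3 stands in for MySQL), and a mod_evhost-style path mapping that confirms the result stays under its base directory. Table contents and paths are constructed.

```python
import os
import re
import sqlite3

# RFC 1123-style hostname grammar: labels of letters, digits and hyphens joined
# by single dots, optional trailing dot and ':port'. A stricter stand-in for
# lighttpd's request_check_hostname; added example, not the project's own code.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?(?::\d{{1,5}})?$")


def check_hostname(host: str) -> bool:
    """Accept only syntactically valid hostnames. Every label must begin with
    an alphanumeric, so an empty label ('..') or an SQL metacharacter such as
    a quote is refused before the value reaches a query or a path."""
    return bool(host) and len(host) <= 253 and _HOST_RE.match(host) is not None

def canonical_host(host: str) -> str:
    """Drop the port and trailing dot; hostnames are case-insensitive."""
    return host.rsplit(":", 1)[0].rstrip(".").lower()

def vhost_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the mod_mysql_vhost lookup table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE domains (domain TEXT PRIMARY KEY, docroot TEXT)")
    con.executemany("INSERT INTO domains VALUES (?, ?)",
                    [("www.example.test", "/srv/www/example"),
                     ("blog.example.test", "/srv/www/blog")])
    return con

def lookup_docroot(con: sqlite3.Connection, host: str):
    """mod_mysql_vhost-style lookup, hardened: validate first, then bind the
    hostname as a parameter so it is data, never part of the SQL text."""
    if not check_hostname(host):
        return None
    row = con.execute("SELECT docroot FROM domains WHERE domain = ?",
                      (canonical_host(host),)).fetchone()
    return row[0] if row else None

def evhost_docroot(base: str, host: str):
    """mod_evhost/mod_simple_vhost-style mapping to <base>/<host>, hardened:
    reject bad hostnames, then confirm the result still lies under base."""
    if not check_hostname(host):
        return None
    base = os.path.normpath(base)
    path = os.path.normpath(os.path.join(base, canonical_host(host)))
    if os.path.commonpath([base, path]) != base:
        return None  # defence in depth: never map outside the base directory
    return path
```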

More information can be found on the lighttpd advisory page: 014_01.txt

Other changes:

* [network/ssl] fix build error if TLSEXT is disabled
* [mod_fastcgi] fix use after free (only triggered if fastcgi debug is active)
* [mod_rrdtool] fix invalid read (string not null terminated)
* [mod_dirlisting] fix memory leak if pcre fails
* [mod_fastcgi,mod_scgi] fix resource leaks on spawning backends
* [mod_magnet] fix...


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE 13.1:
  zypper in -t patch openSUSE-2014-257

- openSUSE 12.3:
  zypper in -t patch openSUSE-2014-257

To bring your system up-to-date, use "zypper patch".

Package List

- openSUSE 13.1 (i586 x86_64):
  lighttpd-1.4.35-2.9.1
  lighttpd-debuginfo-1.4.35-2.9.1
  lighttpd-debugsource-1.4.35-2.9.1
  lighttpd-mod_cml-1.4.35-2.9.1
  lighttpd-mod_cml-debuginfo-1.4.35-2.9.1
  lighttpd-mod_geoip-1.4.35-2.9.1
  lighttpd-mod_geoip-debuginfo-1.4.35-2.9.1
  lighttpd-mod_magnet-1.4.35-2.9.1
  lighttpd-mod_magnet-debuginfo-1.4.35-2.9.1
  lighttpd-mod_mysql_vhost-1.4.35-2.9.1
  lighttpd-mod_mysql_vhost-debuginfo-1.4.35-2.9.1
  lighttpd-mod_rrdtool-1.4.35-2.9.1
  lighttpd-mod_rrdtool-debuginfo-1.4.35-2.9.1
  lighttpd-mod_trigger_b4_dl-1.4.35-2.9.1
  lighttpd-mod_trigger_b4_dl-debuginfo-1.4.35-2.9.1
  lighttpd-mod_webdav-1.4.35-2.9.1
  lighttpd-mod_webdav-debuginfo-1.4.35-2.9.1

- openSUSE 12.3 (i586 x86_64):
  lighttpd-1.4.35-6.9.1
  lighttpd-debuginfo-1.4.35-6.9.1
  lighttpd-debugsource-1.4.35-6.9.1
  lighttpd-mod_cml-1.4.35-6.9.1
  lighttpd-mod_cml-debuginfo-1.4.35-6.9.1
  lighttpd-mod_geoip-1.4.35-6.9.1
  lighttpd-mod_geoip-debuginfo-1.4.35-6.9.1
  lighttpd-mod_magnet-1.4.35-6.9.1
  lighttpd-mod_magnet-debuginfo-1.4.35-6.9.1
  lighttpd-mod_mysql_v...


References

https://www.suse.com/security/cve/CVE-2014-2323.html
https://www.suse.com/security/cve/CVE-2014-2324.html

Severity: critical

Announcement ID: openSUSE-SU-2014:0449-1
Rating: important
Affected Products: openSUSE 13.1, openSUSE 12.3
