
openSUSE 11.4: 2014:0496-1 Critical Alert for lighttpd SQL Injection

April 8, 2014
Patch addresses critical vulnerabilities in lighttpd, boosting system security for openSUSE 11.4.
An update that fixes two vulnerabilities is now available

Description

lighttpd was updated to version 1.4.35, fixing bugs and security issues:

CVE-2014-2323: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd allowed remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.

CVE-2014-2324: Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd allowed remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname.

More information can be found on the lighttpd advisory page:

014_01.txt
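Both issues come down to trusting the Host header: once in the SQL text of the vhost lookup, once as a path component of the document root. The following is an added example written for this page, not lighttpd's own code or its fix. It uses an in-memory sqlite3 table as a stand-in for the MySQL backend of mod_mysql_vhost, and the function and table names (normalize_hostname, build_vhost_db, docroot_unsafe, docroot_safe, the domains table) are assumptions for illustration. It shows the host-name check that rejects `..`, empty labels and characters outside the hostname alphabet, a lookup that pastes the host into the query string (the vulnerable pattern), and the hardened lookup that validates and binds the value instead.

```python
import re
import sqlite3
from typing import Optional

# One RFC 1123 label: alphanumerics and hyphens, no leading or trailing
# hyphen, at most 63 characters.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def normalize_hostname(host: str) -> Optional[str]:
    """Return the lower-cased host name from a Host header value, or None
    if it is not a syntactically valid hostname.

    An optional ':port' and a trailing dot are stripped.  A '..' sequence
    or a leading dot yields an empty label and is rejected, as are '/' and
    any other character outside the RFC 1123 alphabet, so the result can
    be used as a path component.  IPv6 literals such as [::1] are not
    handled here and are rejected.
    """
    if not host or len(host) > 253:
        return None
    if ":" in host:
        host, _, port = host.rpartition(":")
        if not port.isdigit():
            return None
    if host.endswith("."):
        host = host[:-1]
    labels = host.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return None
    return host.lower()


def build_vhost_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the MySQL backend of
    mod_mysql_vhost: host name -> document root (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (domain TEXT PRIMARY KEY, docroot TEXT)")
    conn.executemany(
        "INSERT INTO domains VALUES (?, ?)",
        [("example.test", "/srv/www/example.test"),
         ("shop.example.test", "/srv/www/shop.example.test")],
    )
    return conn


def docroot_unsafe(conn: sqlite3.Connection, host: str) -> Optional[str]:
    """The CVE-2014-2323 pattern: the raw host name is pasted into the SQL
    text, so a quote in the Host header changes the statement itself
    (here it surfaces as a syntax error from the database)."""
    sql = "SELECT docroot FROM domains WHERE domain = '%s'" % host
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def docroot_safe(conn: sqlite3.Connection, host: str) -> Optional[str]:
    """Hardened lookup: validate the host name first, then pass it as a
    bound parameter so it is only ever compared as a value."""
    name = normalize_hostname(host)
    if name is None:
        return None
    row = conn.execute(
        "SELECT docroot FROM domains WHERE domain = ?", (name,)
    ).fetchone()
    return row[0] if row else None
```

The validation step matters even with a parameterized query: the looked-up name is later joined onto a filesystem path, and a bound parameter protects the SQL, not the path. Rejecting empty labels closes the `..` case before any string concatenation happens.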

Other changes:

* [network/ssl] fix build error if TLSEXT is disabled
* [mod_fastcgi] fix use after free (only triggered if fastcgi debug is active)
* [mod_rrdtool] fix invalid read (string not null terminated)
* [mod_dirlisting] fix memory leak if pcre fails
* [mod_fastcgi,mod_scgi] fix resource leaks on spawning backends
* [mod_magnet] fix memory...


Patch

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE 11.4:

zypper in -t patch 2014-44

To bring your system up-to-date, use "zypper patch".

Package List

- openSUSE 11.4 (i586 x86_64):

lighttpd-1.4.35-41.1
lighttpd-debuginfo-1.4.35-41.1
lighttpd-debugsource-1.4.35-41.1
lighttpd-mod_cml-1.4.35-41.1
lighttpd-mod_cml-debuginfo-1.4.35-41.1
lighttpd-mod_geoip-1.4.35-41.1
lighttpd-mod_geoip-debuginfo-1.4.35-41.1
lighttpd-mod_magnet-1.4.35-41.1
lighttpd-mod_magnet-debuginfo-1.4.35-41.1
lighttpd-mod_mysql_vhost-1.4.35-41.1
lighttpd-mod_mysql_vhost-debuginfo-1.4.35-41.1
lighttpd-mod_rrdtool-1.4.35-41.1
lighttpd-mod_rrdtool-debuginfo-1.4.35-41.1
lighttpd-mod_trigger_b4_dl-1.4.35-41.1
lighttpd-mod_trigger_b4_dl-debuginfo-1.4.35-41.1
lighttpd-mod_webdav-1.4.35-41.1
lighttpd-mod_webdav-debuginfo-1.4.35-41.1
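After applying the patch, the useful check is whether every lighttpd package on the host is at or above the versions listed above. This is an added example for this page, not a SUSE or openSUSE tool: it compares `VERSION-RELEASE` strings the way rpm does (numeric runs as integers, alphabetic runs lexically, no epoch or tilde handling) and flags packages older than the fixed release. The sample input is constructed to look like the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, and the function names (rpmvercmp, compare_vr, find_unpatched) are assumptions for illustration; the debuginfo packages are omitted from the table since they carry the same version as their parent package.

```python
import re
from typing import List, Tuple

# Fixed versions from this advisory (openSUSE 11.4, i586/x86_64).
FIXED_VERSIONS = {
    "lighttpd": "1.4.35-41.1",
    "lighttpd-mod_cml": "1.4.35-41.1",
    "lighttpd-mod_geoip": "1.4.35-41.1",
    "lighttpd-mod_magnet": "1.4.35-41.1",
    "lighttpd-mod_mysql_vhost": "1.4.35-41.1",
    "lighttpd-mod_rrdtool": "1.4.35-41.1",
    "lighttpd-mod_trigger_b4_dl": "1.4.35-41.1",
    "lighttpd-mod_webdav": "1.4.35-41.1",
}

# Constructed sample of what
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# might print on a partially updated host (not real output).
SAMPLE_RPM_OUTPUT = """\
lighttpd 1.4.28-5.1
lighttpd-mod_mysql_vhost 1.4.28-5.1
lighttpd-mod_magnet 1.4.35-41.1
bash 4.1-20.1
"""


def _segments(s: str) -> List[str]:
    """Split a version string into its numeric and alphabetic runs."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version comparison (no epoch or tilde handling):
    numeric runs compare as integers, alphabetic runs lexically, a numeric
    run sorts after an alphabetic one, and when all shared runs are equal
    the longer sequence is newer.  Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit():
            return 1
        if y.isdigit():
            return -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(installed: str, fixed: str) -> int:
    """Compare two 'VERSION-RELEASE' strings: version first, then release.
    A string without '-' is treated as a bare release."""
    iv, _, ir = installed.rpartition("-")
    fv, _, fr = fixed.rpartition("-")
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def find_unpatched(rpm_output: str) -> List[Tuple[str, str, str]]:
    """Return (name, installed, fixed) for every package named in the
    advisory whose installed version-release is older than the fixed one.
    Packages not covered by the advisory are ignored."""
    stale = []
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, vr = parts
        fixed = FIXED_VERSIONS.get(name)
        if fixed is not None and compare_vr(vr, fixed) < 0:
            stale.append((name, vr, fixed))
    return stale


if __name__ == "__main__":
    for name, installed, fixed in find_unpatched(SAMPLE_RPM_OUTPUT):
        print(f"{name}: installed {installed}, fixed in {fixed}")
```

A plain string comparison would get this wrong (`"1.4.9"` sorts after `"1.4.35"` lexically), which is why the segment-wise comparison is worth the extra lines; on a real host, feed the rpm output in instead of the constructed sample.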

References

https://www.suse.com/security/cve/CVE-2014-2323.html

https://www.suse.com/security/cve/CVE-2014-2324.html

Severity: important

Announcement ID: openSUSE-SU-2014:0496-1
Rating: important
Affected Products: openSUSE 11.4
