<<< Date Index >>>     <<< Thread Index >>>

[SECURITY] [DSA-1645-1] New lighttpd packages fix various problems



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1645-1                  security@xxxxxxxxxx
http://www.debian.org/security/                               Steve Kemp
October 06, 2008                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : lighttpd
Vulnerability  : various
Problem type   : remote
Debian-specific: No
CVE Id(s)      : CVE-2008-4298 CVE-2008-4359 CVE-2008-4360

Several local/remote vulnerabilities have been discovered in lighttpd,
a fast webserver with minimal memory footprint. 

The Common Vulnerabilities and Exposures project identifies the following 
problems:

CVE-2008-4298
    A memory leak in the http_request_parse function could be used by
    remote attackers to cause lighttpd to consume memory, and cause a
    denial of service attack.

CVE-2008-4359
    Inconsistent handling of URL patterns could lead to the disclosure
    of resources a server administrator did not anticipate when using
    rewritten URLs.
    
CVE-2008-4360
    Upon file systems which don't handle case-insensitive paths differently
    it might be possible that unanticipated resources could be made available
    by mod_userdir.

For the stable distribution (etch), these problems have been fixed in version
1.4.13-4etch11.

For the unstable distribution (sid), these problems will be fixed shortly.

We recommend that you upgrade your lighttpd package.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11.dsc
    Size/MD5 checksum:     1108 d747ed7b2063ad6696064bf821c50a00
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11.diff.gz
    Size/MD5 checksum:    38244 c6de19903fcf9972a3db86af50c3dfb6

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch11_all.deb
    Size/MD5 checksum:   100436 4b00f0a8ec894c84f01e0924121ddc16

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_amd64.deb
    Size/MD5 checksum:   298530 b1ebecc6e7bf459f367d7cd697cfc826
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_amd64.deb
    Size/MD5 checksum:    70718 17ccecf27a1fd3889cafbcf99b438959
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_amd64.deb
    Size/MD5 checksum:    64420 7eeeab5dac95d1318f7c0ccafdc88db3
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_amd64.deb
    Size/MD5 checksum:    59536 8c6c8f79f475e1168e7c6034fab19e7e
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_amd64.deb
    Size/MD5 checksum:    61266 51b5201427b3ef3b14f1fd8346a2be69
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_amd64.deb
    Size/MD5 checksum:    64070 d2558ad437f37b51370649f61bd594fa

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_arm.deb
    Size/MD5 checksum:    70076 9e71864930a9b029faa7d06cb83ad368
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_arm.deb
    Size/MD5 checksum:    61170 bf9adc9694e8079789f74c1ef7f159d7
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_arm.deb
    Size/MD5 checksum:    63226 613c8ac801f2897c61e9ff0e2da39e64
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_arm.deb
    Size/MD5 checksum:    59046 939e326f979ffd4ec524a37398a9a668
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_arm.deb
    Size/MD5 checksum:   287252 373373dbe20c5073e93e8ecb2a7c293e
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_arm.deb
    Size/MD5 checksum:    63434 b653d9e0dfefb364724ea7495cd98c39

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_hppa.deb
    Size/MD5 checksum:   324728 73b5dd3a1eeeeffd0f0b0190ff0cdf95
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_hppa.deb
    Size/MD5 checksum:    65224 046f3680fb5ded22085042cf0643311e
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_hppa.deb
    Size/MD5 checksum:    65712 918e553fb47bc57c8047ec1858399bcc
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_hppa.deb
    Size/MD5 checksum:    60226 8fc494d0eba0ec181acd276967f3bf6a
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_hppa.deb
    Size/MD5 checksum:    72628 b7b7512883bec97a11b68da12f0b0447
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_hppa.deb
    Size/MD5 checksum:    62188 bcab41cca185b771d91bac5b2b9d0d47

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_i386.deb
    Size/MD5 checksum:    61070 f6ea45c9b9ed3bd7f0d981e19d71fdf1
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_i386.deb
    Size/MD5 checksum:    63808 3bb9c5035f9a1e06ba9cb7af51e99a65
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_i386.deb
    Size/MD5 checksum:    71108 6ae8d10751c07ae66bff8bed2e17f715
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_i386.deb
    Size/MD5 checksum:   289948 72af5544b50eb7b28f0824d49cc46bd9
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_i386.deb
    Size/MD5 checksum:    64002 5ac520a0beb4b0049813d172da8e3c8c
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_i386.deb
    Size/MD5 checksum:    59390 f66da44a91b9dc4c733dfcfc493647f1

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_ia64.deb
    Size/MD5 checksum:    67894 5097db8cd6a61d6d6129b6e9b5c436e1
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_ia64.deb
    Size/MD5 checksum:    67744 20093c425950cc552b02dc1849003c12
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_ia64.deb
    Size/MD5 checksum:   403884 59b49d630c89b528fe46ea909dfc945c
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_ia64.deb
    Size/MD5 checksum:    61546 85f2515fd4b1d9789c4a29607cdf3f68
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_ia64.deb
    Size/MD5 checksum:    77444 7a4bf21dc0c64f18fde8ba5e437a19f7
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_ia64.deb
    Size/MD5 checksum:    63420 1b0da59a7d8d819f0fcedea756337824

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_mips.deb
    Size/MD5 checksum:    63074 1b8f8b706976a7050ce692a44c3235c2
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_mips.deb
    Size/MD5 checksum:    69648 5431ee8bb1b51afb606698a483375e07
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_mips.deb
    Size/MD5 checksum:   296954 7f0e552d9f0e8a8db5f85667b3b2442a
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_mips.deb
    Size/MD5 checksum:    58994 9774b5ec6521ac3585faa319ce987965
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_mips.deb
    Size/MD5 checksum:    62948 91c0a914100ce9247f145828dace542c
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_mips.deb
    Size/MD5 checksum:    60368 ac07e4609a5447335749290dd65b67d7

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_powerpc.deb
    Size/MD5 checksum:    72168 331b11ad7120113ad3868ee6caea7379
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_powerpc.deb
    Size/MD5 checksum:    62838 f0cd5f92e92ce7cf29c1492906ad2369
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_powerpc.deb
    Size/MD5 checksum:    65786 fdeb6f0bba353cf7bfe5e32628984e41
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_powerpc.deb
    Size/MD5 checksum:    65510 68d7c6a4deb32000d34767ef58b64618
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_powerpc.deb
    Size/MD5 checksum:   324380 6cb824c5f80fe7f5268321528bfeb0a0
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_powerpc.deb
    Size/MD5 checksum:    61026 ea46e63147d354f3e3c3bbf924de34b8

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_s390.deb
    Size/MD5 checksum:    64998 332bc6cc8b74acc9785083f8c04486eb
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_s390.deb
    Size/MD5 checksum:    71752 eb3be87d9bf983f15b01369d4cfe7ece
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_s390.deb
    Size/MD5 checksum:    59956 8e7b812b20a7c81a324dcc001c385722
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_s390.deb
    Size/MD5 checksum:   307788 11159eae7ab16e5e1e7a7be479beba42
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_s390.deb
    Size/MD5 checksum:    61444 3d8689c48093b15ce1aa41a8e64c0415
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_s390.deb
    Size/MD5 checksum:    64606 6df415487e8b951fc8394328640760dd

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_sparc.deb
    Size/MD5 checksum:    59346 673f046f66e2580edd7b78492ff90b82
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_sparc.deb
    Size/MD5 checksum:    61050 7d2fdcc70e4ddd86d2f3a7a66ed6c1f5
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_sparc.deb
    Size/MD5 checksum:    64032 8a1e6bc3aa8bfb27588706d606966898
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_sparc.deb
    Size/MD5 checksum:    63992 a11081ea69387ca39029aa5fcc6dfe34
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_sparc.deb
    Size/MD5 checksum:    70442 936290009a438ea0827cc281ae320496
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_sparc.deb
    Size/MD5 checksum:   283902 464cd3874bbbd4727d179f8bdf4710fa


  These files will probably be moved into the stable distribution on
  its next update.

- 
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFI6kriwM/Gs81MDZ0RArK/AJ42foKLAIkL/x9wizFoK/w1aTkV3QCeIcNs
0qPQ1pW14meXC4sRZPTGae8=
=cyqs
-----END PGP SIGNATURE-----