
Wednesday, August 29, 2007

[SECURITY] [DSA 1362-1] New lighttpd packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ------------------------------------------------------------------------
Debian Security Advisory DSA-1362 security@debian.org
http://www.debian.org/security/

Steve Kemp
August 29th, 2007

http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : lighttpd
Vulnerability : various
Problem type : local/remote
Debian-specific: no
CVE Id(s) : CVE-2007-3946 CVE-2007-3947 CVE-2007-3949 CVE-2007-3950
Debian Bug : 434888

Several vulnerabilities were discovered in lighttpd, a fast webserver with
minimal memory footprint. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2007-3946

The use of mod_auth could lead to a denial of service attack crashing
the webserver.

CVE-2007-3947

The improper handling of repeated HTTP headers could cause a denial
of service attack crashing the webserver.

CVE-2007-3949

A bug in mod_access potentially allows remote users to bypass
access restrictions via trailing slash characters.

CVE-2007-3950

On 32-bit platforms users may be able to create denial of service
attacks, crashing the webserver, via mod_webdav, mod_fastcgi, or
mod_scgi.
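
The mod_access issue above is a path-normalization bug: a suffix-based deny
rule (lighttpd's url.access-deny matches the end of the URL path) is applied
to the path exactly as the client sent it, so a request for "/config.inc/"
does not end in ".inc" and slips past the rule. The model below is an added
illustration of that class of flaw, not lighttpd's source: the deny list
("~", ".inc") and the request paths are constructed samples, and the model
assumes the backend resolves "/x.inc/" and "/x.inc" to the same resource,
which is the condition under which the trailing slash becomes a bypass. The
fixed check strips trailing slashes before matching.

```python
"""Suffix-based deny rule, before and after path normalization.

Added model of the trailing-slash bypass class, not lighttpd's mod_access code.
Assumes a url.access-deny style rule and a backend that serves '/x.inc/' as
'/x.inc'.
"""

DENY_SUFFIXES = ("~", ".inc")   # constructed sample rule, like url.access-deny


def is_denied_naive(path, suffixes=DENY_SUFFIXES):
    """Pre-fix behaviour: match the suffix against the path as sent.

    '/config.inc/' does not end in '.inc', so this returns False and the
    request is allowed even though the backend serves config.inc."""
    return any(path.endswith(s) for s in suffixes)


def normalize_path(path):
    """Strip trailing slashes (keeping a bare '/') so the rule is applied to
    the resource the backend will actually resolve."""
    stripped = path.rstrip("/")
    return stripped if stripped else "/"


def is_denied_fixed(path, suffixes=DENY_SUFFIXES):
    """Post-fix behaviour: apply the same suffix rule to the normalized path."""
    return any(normalize_path(path).endswith(s) for s in suffixes)


def evaluate(paths, suffixes=DENY_SUFFIXES):
    """Return {path: (naive_denied, fixed_denied)} for a batch of requests."""
    return {p: (is_denied_naive(p, suffixes), is_denied_fixed(p, suffixes))
            for p in paths}


if __name__ == "__main__":
    # Constructed sample requests; the ones with trailing slashes are the
    # bypass cases the advisory describes.
    sample = ["/config.inc", "/config.inc/", "/config.inc///",
              "/backup.conf~", "/backup.conf~/", "/index.html", "/"]
    for path, (naive, fixed) in evaluate(sample).items():
        print(f"{path:18s} naive={'DENY' if naive else 'allow':5s} "
              f"fixed={'DENY' if fixed else 'allow'}")
```

Normalization has to happen before every rule that keys on the path, not
only in the deny list; a rule evaluated on the raw request and a backend that
evaluates its own canonical form will always disagree somewhere.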


For the stable distribution (etch), these problems have been fixed in version
1.4.13-4etch3.

For the unstable distribution (sid), these problems have been fixed in
version 1.4.16-1.

We recommend that you upgrade your lighttpd package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
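
Two checks a practitioner wants after following the instructions above: that
a manually fetched .deb matches the size and MD5 the advisory publishes, and
that the version actually installed is at least the fixed one (1.4.13-4etch3
on etch, 1.4.16-1 on sid). The script below is an added example, not part of
the advisory or of Debian's tooling. It parses the advisory's own listing
layout (a URL line followed by a "Size/MD5 checksum: <size> <md5>" line; the
two entries embedded are copied from the i386 section above) and
re-implements dpkg's version ordering so the comparison runs on a host that
has no dpkg. The MD5 values only guard against a damaged download; their
authenticity rests on the PGP signature over this advisory.

```python
"""Check a DSA package listing and whether an installed version is fixed.

Added example; not from the advisory or from Debian's tools. Re-implements
dpkg's version ordering (epoch:upstream-revision, '~' sorts lowest).
"""
import hashlib
import re

FIXED_ETCH = "1.4.13-4etch3"   # fixed version for etch, from the advisory
FIXED_SID = "1.4.16-1"         # fixed version for sid, from the advisory

# Excerpt in the advisory's own layout; both entries copied from the i386 list.
LISTING = """
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_i386.deb
Size/MD5 checksum: 286996 802f3844967326a42ab410578f1a2828
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_i386.deb
Size/MD5 checksum: 70006 2195971aa95082d9a67a0ade17bb16b0
"""
_CHECKSUM = re.compile(r"Size/MD5 checksum:\s*(\d+)\s+([0-9a-fA-F]{32})")


def parse_listing(text):
    """Map each package URL in the listing to its (size, md5) pair."""
    entries, url = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("http://", "https://")):
            url = line
            continue
        m = _CHECKSUM.search(line)
        if m and url:
            entries[url] = (int(m.group(1)), m.group(2).lower())
            url = None
    return entries


def verify_bytes(data, size, md5):
    """True only when both the size and the MD5 match the published values."""
    return len(data) == size and hashlib.md5(data).hexdigest() == md5.lower()


def verify_file(path, size, md5):
    """Same check for a downloaded .deb on disk."""
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), size, md5)


def _order(c):
    """Weight of one non-digit character, as in dpkg's order()."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare upstream or revision strings; <0, 0, >0 like strcmp."""
    def ch(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))   # non-digit run
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while ch(a, i) == "0":          # digit run: drop leading zeros,
            i += 1                      # longer run wins, else first differing digit
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split 'epoch:upstream-revision' into (int epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1 with the ordering of `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def needs_upgrade(installed, fixed):
    """True when the installed version is older than the fixed one."""
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    for url, (size, md5) in parse_listing(LISTING).items():
        print(f"{url.rsplit('/', 1)[1]}: {size} bytes, md5 {md5}")
    for v in ("1.4.13-4etch2", FIXED_ETCH, FIXED_ETCH + "~bpo1", FIXED_SID):
        print(f"{v:22s} {'needs upgrade' if needs_upgrade(v, FIXED_ETCH) else 'fixed'}")
```

On a Debian host the installed version comes from
`dpkg-query -W -f='${Version}' lighttpd`, and `dpkg --compare-versions` is
the authoritative ordering; the re-implementation above exists so the same
check can run from an inventory system that is not Debian. Note that a
backport-style version such as 1.4.13-4etch3~bpo1 sorts below 1.4.13-4etch3
and is therefore reported as needing the upgrade.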


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz

Size/MD5 checksum: 793309 3a64323b8482b0e8a6246dbfdb4c39dc

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3.dsc

Size/MD5 checksum: 1098 e759ee83cf22697f62b11df286973b7a

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3.diff.gz

Size/MD5 checksum: 33811 259574ed674f31dd8c44dc46809656bb

Architecture independent packages:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch3_all.deb

Size/MD5 checksum: 99376 c4ea0d3adca48f1c749b4c3e49293bba

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_alpha.deb

Size/MD5 checksum: 71460 8b25398ab656e85d82ef611d7110191c

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_alpha.deb

Size/MD5 checksum: 64650 d023bc4775d81b0f0be9d56043d2d893

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_alpha.deb

Size/MD5 checksum: 318496 54eb4b6bdfcf41c72f5d3b2f8f91778d

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_alpha.deb

Size/MD5 checksum: 59244 6098a74659117029c062132179e88a96

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_alpha.deb

Size/MD5 checksum: 60996 2c30d7179beeea97d1e868d34cc314c5

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_alpha.deb

Size/MD5 checksum: 64226 36bdb8c2ecbe874aaec676cd7c3992c9

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_amd64.deb

Size/MD5 checksum: 60664 8b1e4185d6961a8dd6823c90b698d1a0

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_amd64.deb

Size/MD5 checksum: 63542 420d82c389da7a774118495eca87ae76

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_amd64.deb

Size/MD5 checksum: 58986 17e377ca088aaa2f5fcb84902eaa75da

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_amd64.deb

Size/MD5 checksum: 63870 02499705ef7a069be4df2fff55fbfd97

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_amd64.deb

Size/MD5 checksum: 297416 9931993931036ec2252d39cade28bc09

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_amd64.deb

Size/MD5 checksum: 70150 3665d99b3aa0153ad51168a392e3dbfd

arm architecture (ARM)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_arm.deb

Size/MD5 checksum: 62766 dfa6a35455776fd429420bdac95f3d6a

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_arm.deb

Size/MD5 checksum: 62624 87ad57adafd7dac22bace1b3f78c3a8d

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_arm.deb

Size/MD5 checksum: 58522 e919dd7724d7ed3cbf69c06a07cda5c6

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_arm.deb

Size/MD5 checksum: 60450 d97c010d5a7a732d7b72b0999b1d2981

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_arm.deb

Size/MD5 checksum: 69582 6a73b105d5640f06676ed67f4f377702

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_arm.deb

Size/MD5 checksum: 288496 7d4e2ad91b8b4d5e7508112a2702e7a2

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_hppa.deb

Size/MD5 checksum: 72640 20e2a23db84c6087d2ceadf132237307

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_hppa.deb

Size/MD5 checksum: 59588 b2cf574224dc849bfe7c1ad9e4934c55

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_hppa.deb

Size/MD5 checksum: 65116 cb79c0db6b1d90fe0b5414707a982870

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_hppa.deb

Size/MD5 checksum: 323700 58b6d9a3e9f959109cebe9bd2568d084

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_hppa.deb

Size/MD5 checksum: 61438 5670fd8056e890cfcee290d9905c1c6a

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_hppa.deb

Size/MD5 checksum: 64662 e64d288444457ad1b39d6a6bf0744987

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_i386.deb

Size/MD5 checksum: 60440 e3423b0c025ba70a649f93afb67c1cff

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_i386.deb

Size/MD5 checksum: 286996 802f3844967326a42ab410578f1a2828

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_i386.deb

Size/MD5 checksum: 58648 af9b965e45f78ad92c8c77ca05e28e61

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_i386.deb

Size/MD5 checksum: 70006 2195971aa95082d9a67a0ade17bb16b0

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_i386.deb

Size/MD5 checksum: 63114 f5796a135101dcc9c7f17ff4a2acfa54

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_i386.deb

Size/MD5 checksum: 63354 c5f753b53e66c8d07130625835378379

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_ia64.deb

Size/MD5 checksum: 60830 28f35d9770d96cbc7c3b08790ae363fc

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_ia64.deb

Size/MD5 checksum: 66988 fc243d57a0019a596e4005e11f74c8d0

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_ia64.deb

Size/MD5 checksum: 67148 60a0c56991502c957200179f6b1a5b80

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_ia64.deb

Size/MD5 checksum: 403080 414aa7e0a26ef46678d49e6a818f2c5f

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_ia64.deb

Size/MD5 checksum: 62702 1c554d315d8f1a2fd06ceffb8bdf4a09

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_ia64.deb

Size/MD5 checksum: 76696 1e0d1beac8bb36bf5c82da00271748d3

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_mips.deb

Size/MD5 checksum: 58958 3535829d49a0a3cf1675b430a7f86e61

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_mips.deb

Size/MD5 checksum: 63148 0811ae02e2b242dd8b6daa11f49ab357

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_mips.deb

Size/MD5 checksum: 63000 5f82b35e39c23618d616432c4fdf3d55

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_mips.deb

Size/MD5 checksum: 69676 4e46069f91751eaf40526eed244049af

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_mips.deb

Size/MD5 checksum: 60398 de38e5c12a8f2d5aab03d6dcb6c68fd4

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_mips.deb

Size/MD5 checksum: 296092 5cebdb3b6f4f300503dceec97ff5fdb1

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_mipsel.deb

Size/MD5 checksum: 69648 ffa762a3a4041eee374b9735b00102f7

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_mipsel.deb

Size/MD5 checksum: 60404 231b375e6591fbff5237fcfc560da580

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_mipsel.deb

Size/MD5 checksum: 63012 335f6be5702df10dd0832a7a513142e8

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_mipsel.deb

Size/MD5 checksum: 58930 09525411ab17b991b1b5da3ce0ef2271

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_mipsel.deb

Size/MD5 checksum: 296470 9e5d70e2dd6f5ad4fecdf25cc9e2be75

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_mipsel.deb

Size/MD5 checksum: 63188 5d8c22a4a7f7f5f2e992f738fff56fc7

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_powerpc.deb

Size/MD5 checksum: 60302 aa2ae5c7d472398201af510b2b98e8b7

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_powerpc.deb

Size/MD5 checksum: 62116 802c522b2b36c25beb043f1aab7f378c

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_powerpc.deb

Size/MD5 checksum: 71404 bdbd879e21dd5dfad5123f15b98c85f7

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_powerpc.deb

Size/MD5 checksum: 64766 b53358fbebbfc721580ab21f4f568d53

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_powerpc.deb

Size/MD5 checksum: 323284 04c290e9fcb6480cc6c6ae0c1d73db3d

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_powerpc.deb

Size/MD5 checksum: 65046 d528c07e0631710b11549a91257ddbd4

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_s390.deb

Size/MD5 checksum: 71002 17d6443af1d09e6d92d8e834110c8973

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_s390.deb

Size/MD5 checksum: 64282 b398dfadbb6fb510ad625e7dadfa61e3

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_s390.deb

Size/MD5 checksum: 59232 2917d6a60f6284120b1c48de4f2b9b9d

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_s390.deb

Size/MD5 checksum: 306470 fe239b45d2201aeda34ad0395c881b74

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_s390.deb

Size/MD5 checksum: 60734 0be7bc114adaa57a0d533979cbb94455

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_s390.deb

Size/MD5 checksum: 63892 fdba3d63a19576948649939500d6df3c

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_sparc.deb

Size/MD5 checksum: 60178 f9742d8dbcd105ebe444c90debbc53c0

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_sparc.deb

Size/MD5 checksum: 63058 90f636b132db3d505661cf1a21440e7b

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_sparc.deb

Size/MD5 checksum: 69528 8c2e7bfb821352516818b338ede170bd

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_sparc.deb

Size/MD5 checksum: 58524 c8c1a41cffbe1a0cf898c0540488f066

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_sparc.deb

Size/MD5 checksum: 63084 8bb0811dd25d02eec370038f565b9318

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_sparc.deb

Size/MD5 checksum: 283548 b3c07e7896284eee5e945bf3356f0144


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG1eMGwM/Gs81MDZ0RAjlPAJ0a73GNSjqnAZLXHShXv/YR9QBX4gCfbOAf
9ZhJTEXyXEVx/YuhUtrY/BU=
=0v2S
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
