Nom du paquet
lighttpd
Date
2013-11-21
Advisory ID
MDVSA-2013:277
Affected versions
MBS1 x86_64

Problem description

Updated lighttpd packages fix security vulnerabilities:

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL
ciphers, which makes it easier for remote attackers to hijack sessions
by inserting packets into the client-server data stream or obtain
sensitive information by sniffing the network (CVE-2013-4508).

In lighttpd before 1.4.34, if setuid() fails for any reason, for
instance if an environment limits the number of processes a user can
have and the target uid already is at the limit, lighttpd will run
as root. A user who can run CGI scripts could clone() often; in this
case a lighttpd restart would end up with lighttpd running as root,
and the CGI scripts would run as root too (CVE-2013-4559).

In lighttpd before 1.4.34, if fam is enabled and there are
directories reachable from configured doc roots and aliases on
which FAMMonitorDirectory fails, a remote client could trigger a DoS
(CVE-2013-4560).

Updated packages

MBS1 x86_64

 a6eec76f20484109e1a026d28f5dfd7b  mbs1/x86_64/lighttpd-1.4.30-6.2.mbs1.x86_64.rpm
 42ed704d681c1b7ea18bd1479b02edc7  mbs1/x86_64/lighttpd-mod_auth-1.4.30-6.2.mbs1.x86_64.rpm
 e458f80fc0bc8865c130088f1699d411  mbs1/x86_64/lighttpd-mod_cml-1.4.30-6.2.mbs1.x86_64.rpm
 d0c268fe2f179d8f7f142bd144a667b3  mbs1/x86_64/lighttpd-mod_compress-1.4.30-6.2.mbs1.x86_64.rpm
 8ac5333eb17158786c2f464359c69d99  mbs1/x86_64/lighttpd-mod_magnet-1.4.30-6.2.mbs1.x86_64.rpm
 9f21ed1714c5591f7edbbb01c0a81d8c  mbs1/x86_64/lighttpd-mod_mysql_vhost-1.4.30-6.2.mbs1.x86_64.rpm
 439b814ef94a37be3c7abe70f784306f  mbs1/x86_64/lighttpd-mod_trigger_b4_dl-1.4.30-6.2.mbs1.x86_64.rpm
 86270bb497c3af7bd4e305d969f5e512  mbs1/x86_64/lighttpd-mod_webdav-1.4.30-6.2.mbs1.x86_64.rpm 
 8f25c07b15081e7ce136682b24fafcf7  mbs1/SRPMS/lighttpd-1.4.30-6.2.mbs1.src.rpm

References