Date: 30 August 2007
References: ESB-2007.0758
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0655 -- [UNIX/Linux][Debian]
New lighttpd packages fix several vulnerabilities
30 August 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: lighttpd
Publisher: Debian
Operating System: Debian GNU/Linux 4.0
UNIX variants (UNIX, Linux, OSX)
Impact: Denial of Service
Inappropriate Access
Access: Remote/Unauthenticated
CVE Names: CVE-2007-3950 CVE-2007-3949 CVE-2007-3947
CVE-2007-3946
Original Bulletin: http://www.debian.org/security/2007/dsa-1362
Comment: This advisory references vulnerabilities in products which run on
platforms other than debian. It is recommended that administrators
running lighttpd check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1362 security@debian.org
http://www.debian.org/security/ Steve Kemp
August 29th, 2007 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : lighttpd
Vulnerability : various
Problem type : local/remote
Debian-specific: no
CVE Id(s) : CVE-2007-3946
Debian Bug : 434888
Several vulnerabilities were discovered in lighttpd, a fast webserver with
minimal memory footprint. The Common Vulnerabilities and Exposures project
identifies the following problems:
CVE-2007-3946
The use of mod_auth could leave to a denial of service attack crashing
the webserver
CVE-2007-3947
The improper handling of repeated HTTP headers could cause a denial
of serve attack crashing the webserver.
CVE-2007-3949
A bug in mod_access potentially allows remote users to bypass
access restrictions via trailing slash characters.
CVE-2007-3950
On 32-bit platforms users may be able to create denial of service
attacks, crashing the webserver, via mod_webdav, mod_fastcgi, or
mod_scgi.
For the stable distribution (etch), these problems have been fixed in version
1.4.13-4etch3.
For the unstable distribution (sid), these problems have been fixed in
version 1.4.16-1.
We recommend that you upgrade your lighttpd package.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Source archives:
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz
Size/MD5 checksum: 793309 3a64323b8482b0e8a6246dbfdb4c39dc
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3.dsc
Size/MD5 checksum: 1098 e759ee83cf22697f62b11df286973b7a
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3.diff.gz
Size/MD5 checksum: 33811 259574ed674f31dd8c44dc46809656bb
Architecture independent packages:
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch3_all.deb
Size/MD5 checksum: 99376 c4ea0d3adca48f1c749b4c3e49293bba
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_alpha.deb
Size/MD5 checksum: 71460 8b25398ab656e85d82ef611d7110191c
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_alpha.deb
Size/MD5 checksum: 64650 d023bc4775d81b0f0be9d56043d2d893
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_alpha.deb
Size/MD5 checksum: 318496 54eb4b6bdfcf41c72f5d3b2f8f91778d
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_alpha.deb
Size/MD5 checksum: 59244 6098a74659117029c062132179e88a96
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_alpha.deb
Size/MD5 checksum: 60996 2c30d7179beeea97d1e868d34cc314c5
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_alpha.deb
Size/MD5 checksum: 64226 36bdb8c2ecbe874aaec676cd7c3992c9
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_amd64.deb
Size/MD5 checksum: 60664 8b1e4185d6961a8dd6823c90b698d1a0
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_amd64.deb
Size/MD5 checksum: 63542 420d82c389da7a774118495eca87ae76
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_amd64.deb
Size/MD5 checksum: 58986 17e377ca088aaa2f5fcb84902eaa75da
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_amd64.deb
Size/MD5 checksum: 63870 02499705ef7a069be4df2fff55fbfd97
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_amd64.deb
Size/MD5 checksum: 297416 9931993931036ec2252d39cade28bc09
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_amd64.deb
Size/MD5 checksum: 70150 3665d99b3aa0153ad51168a392e3dbfd
arm architecture (ARM)
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_arm.deb
Size/MD5 checksum: 62766 dfa6a35455776fd429420bdac95f3d6a
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_arm.deb
Size/MD5 checksum: 62624 87ad57adafd7dac22bace1b3f78c3a8d
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_arm.deb
Size/MD5 checksum: 58522 e919dd7724d7ed3cbf69c06a07cda5c6
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_arm.deb
Size/MD5 checksum: 60450 d97c010d5a7a732d7b72b0999b1d2981
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_arm.deb
Size/MD5 checksum: 69582 6a73b105d5640f06676ed67f4f377702
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_arm.deb
Size/MD5 checksum: 288496 7d4e2ad91b8b4d5e7508112a2702e7a2
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_hppa.deb
Size/MD5 checksum: 72640 20e2a23db84c6087d2ceadf132237307
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_hppa.deb
Size/MD5 checksum: 59588 b2cf574224dc849bfe7c1ad9e4934c55
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_hppa.deb
Size/MD5 checksum: 65116 cb79c0db6b1d90fe0b5414707a982870
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_hppa.deb
Size/MD5 checksum: 323700 58b6d9a3e9f959109cebe9bd2568d084
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_hppa.deb
Size/MD5 checksum: 61438 5670fd8056e890cfcee290d9905c1c6a
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_hppa.deb
Size/MD5 checksum: 64662 e64d288444457ad1b39d6a6bf0744987
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_i386.deb
Size/MD5 checksum: 60440 e3423b0c025ba70a649f93afb67c1cff
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_i386.deb
Size/MD5 checksum: 286996 802f3844967326a42ab410578f1a2828
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_i386.deb
Size/MD5 checksum: 58648 af9b965e45f78ad92c8c77ca05e28e61
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_i386.deb
Size/MD5 checksum: 70006 2195971aa95082d9a67a0ade17bb16b0
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_i386.deb
Size/MD5 checksum: 63114 f5796a135101dcc9c7f17ff4a2acfa54
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_i386.deb
Size/MD5 checksum: 63354 c5f753b53e66c8d07130625835378379
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_ia64.deb
Size/MD5 checksum: 60830 28f35d9770d96cbc7c3b08790ae363fc
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_ia64.deb
Size/MD5 checksum: 66988 fc243d57a0019a596e4005e11f74c8d0
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_ia64.deb
Size/MD5 checksum: 67148 60a0c56991502c957200179f6b1a5b80
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_ia64.deb
Size/MD5 checksum: 403080 414aa7e0a26ef46678d49e6a818f2c5f
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_ia64.deb
Size/MD5 checksum: 62702 1c554d315d8f1a2fd06ceffb8bdf4a09
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_ia64.deb
Size/MD5 checksum: 76696 1e0d1beac8bb36bf5c82da00271748d3
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_mips.deb
Size/MD5 checksum: 58958 3535829d49a0a3cf1675b430a7f86e61
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_mips.deb
Size/MD5 checksum: 63148 0811ae02e2b242dd8b6daa11f49ab357
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_mips.deb
Size/MD5 checksum: 63000 5f82b35e39c23618d616432c4fdf3d55
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_mips.deb
Size/MD5 checksum: 69676 4e46069f91751eaf40526eed244049af
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_mips.deb
Size/MD5 checksum: 60398 de38e5c12a8f2d5aab03d6dcb6c68fd4
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_mips.deb
Size/MD5 checksum: 296092 5cebdb3b6f4f300503dceec97ff5fdb1
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_mipsel.deb
Size/MD5 checksum: 69648 ffa762a3a4041eee374b9735b00102f7
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_mipsel.deb
Size/MD5 checksum: 60404 231b375e6591fbff5237fcfc560da580
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_mipsel.deb
Size/MD5 checksum: 63012 335f6be5702df10dd0832a7a513142e8
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_mipsel.deb
Size/MD5 checksum: 58930 09525411ab17b991b1b5da3ce0ef2271
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_mipsel.deb
Size/MD5 checksum: 296470 9e5d70e2dd6f5ad4fecdf25cc9e2be75
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_mipsel.deb
Size/MD5 checksum: 63188 5d8c22a4a7f7f5f2e992f738fff56fc7
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_powerpc.deb
Size/MD5 checksum: 60302 aa2ae5c7d472398201af510b2b98e8b7
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_powerpc.deb
Size/MD5 checksum: 62116 802c522b2b36c25beb043f1aab7f378c
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_powerpc.deb
Size/MD5 checksum: 71404 bdbd879e21dd5dfad5123f15b98c85f7
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_powerpc.deb
Size/MD5 checksum: 64766 b53358fbebbfc721580ab21f4f568d53
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_powerpc.deb
Size/MD5 checksum: 323284 04c290e9fcb6480cc6c6ae0c1d73db3d
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_powerpc.deb
Size/MD5 checksum: 65046 d528c07e0631710b11549a91257ddbd4
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_s390.deb
Size/MD5 checksum: 71002 17d6443af1d09e6d92d8e834110c8973
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_s390.deb
Size/MD5 checksum: 64282 b398dfadbb6fb510ad625e7dadfa61e3
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_s390.deb
Size/MD5 checksum: 59232 2917d6a60f6284120b1c48de4f2b9b9d
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_s390.deb
Size/MD5 checksum: 306470 fe239b45d2201aeda34ad0395c881b74
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_s390.deb
Size/MD5 checksum: 60734 0be7bc114adaa57a0d533979cbb94455
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_s390.deb
Size/MD5 checksum: 63892 fdba3d63a19576948649939500d6df3c
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch3_sparc.deb
Size/MD5 checksum: 60178 f9742d8dbcd105ebe444c90debbc53c0
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch3_sparc.deb
Size/MD5 checksum: 63058 90f636b132db3d505661cf1a21440e7b
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch3_sparc.deb
Size/MD5 checksum: 69528 8c2e7bfb821352516818b338ede170bd
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch3_sparc.deb
Size/MD5 checksum: 58524 c8c1a41cffbe1a0cf898c0540488f066
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch3_sparc.deb
Size/MD5 checksum: 63084 8bb0811dd25d02eec370038f565b9318
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch3_sparc.deb
Size/MD5 checksum: 283548 b3c07e7896284eee5e945bf3356f0144
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG1eMGwM/Gs81MDZ0RAjlPAJ0a73GNSjqnAZLXHShXv/YR9QBX4gCfbOAf
9ZhJTEXyXEVx/YuhUtrY/BU=
=0v2S
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRtYaxyh9+71yA2DNAQLKaAQAgLQj0WoFtzqGo6OlJbtrln/CNySSZGgG
Tjjb67E28GBwS+C4i4NvtqMVHP39aYVLOoVJY6ZclvXUVLorgdCoH6YK8fr50ggG
TJhrGJ8fJhTS8vJWiFqFX2SsU2lvfjd1x5Pjk3KRySwLqm7xlK2T6JoUrULcfJk/
MmYHy08ZPsI=
=oxc1
-----END PGP SIGNATURE-----
|