Debians sikkerhedsbulletin

DSA-1609-1 lighttpd -- forskellige

Rapporteret den:

15. jul 2008

Berørte pakker:

lighttpd

Sårbar:

Referencer i sikkerhedsdatabaser:

I Debians fejlsporingssystem: Fejl 434888, Fejl 466663.
I Mitres CVE-ordbog: CVE-2008-0983, CVE-2007-3948.

Yderligere oplysninger:

Flere lokale og fjernudnytbare sårbarheder er opdaget i lighttpd, en hurtig webserver med minimalt hukommelsesforbrug.

Projektet Common Vulnerabilities and Exposures har fundet frem til følgende problemer:

CVE-2008-0983
lighttpd 1.4.18, og muligvis andre version før 1.5.0, beregnede ikke på korrekt vis størrelsen på et fildescriptorarray, hvilket gjorde det muligt for fjernangribere at forårsage lammelsesangreb (denial of service, crash) gennem et stort antal forbindelser, hvilket udløste tilgang uden for grænserne.
CVE-2007-3948
connections.c i lighttpd før 1.4.16 kunne måske acceptere flere forbindelser, end det opsatte maksimum, hvilket gjorde det muligt for fjernangribere at forårsage et lammelsesangreb (mislykket assertion) gennem et stort antal forbindelser.

I den stabile distribution (etch), er disse problemer rettet i version 1.4.13-4etch9.

I den ustabile distribution (sid), er disse problemer rettet i version 1.4.18-2.

Vi anbefaler at du opgraderer din lighttpd-pakke.

Rettet i:

Debian GNU/Linux 4.0 (etch)

Kildekode:: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch9.dsc; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch9.diff.gz
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch9_all.deb
Alpha:: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch9_alpha.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch9_alpha.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch9_alpha.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch9_alpha.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch9_alpha.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch9_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch9_amd64.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch9_amd64.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch9_amd64.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch9_amd64.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch9_amd64.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch9_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch9_arm.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch9_arm.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch9_arm.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch9_arm.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch9_arm.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch9_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch9_hppa.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch9_hppa.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch9_hppa.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch9_hppa.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch9_hppa.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch9_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch9_i386.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch9_i386.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch9_i386.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch9_i386.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch9_i386.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch9_i386.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch9_mips.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch9_mips.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch9_mips.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch9_mips.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch9_mips.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch9_mips.deb
PowerPC:: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch9_powerpc.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch9_powerpc.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch9_powerpc.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch9_powerpc.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch9_powerpc.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch9_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch9_s390.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch9_s390.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch9_s390.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch9_s390.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch9_s390.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch9_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch9_sparc.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch9_sparc.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch9_sparc.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch9_sparc.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch9_sparc.deb; http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch9_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.