DSA-1645-1: New lighttpd packages fix various problems
Posted on: 10/06/2008 08:40 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1645-1 security@debian.org
http://www.debian.org/security/ Steve Kemp
October 06, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : lighttpd
Vulnerability : various
Problem type : remote
Debian-specific: No
CVE Id(s) : CVE-2008-4298 CVE-2008-4359 CVE-2008-4360

Several local/remote vulnerabilities have been discovered in lighttpd,
a fast webserver with minimal memory footprint.

The Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2008-4298
A memory leak in the http_request_parse function could be used by
remote attackers to cause lighttpd to consume memory, and cause a
denial of service attack.

CVE-2008-4359
Inconsistent handling of URL patterns could lead to the disclosure
of resources a server administrator did not anticipate when using
rewritten URLs.

CVE-2008-4360
Upon file systems which don't handle case-insensitive paths differently
it might be possible that unanticipated resources could be made available
by mod_userdir.

For the stable distribution (etch), these problems have been fixed in version
1.4.13-4etch11.

For the unstable distribution (sid), these problems will be fixed shortly.

We recommend that you upgrade your lighttpd package.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11.dsc
Size/MD5 checksum: 1108 d747ed7b2063ad6696064bf821c50a00
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11.diff.gz
Size/MD5 checksum: 38244 c6de19903fcf9972a3db86af50c3dfb6

Architecture independent packages:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch11_all.deb
Size/MD5 checksum: 100436 4b00f0a8ec894c84f01e0924121ddc16

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_amd64.deb
Size/MD5 checksum: 298530 b1ebecc6e7bf459f367d7cd697cfc826
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_amd64.deb
Size/MD5 checksum: 70718 17ccecf27a1fd3889cafbcf99b438959
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_amd64.deb
Size/MD5 checksum: 64420 7eeeab5dac95d1318f7c0ccafdc88db3
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_amd64.deb
Size/MD5 checksum: 59536 8c6c8f79f475e1168e7c6034fab19e7e
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_amd64.deb
Size/MD5 checksum: 61266 51b5201427b3ef3b14f1fd8346a2be69
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_amd64.deb
Size/MD5 checksum: 64070 d2558ad437f37b51370649f61bd594fa

arm architecture (ARM)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_arm.deb
Size/MD5 checksum: 70076 9e71864930a9b029faa7d06cb83ad368
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_arm.deb
Size/MD5 checksum: 61170 bf9adc9694e8079789f74c1ef7f159d7
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_arm.deb
Size/MD5 checksum: 63226 613c8ac801f2897c61e9ff0e2da39e64
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_arm.deb
Size/MD5 checksum: 59046 939e326f979ffd4ec524a37398a9a668
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_arm.deb
Size/MD5 checksum: 287252 373373dbe20c5073e93e8ecb2a7c293e
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_arm.deb
Size/MD5 checksum: 63434 b653d9e0dfefb364724ea7495cd98c39

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_hppa.deb
Size/MD5 checksum: 324728 73b5dd3a1eeeeffd0f0b0190ff0cdf95
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_hppa.deb
Size/MD5 checksum: 65224 046f3680fb5ded22085042cf0643311e
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_hppa.deb
Size/MD5 checksum: 65712 918e553fb47bc57c8047ec1858399bcc
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_hppa.deb
Size/MD5 checksum: 60226 8fc494d0eba0ec181acd276967f3bf6a
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_hppa.deb
Size/MD5 checksum: 72628 b7b7512883bec97a11b68da12f0b0447
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_hppa.deb
Size/MD5 checksum: 62188 bcab41cca185b771d91bac5b2b9d0d47

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_i386.deb
Size/MD5 checksum: 61070 f6ea45c9b9ed3bd7f0d981e19d71fdf1
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_i386.deb
Size/MD5 checksum: 63808 3bb9c5035f9a1e06ba9cb7af51e99a65
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_i386.deb
Size/MD5 checksum: 71108 6ae8d10751c07ae66bff8bed2e17f715
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_i386.deb
Size/MD5 checksum: 289948 72af5544b50eb7b28f0824d49cc46bd9
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_i386.deb
Size/MD5 checksum: 64002 5ac520a0beb4b0049813d172da8e3c8c
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_i386.deb
Size/MD5 checksum: 59390 f66da44a91b9dc4c733dfcfc493647f1

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_ia64.deb
Size/MD5 checksum: 67894 5097db8cd6a61d6d6129b6e9b5c436e1
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_ia64.deb
Size/MD5 checksum: 67744 20093c425950cc552b02dc1849003c12
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_ia64.deb
Size/MD5 checksum: 403884 59b49d630c89b528fe46ea909dfc945c
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_ia64.deb
Size/MD5 checksum: 61546 85f2515fd4b1d9789c4a29607cdf3f68
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_ia64.deb
Size/MD5 checksum: 77444 7a4bf21dc0c64f18fde8ba5e437a19f7
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_ia64.deb
Size/MD5 checksum: 63420 1b0da59a7d8d819f0fcedea756337824

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_mips.deb
Size/MD5 checksum: 63074 1b8f8b706976a7050ce692a44c3235c2
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_mips.deb
Size/MD5 checksum: 69648 5431ee8bb1b51afb606698a483375e07
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_mips.deb
Size/MD5 checksum: 296954 7f0e552d9f0e8a8db5f85667b3b2442a
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_mips.deb
Size/MD5 checksum: 58994 9774b5ec6521ac3585faa319ce987965
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_mips.deb
Size/MD5 checksum: 62948 91c0a914100ce9247f145828dace542c
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_mips.deb
Size/MD5 checksum: 60368 ac07e4609a5447335749290dd65b67d7

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_powerpc.deb
Size/MD5 checksum: 72168 331b11ad7120113ad3868ee6caea7379
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_powerpc.deb
Size/MD5 checksum: 62838 f0cd5f92e92ce7cf29c1492906ad2369
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_powerpc.deb
Size/MD5 checksum: 65786 fdeb6f0bba353cf7bfe5e32628984e41
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_powerpc.deb
Size/MD5 checksum: 65510 68d7c6a4deb32000d34767ef58b64618
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_powerpc.deb
Size/MD5 checksum: 324380 6cb824c5f80fe7f5268321528bfeb0a0
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_powerpc.deb
Size/MD5 checksum: 61026 ea46e63147d354f3e3c3bbf924de34b8

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_s390.deb
Size/MD5 checksum: 64998 332bc6cc8b74acc9785083f8c04486eb
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_s390.deb
Size/MD5 checksum: 71752 eb3be87d9bf983f15b01369d4cfe7ece
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_s390.deb
Size/MD5 checksum: 59956 8e7b812b20a7c81a324dcc001c385722
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_s390.deb
Size/MD5 checksum: 307788 11159eae7ab16e5e1e7a7be479beba42
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_s390.deb
Size/MD5 checksum: 61444 3d8689c48093b15ce1aa41a8e64c0415
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_s390.deb
Size/MD5 checksum: 64606 6df415487e8b951fc8394328640760dd

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch11_sparc.deb
Size/MD5 checksum: 59346 673f046f66e2580edd7b78492ff90b82
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch11_sparc.deb
Size/MD5 checksum: 61050 7d2fdcc70e4ddd86d2f3a7a66ed6c1f5
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch11_sparc.deb
Size/MD5 checksum: 64032 8a1e6bc3aa8bfb27588706d606966898
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch11_sparc.deb
Size/MD5 checksum: 63992 a11081ea69387ca39029aa5fcc6dfe34
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch11_sparc.deb
Size/MD5 checksum: 70442 936290009a438ea0827cc281ae320496
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch11_sparc.deb
Size/MD5 checksum: 283902 464cd3874bbbd4727d179f8bdf4710fa


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFI6kriwM/Gs81MDZ0RArK/AJ42foKLAIkL/x9wizFoK/w1aTkV3QCeIcNs
0qPQ1pW14meXC4sRZPTGae8=
=cyqs
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1645_1_new_lighttpd_packages_fix_various_problems.html)