Debian Security Advisory
DSA-2877-1 lighttpd -- security update
- Date Reported:
- 12 Mar 2014
- Affected Packages:
- lighttpd
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 741493.
In Mitre's CVE dictionary: CVE-2014-2323, CVE-2014-2324. - More information:
-
Several vulnerabilities were discovered in the lighttpd web server.
- CVE-2014-2323
Jann Horn discovered that specially crafted host names can be used to inject arbitrary MySQL queries in lighttpd servers using the MySQL virtual hosting module (mod_mysql_vhost).
This only affects installations with the lighttpd-mod-mysql-vhost binary package installed and in use.
- CVE-2014-2324
Jann Horn discovered that specially crafted host names can be used to traverse outside of the document root under certain situations in lighttpd servers using either the mod_mysql_vhost, mod_evhost, or mod_simple_vhost virtual hosting modules.
Servers not using these modules are not affected.
For the oldstable distribution (squeeze), these problems have been fixed in version 1.4.28-2+squeeze1.6.
For the stable distribution (wheezy), these problems have been fixed in version 1.4.31-4+deb7u3.
For the testing distribution (jessie), these problems will be fixed soon.
For the unstable distribution (sid), these problems have been fixed in version 1.4.33-1+nmu3.
We recommend that you upgrade your lighttpd packages.
- CVE-2014-2323