lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080316154509.GA21394@steve.org.uk>
Date: Sun, 16 Mar 2008 15:45:09 +0000
From: Steve Kemp <skx@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1521-1] New lighttpd packages fix arbitrary file disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1521-1                  security@...ian.org
http://www.debian.org/security/                               Steve Kemp
March 16, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : lighttpd
Vulnerability  : file disclosure
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-1270

Julien Cayzac discovered that under certain circumstances lighttpd,
a fast webserver with minimal memory footprint, might allow the reading
of arbitrary files from the system.  This problem could only occur
with a non-standard configuration.

For the stable distribution (etch), this problem has been fixed in 
version 1.4.13-4etch6.

We recommend that you upgrade your lighttpd package.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch6.dsc
    Size/MD5 checksum:     1098 3e5a62a7162734998177e8707d2dba02
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch6.diff.gz
    Size/MD5 checksum:    37066 853e653e4b56e0065b7d072bfdb038b9

Architecture independent packages:

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch6_all.deb
    Size/MD5 checksum:    99510 38af003d4b49531a371c58eec8c92797

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch6_alpha.deb
    Size/MD5 checksum:    61252 f9a572ac4ece6cda80883e9ece59cf99
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch6_alpha.deb
    Size/MD5 checksum:    64492 6d0802043b33391abf217b605ade53c6
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch6_alpha.deb
    Size/MD5 checksum:   318848 64225fd5e10a77386763b28a3fa6b310
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch6_alpha.deb
    Size/MD5 checksum:    71726 8797d97bd147f2f502741d790d42781e
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch6_alpha.deb
    Size/MD5 checksum:    59494 5537c07a1bf16c607d42cbb24af35b0e
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch6_alpha.deb
    Size/MD5 checksum:    64924 e179a9988bc2b04a0188301040f7eb02

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch6_amd64.deb
    Size/MD5 checksum:    60662 281bac93cddf6ed6fcd907dac5eb0720
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch6_amd64.deb
    Size/MD5 checksum:    69818 74394f7d4528636f962133efa4a738da
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch6_amd64.deb
    Size/MD5 checksum:    63506 b336b9d3d1836d2d06c5feaaefb8366e
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch6_amd64.deb
    Size/MD5 checksum:    63806 6613f85008260c83222a2b5a8d183d50
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch6_amd64.deb
    Size/MD5 checksum:   297130 9a00e9837f11cb5647491e28bf8da877
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch6_amd64.deb
    Size/MD5 checksum:    59060 1b1864819d7892f9dc1834ece83ba39f

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch6_arm.deb
    Size/MD5 checksum:    62786 e91afeac0b95ae32d9c346bf8b56ff2b
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch6_arm.deb
    Size/MD5 checksum:    69506 928bd56baa76d302d2637c3edafa966a
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch6_arm.deb
    Size/MD5 checksum:    58604 e060ddc287c0f62485c3b450f781a9c5
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch6_arm.deb
    Size/MD5 checksum:   286248 6915b4c299334a0aa608e69016579947
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch6_arm.deb
    Size/MD5 checksum:    60736 c1dba99fad76965ea148addcedbe8d1e
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch6_arm.deb
    Size/MD5 checksum:    62996 441fe045d312d83cd9c0abfea000fd04

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch6_hppa.deb
    Size/MD5 checksum:    65382 9891f2e251cba3716cc7318244f12191
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch6_hppa.deb
    Size/MD5 checksum:    64926 32155b4baafa529b01f8fa93d35c1016
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch6_hppa.deb
    Size/MD5 checksum:   324246 b391c9f49db494a231b2c6bbe6b0a17c
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch6_hppa.deb
    Size/MD5 checksum:    61704 a445b749e09728bbcc7aa2810262c316
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch6_hppa.deb
    Size/MD5 checksum:    72912 f1b011512b9ffe681684aedc1100fd96
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch6_hppa.deb
    Size/MD5 checksum:    59856 e4d9e12d39cedc57301dec75d3f0f9bc

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch6_i386.deb
    Size/MD5 checksum:    70858 38d84f5a4dc0b5e98d8c4d8753720721
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch6_i386.deb
    Size/MD5 checksum:    59004 e89b0b96998623b78e0e756ecb5c64e5
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch6_i386.deb
    Size/MD5 checksum:    63614 3f91b5416bade664bac825c5f55b1760
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch6_i386.deb
    Size/MD5 checksum:    63810 f5c6a0fe13e228a2c97f7c0f9134139f
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch6_i386.deb
    Size/MD5 checksum:   288986 020ae1cd38f72be751c3d2339322e37d
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch6_i386.deb
    Size/MD5 checksum:    60764 6a866a4be8bb00bc89a19fd923892ac3

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch6_ia64.deb
    Size/MD5 checksum:    67428 8057dbf996587a0dab7dfb830149596a
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch6_ia64.deb
    Size/MD5 checksum:    67270 47e8df0e90b8a94399140f8e094cf193
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch6_ia64.deb
    Size/MD5 checksum:    76970 3ec5566bf7884996d3b2c1cff05934d3
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch6_ia64.deb
    Size/MD5 checksum:    62972 9eba69d6fbceecf7ab25847fe6123d45
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch6_ia64.deb
    Size/MD5 checksum:   403368 49e9eeff7722157ec9240b693bdd7a8b
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch6_ia64.deb
    Size/MD5 checksum:    61096 a431a7e8cc1ed5e7c03a986062a71cb6

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch6_mips.deb
    Size/MD5 checksum:    59854 8a771e4cf424fc2db2ea32cc2e51e97b
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch6_mips.deb
    Size/MD5 checksum:   296016 08c0da736b8529d6a76cfc3cd482b2e9
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch6_mips.deb
    Size/MD5 checksum:    62442 8f42b63450914e64e2eee69b4bdbfe90
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch6_mips.deb
    Size/MD5 checksum:    69146 2bc52d53fb5fe04fb1252c31b280a418
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch6_mips.deb
    Size/MD5 checksum:    62562 bd6ea27d76c2c61e3c744b4f9bdb00ce
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch6_mips.deb
    Size/MD5 checksum:    58480 939cbd552f397780de40b834908b7130

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch6_mipsel.deb
    Size/MD5 checksum:    69928 9ac409e25d6e7b9e4b1cb4ad13ed9632
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch6_mipsel.deb
    Size/MD5 checksum:    60680 343e11ab45cab336396806f7f221945d
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch6_mipsel.deb
    Size/MD5 checksum:    63286 886e4bc3478309c1656f7d6bd977f2ed
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch6_mipsel.deb
    Size/MD5 checksum:    59192 e4cc8d162b281518d52a739eb318f041
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch6_mipsel.deb
    Size/MD5 checksum:   297128 89cdce8b7cd2690e28b95c3d783c9154
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch6_mipsel.deb
    Size/MD5 checksum:    63450 36f870435ee48223a8ced7e6613a169d

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch6_powerpc.deb
    Size/MD5 checksum:    60566 d4b1ad36213cbdf6065f239aa472b498
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch6_powerpc.deb
    Size/MD5 checksum:    65034 845332f6d09f3f0692a6d18963dcfcc4
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch6_powerpc.deb
    Size/MD5 checksum:    62380 6466c3be37fe7fe26f7e83b3c2ead222
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch6_powerpc.deb
    Size/MD5 checksum:    65306 aaaefd16bdf02e178aee3343c18cc17d
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch6_powerpc.deb
    Size/MD5 checksum:    71682 a4bb5ec71a26f40b0a5cef12bb850a40
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch6_powerpc.deb
    Size/MD5 checksum:   323712 eb5edc0b82555ec99996121925c4d0ab

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch6_s390.deb
    Size/MD5 checksum:    60994 4f546530cae504799f369f806d00eb51
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch6_s390.deb
    Size/MD5 checksum:   307112 25b76d9b1971949e8091e2c4c0430c58
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch6_s390.deb
    Size/MD5 checksum:    64160 30ad6c09af94176abd6fb010ee66bb25
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch6_s390.deb
    Size/MD5 checksum:    64548 c03eed9df63c727831ff4993703b98c0
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch6_s390.deb
    Size/MD5 checksum:    71274 b8a2712beb266769a25219bcaccceeac
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch6_s390.deb
    Size/MD5 checksum:    59486 706725ae2ff5257a52467e7db30c0a14

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch6_sparc.deb
    Size/MD5 checksum:    69798 d85012884750a5d423d2761f62dd2ec9
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch6_sparc.deb
    Size/MD5 checksum:    60434 cad01450236fec8a2a57504aea63426c
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch6_sparc.deb
    Size/MD5 checksum:    63344 ebf4c95b0d1cfc06e3d37afad107afd4
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch6_sparc.deb
    Size/MD5 checksum:    58776 76a058d44cef9963903648eefef0fa7a
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch6_sparc.deb
    Size/MD5 checksum:    63322 5d433e4a4b0801256be2170bf0ba3931
  http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch6_sparc.deb
    Size/MD5 checksum:   284060 2c0aafcaa9c5490e8ae9f8e73d7b7a22


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH3UBKwM/Gs81MDZ0RAsM8AJ97j14YEKDhPSBO+U/jy5w7PuC6lwCfZVll
7AP9XfJ0dzNfHW7TA1k3PRk=
=BgLb
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ