lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <46291885.9030904@foresightlinux.org>
Date: Fri, 20 Apr 2007 15:46:13 -0400
From: Foresight Linux Essential Announcement Service
	<foresight-security-noreply@...esightlinux.org>
To: foresight-security-announce@...ts.rpath.org
Cc: lwn@....net, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: FLEA-2007-0011-1: lighttpd

Foresight Linux Essential Advisory: 2007-0011-1
Published: 2007-04-20

Rating: Moderate

Updated Versions:
     lighttpd=/conary.rpath.com@rpl:devel//1/1.4.15-0.1-1
     group-dist=/foresight.rpath.org@fl:1-devel//1/1.2.1-0.1-3

References:
     https://issues.rpath.com/browse/RPL-1218
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1869
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1870

Description:
     Previous versions of the lighttpd package are vulnerable to two denial of 
service attacks.  One is a remote denial of service that can cause lighttpd to 
consume all available CPU time and stop serving requests, and the other is a 
denial of service attack which generally requires a local user to create a file 
with an mtime of 0; the lighttpd daemon will crash when attempting to serve that 
file. This crash does not enable any arbitrary or directed code execution; 
however, since the rAA service (Foresight System Manager) uses lighttpd by 
default, and rAA is configured to start by default, all Foresight systems are 
vulnerable to this DoS by default. Once lighttpd has been crashed or made to 
stop serving requests, subsequent updates using the Foresight System Manager 
(rAA) will not occur.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ