[Frugalware-security] [ FSA-278 ] lighttpd
vmiklos
noreply at frugalware.org
Sun Sep 23 13:57:18 CEST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Frugalware Security Advisory FSA-278
Date: 2007-09-23
Package: lighttpd
Vulnerable versions: <= 1.4.16-1terminus1
Unaffected versions: >= 1.4.16-1terminus2
Related bugreport: http://bugs.frugalware.org/task/2410
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4727
Description
===========
Mattias Bengtsson and Philip Olausson have reported a vulnerability in lighttpd, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by an error in the mod_fastcgi extension when handling headers in an HTTP request. This can be exploited to e.g. add or replace PHP headers (e.g. SCRIPT_FILENAME) via an HTTP request containing an overly long header.
Updated Packages
================
Check if you have lighttpd installed:
# pacman-g2 -Q lighttpd
If found, then you should upgrade to the latest version:
# pacman-g2 -Sy lighttpd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info
iD8DBQFG9lSeZ7NElSD1VhkRAsoaAJ9yoNzEuiDpqcCteKsL0H9Qk1xvZgCfT4cb
6zKEwUvm1Y/W2g0MnNJtOEs=
=CBGg
-----END PGP SIGNATURE-----
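The check described under "Updated Packages", as an added example (not part of the original advisory or of Frugalware's tooling): a shell function that classifies an installed lighttpd version against the first unaffected version listed above. It assumes `pacman-g2 -Q` prints `name version` and uses GNU `sort -V` as a stand-in for the package manager's own version ordering; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a lighttpd package version against FSA-278.

# First unaffected version, taken from the advisory text.
FIXED="1.4.16-1terminus2"

# installed_version LINE
# Extracts the version from one line of `pacman-g2 -Q lighttpd` output.
# Assumed format: "lighttpd <version>". Prints nothing if it does not match.
installed_version() {
    printf '%s\n' "$1" | awk '$1 == "lighttpd" { print $2 }'
}

# fsa278_status VERSION
# Prints "fixed" if VERSION >= FIXED, "vulnerable" if it sorts below FIXED,
# and "unknown" for an empty version string.
# GNU `sort -V` approximates the package manager's comparison (assumption).
fsa278_status() {
    ver=$1
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    # The lower of the two versions comes out first.
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED" ]; then
        echo "fixed"        # installed version is FIXED or newer
    else
        echo "vulnerable"   # installed version sorts below FIXED
    fi
}

# Query the local package database only when pacman-g2 is present.
if command -v pacman-g2 >/dev/null 2>&1; then
    line=$(pacman-g2 -Q lighttpd 2>/dev/null || true)
    ver=$(installed_version "$line")
    if [ -z "$ver" ]; then
        echo "lighttpd: not installed"
    else
        echo "lighttpd $ver: $(fsa278_status "$ver")"
    fi
fi
```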