[Frugalware-security] [ FSA-278 ] lighttpd

vmiklos noreply at frugalware.org
Sun Sep 23 13:57:18 CEST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory                           FSA-278

Date: 2007-09-23
Package: lighttpd
Vulnerable versions: <= 1.4.16-1terminus1
Unaffected versions: >= 1.4.16-1terminus2
Related bugreport: http://bugs.frugalware.org/task/2410
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4727

Description
===========

Mattias Bengtsson and Philip Olausson have reported a vulnerability in lighttpd, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by an error in the mod_fastcgi extension when handling headers in an HTTP request. This can be exploited to e.g. add or replace PHP headers (e.g. SCRIPT_FILENAME) via an HTTP request containing an overly long header.

Updated Packages
================

Check if you have lighttpd installed:

	# pacman-g2 -Q lighttpd

If found, then you should upgrade to the latest version:

	# pacman-g2 -Sy lighttpd

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iD8DBQFG9lSeZ7NElSD1VhkRAsoaAJ9yoNzEuiDpqcCteKsL0H9Qk1xvZgCfT4cb
6zKEwUvm1Y/W2g0MnNJtOEs=
=CBGg
-----END PGP SIGNATURE-----
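
Added example (not part of the original advisory or of Frugalware's tooling): a shell check that classifies an installed lighttpd version against the fixed version named above. The function names, the use of GNU `sort -V` as the version ordering, and the "name version" output format and non-zero exit status of `pacman-g2 -Q` for a missing package are assumptions.

```shell
#!/bin/sh
# Added example: classify a lighttpd package version against FSA-278.

FIXED="1.4.16-1terminus2"   # first unaffected version, taken from the advisory

# is_vulnerable VERSION
#   returns 0 if VERSION sorts before FIXED (affected),
#           1 if VERSION is FIXED or newer,
#           2 if no version was given.
# Ordering relies on GNU `sort -V`, used here as an approximation of the
# package manager's own version comparison (assumption).
is_vulnerable() {
    [ -n "$1" ] || return 2
    [ "$1" = "$FIXED" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$FIXED" | sort -V | head -n 1)
    [ "$oldest" = "$1" ]
}

# check_installed
#   Queries the local package database and reports the status.
#   returns 0 when patched or not installed, 1 when vulnerable,
#           2 when pacman-g2 is not available on this host.
# Assumes `pacman-g2 -Q lighttpd` prints "lighttpd <version>" and exits
# non-zero when the package is absent.
check_installed() {
    command -v pacman-g2 >/dev/null 2>&1 || {
        echo "pacman-g2 not found; cannot check" >&2
        return 2
    }
    line=$(pacman-g2 -Q lighttpd 2>/dev/null) || {
        echo "lighttpd is not installed"
        return 0
    }
    ver=${line#* }              # drop the package name, keep the version
    if is_vulnerable "$ver"; then
        echo "VULNERABLE: lighttpd $ver is older than $FIXED"
        echo "upgrade with: pacman-g2 -Sy lighttpd"
        return 1
    fi
    echo "OK: lighttpd $ver is not affected by FSA-278"
}
```

Source the file and call `check_installed` on each host; a return status of 1 marks a machine that still needs the upgrade.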

