Bug#913528: lighttpd: CVE-2018-19052

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#913528: lighttpd: CVE-2018-19052
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 11 Nov 2018 22:17:26 +0100
Message-id: <[🔎] 154197104695.25391.10531806008799440446.reportbug@eldamar.local>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 913528@bugs.debian.org

Source: lighttpd
Version: 1.4.49-1.1
Severity: important
Tags: security upstream
Control: found -1 1.4.45-1

Hi,

The following vulnerability was published for lighttpd.

CVE-2018-19052[0]:
| An issue was discovered in mod_alias_physical_handler in mod_alias.c in
| lighttpd before 1.4.50. There is potential ../ path traversal of a
| single directory above an alias target, with a specific mod_alias
| configuration where the matched alias lacks a trailing '/' character,
| but the alias target filesystem path does have a trailing '/'
| character.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19052
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19052
[1] https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1

Regards,
Salvatore

Reply to:

Follow-Ups:
- Processed: lighttpd: CVE-2018-19052
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: lighttpd: CVE-2018-19052
Next by Date: Processed: Re: Bug#666390: anacron: change default ANACRON_RUN_ON_BATTERY_POWER to yes
Previous by thread: Bug#912563: meson FTBFS with llvm/clang 7
Next by thread: Processed: lighttpd: CVE-2018-19052
Index(es):
- Date
- Thread