Re: [SECURITY] [DSA-1645-1] New lighttpd packages fix various problems

To: debian-security@lists.debian.org
Cc: Steve Kemp <skx@debian.org>
Subject: Re: [SECURITY] [DSA-1645-1] New lighttpd packages fix various problems
From: Gerfried Fuchs <rhonda@deb.at>
Date: Mon, 6 Oct 2008 20:40:36 +0200
Message-id: <[🔎] 20081006184036.GA8978@anguilla.debian.or.at>
In-reply-to: <20081006172951.GA1507@steve.org.uk>
References: <20081006172951.GA1507@steve.org.uk>

* Steve Kemp <skx@debian.org> [2008-10-06 19:29:51 CEST]:
> CVE-2008-4298
>     A memory leak in the http_request_parse function could be used by
>     remote attackers to cause lighttpd to consume memory, and cause a
>     denial of service attack.
> 
> CVE-2008-4359
>     Inconsistent handling of URL patterns could lead to the disclosure
>     of resources a server administrator did not anticipate when using
>     rewritten URLs.
>     
> CVE-2008-4360
>     Upon file systems which don't handle case-insensitive paths differently
>     it might be possible that unanticipated resources could be made available
>     by mod_userdir.
> 
> For the stable distribution (etch), these problems have been fixed in version
> 1.4.13-4etch11.
> 
> For the unstable distribution (sid), these problems will be fixed shortly.

 From reading the changelog these issues have all three been addressed
in the 1.4.19-5 upload which was done a week ago already. Was this
missed, or are the patches therein considered incomplete?

 Thanks,
Rhonda

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA-1645-1] New lighttpd packages fix various problems
  - From: Steve Kemp <skx@debian.org>

Prev by Date: Re: Keeping the webserver safe
Next by Date: Re: antivirus for webserver
Previous by thread: Re: antivirus for webserver
Next by thread: Re: [SECURITY] [DSA-1645-1] New lighttpd packages fix various problems
Index(es):
- Date
- Thread