Date: Sat, 6 Dec 2008 23:41:18 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/129472: [vuxml] www/lighttpd: document CVE-2008-{4298, 4359, 4360}
Message-ID: <20081206204118.3C7B7B8019@phoenix.codelabs.ru>
Resent-Message-ID: <200812062050.mB6Ko5NF085994@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 129472
>Category: ports
>Synopsis: [vuxml] www/lighttpd: document CVE-2008-{4298,4359,4360}
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Dec 06 20:50:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
Multiple issues were fixed in lighttpd 1.4.20:
http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt
Port was updated in October 2008 (ports/127861), but VuXML entry
was not created.
>How-To-Repeat:
Look at the above URLs.
>Fix:
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="594d0c5c-c3d4-11dd-b08d-001fc66e7203">
<topic>lighttpd -- multiple vulnerabilities</topic>
<affects>
<package>
<name>lighttpd</name>
<range><lt>1.4.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">;
<p>Multiple issues were fixed in lighttpd 1.4.20:</p>
<blockquote
cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4298">;
<p>Memory leak in the http_request_parse function in request.c
in lighttpd before 1.4.20 allows remote attackers to cause a
denial of service (memory consumption) via a large number of
requests with duplicate request headers.</p>
</blockquote>
<blockquote
cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4359">;
<p>lighttpd before 1.4.20 compares URIs to patterns in the (1)
url.redirect and (2) url.rewrite configuration settings before
performing URL decoding, which might allow remote attackers to
bypass intended access restrictions, and obtain sensitive
information or possibly modify data.</p>
</blockquote>
<blockquote
cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4360">;
<p>mod_userdir in lighttpd before 1.4.20, when a
case-insensitive operating system or filesystem is used,
performs case-sensitive comparisons on filename components in
configuration options, which might allow remote attackers to
bypass intended access restrictions, as demonstrated by a
request for a .PHP file when there is a configuration rule for
.php files.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-4298</cvename>
<cvename>CVE-2008-4359</cvename>
<cvename>CVE-2008-4360</cvename>
<url>http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt</url>;
<url>http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt</url>;
<url>http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt</url>;
</references>
<dates>
<discovery>02-12-2008</discovery>
<entry>TODAY</entry>
</dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081206204118.3C7B7B8019>