Debian DSA-1645-1 : lighttpd - various

high Nessus Plugin ID 34353

Synopsis

The remote Debian host is missing a security-related update.

Description

Several local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint.

The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2008-4298 A memory leak in the http_request_parse function could be used by remote attackers to cause lighttpd to consume memory, and cause a denial of service attack.

- CVE-2008-4359 Inconsistant handling of URL patterns could lead to the disclosure of resources a server administrator did not anticipate when using rewritten URLs.

- CVE-2008-4360 Upon filesystems which don't handle case-insensitive paths differently it might be possible that unanticipated resources could be made available by mod_userdir.

Solution

Upgrade the lighttpd package.

For the stable distribution (etch), these problems have been fixed in version 1.4.13-4etch11.

See Also

https://security-tracker.debian.org/tracker/CVE-2008-4298

https://security-tracker.debian.org/tracker/CVE-2008-4359

https://security-tracker.debian.org/tracker/CVE-2008-4360

https://www.debian.org/security/2008/dsa-1645

Plugin Details

Severity: High

ID: 34353

File Name: debian_DSA-1645.nasl

Version: 1.17

Type: local

Agent: unix

Published: 10/7/2008

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:lighttpd, cpe:/o:debian:debian_linux:4.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 10/6/2008

Reference Information

CVE: CVE-2008-4298, CVE-2008-4359, CVE-2008-4360

CWE: 200, 399

DSA: 1645