Advisories ยป MGASA-2013-0334

Updated lighttpd packages fix multiple security vulnerbilities

Publication date: 20 Nov 2013
Type: security
Affected Mageia releases : 2 , 3
CVE: CVE-2013-4508 , CVE-2013-4559 , CVE-2013-4560


Updated lighttpd packages fix security vulnerabilities:

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which
makes it easier for remote attackers to hijack sessions by inserting packets
into the client-server data stream or obtain sensitive information by sniffing
the network (CVE-2013-4508).

In lighttpd before 1.4.34, if setuid() fails for any reason, for instance if an
environment limits the number of processes a user can have and the target uid
already is at the limit, lighttpd will run as root. A user who can run CGI
scripts could clone() often; in this case a lighttpd restart would end up with
lighttpd running as root, and the CGI scripts would run as root too

In lighttpd before 1.4.34, if "fam" is enabled and there are directories
reachable from configured doc roots and aliases on which FAMMonitorDirectory
fails, a remote client could trigger a DoS (CVE-2013-4560).