Updated lighttpd packages fix CVE-2015-3200 & other bugs
Publication date: 08 Sep 2015
Modification date: 08 Sep 2015
Type: security
Affected Mageia releases: 4, 5
CVE: CVE-2015-3200
Description
Updated lighttpd packages fix a security vulnerability:

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character (CVE-2015-3200).

The lighttpd package has been updated to version 1.4.37, fixing this issue and several other bugs.

In the Mageia 4 package, improvements have been made to the logrotate configuration and systemd service, allowing graceful reloading of configuration files and proper re-opening of log files (mga#15948, mga#15980).
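The defensive pattern for this class of bug, as an added example that is not lighttpd's code or its actual fix: a decoded Basic credential is handled by length and escaped before it reaches an error log, so a NUL or newline byte cannot end or start a log entry. The function names, message text and sample bytes are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not lighttpd code: copy len bytes to out, writing each
 * non-printable byte, backslash and quote as \xNN. Returns length or -1. */
static int log_escape(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (c >= 0x20 && c < 0x7f && c != '\\' && c != '"') {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outsz) return -1;
            out[o++] = '\\'; out[o++] = 'x';
            out[o++] = hex[c >> 4]; out[o++] = hex[c & 0x0f];
        }
    }
    if (o >= outsz) return -1;
    out[o] = '\0';
    return (int)o;
}

/* Hypothetical check on a base64-decoded Basic credential of len bytes.
 * Returns 0 for user:password, else -1 with a one-line message in logline. */
static int check_basic_credential(const unsigned char *cred, size_t len,
                                  char *logline, size_t logsz)
{
    char esc[256];
    logline[0] = '\0';
    /* memchr honours len; strchr would stop at an embedded NUL byte. */
    if (memchr(cred, ':', len) != NULL) return 0;
    if (log_escape(cred, len, esc, sizeof esc) < 0)
        strcpy(esc, "(too long to log)");
    snprintf(logline, logsz, "basic auth: missing ':' in \"%s\"", esc);
    return -1;
}

int main(void)
{
    /* Constructed sample: no colon, one NUL byte, one newline. */
    static const unsigned char sample[] = "user\0\nforged entry";
    char line[512];
    int rc = check_basic_credential(sample, sizeof sample - 1, line, sizeof line);
    printf("rc=%d %s\n", rc, line);
    return 0;
}
```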
References
- https://bugs.mageia.org/show_bug.cgi?id=16555
- http://www.lighttpd.net/2015/7/26/1.4.36/
- http://www.lighttpd.net/2015/8/30/1.4.37/
- https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163223.html
- https://bugs.mageia.org/show_bug.cgi?id=15948
- https://bugs.mageia.org/show_bug.cgi?id=15980
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3200
SRPMS
4/core
- lighttpd-1.4.37-1.mga4
5/core
- lighttpd-1.4.37-1.mga5