Advisories » MGASA-2014-0133

Updated lighttpd package fixes security vulnerabilities

Publication date: 19 Mar 2014
Modification date: 19 Mar 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-2323 , CVE-2014-2324

Description

SQL injection vulnerability in lighttpd before 1.4.35 when
mod_mysql_vhost is in use, due to insufficient validation of hostnames in
HTTP requests (CVE-2014-2323).

Possible path traversal vulnerabilities in lighttpd before 1.4.35 when
either mod_evhost or mod_simple_vhost are in use, due to insufficient
validation of hostnames in HTTP requests (CVE-2014-2324).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=13003
• http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
• http://openwall.com/lists/oss-security/2014/03/12/12
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2323
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2324

SRPMS

3/core

• lighttpd-1.4.32-3.7.mga3

4/core

• lighttpd-1.4.33-4.1.mga4