Updated lighttpd packages fix security vulnerability
Publication date: 25 Nov 2016
Modification date: 25 Nov 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-1000212
Description
Dominic Scheirlinck and Scott Geary of Vend reported an insecure behaviour in the lighttpd web server. Lighttpd assigned Proxy header values from client requests to the internal HTTP_PROXY environment variable. This could be used to carry out man-in-the-middle (MITM) attacks or to create connections to arbitrary hosts (CVE-2016-1000212).
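An added illustration of the header-to-environment mapping described above (not lighttpd source code and not part of the original advisory). The function names, the sample headers and the example.invalid hosts are constructed, and outbound_proxy is a simplified model of a backend HTTP client that takes its proxy from the environment:

```python
# Added illustration; not lighttpd source code. Models the CGI convention
# (RFC 3875) of exposing each request header as an HTTP_* environment variable.

def cgi_environ(headers, base_env, drop_proxy_header):
    """Return the environment a CGI/FastCGI backend would be started with.

    headers: (name, value) pairs received from the client.
    base_env: variables set by the administrator for the backend.
    drop_proxy_header: when True, the client's Proxy header is not exported.
    """
    env = dict(base_env)
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        if drop_proxy_header and key == "HTTP_PROXY":
            continue  # a request header must never define HTTP_PROXY
        env[key] = value
    return env


def outbound_proxy(env):
    """Simplified model of a client library that reads its proxy from env."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


# Constructed sample data; all hosts are placeholders.
ADMIN_ENV = {"HTTP_PROXY": "http://corp-proxy.example.invalid:3128"}
SAMPLE_HEADERS = [
    ("Host", "shop.example.invalid"),
    ("User-Agent", "sample-client/1.0"),
    ("Proxy", "http://proxy.example.invalid:8080"),
]


def demo():
    """Proxy seen by the backend with the plain mapping and with the header dropped."""
    plain = cgi_environ(SAMPLE_HEADERS, ADMIN_ENV, drop_proxy_header=False)
    hardened = cgi_environ(SAMPLE_HEADERS, ADMIN_ENV, drop_proxy_header=True)
    return outbound_proxy(plain), outbound_proxy(hardened)


if __name__ == "__main__":
    plain, hardened = demo()
    print("plain mapping        -> backend proxy:", plain)
    print("Proxy header dropped -> backend proxy:", hardened)
```

With the plain mapping the client-supplied value replaces the administrator's setting; with the header dropped the administrator's value is kept and the other request headers are still exported.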
References
SRPMS
5/core
- lighttpd-1.4.37-1.1.mga5