CVE-2014-2323

Upstream information

CVE-2014-2323 at MITRE

Description

SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.

---

SUSE information

CVSS v2 Scores

	National Vulnerability Database
Base Score	7.48
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector	Network
Access Complexity	Low
Authentication	None
Confidentiality Impact	Partial
Integrity Impact	Partial
Availability Impact	Partial

SUSE Bugzilla entry: 867350 [CLOSED / FIXED]

SUSE Security Advisories:

• SUSE-SU-2014:0474-1, published Thu, 3 Apr 2014 19:04:18 +0200 (CEST)
• openSUSE-SU-2014:0449-1, published Wed, 26 Mar 2014 17:04:44 +0100 (CET)
• openSUSE-SU-2014:0496-1, published Tue, 8 Apr 2014 21:06:06 +0200 (CEST)

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Linux Enterprise High Availability Extension 11 SP3	lighttpd >= 1.4.20-2.54.1	Patchnames: slehasp3-lighttpd
SUSE Linux Enterprise Software Development Kit 11 SP3	lighttpd >= 1.4.20-2.54.1 lighttpd-mod_cml >= 1.4.20-2.54.1 lighttpd-mod_magnet >= 1.4.20-2.54.1 lighttpd-mod_mysql_vhost >= 1.4.20-2.54.1 lighttpd-mod_rrdtool >= 1.4.20-2.54.1 lighttpd-mod_trigger_b4_dl >= 1.4.20-2.54.1 lighttpd-mod_webdav >= 1.4.20-2.54.1	Patchnames: sdksp3-lighttpd
SUSE Linux Enterprise High Availability Extension 11 SP3	lighttpd >= 1.4.20-2.54.1	Builds SAT Patch Nr: 9031
SUSE Linux Enterprise Software Development Kit 11 SP3	lighttpd >= 1.4.20-2.54.1 lighttpd-mod_cml >= 1.4.20-2.54.1 lighttpd-mod_magnet >= 1.4.20-2.54.1 lighttpd-mod_mysql_vhost >= 1.4.20-2.54.1 lighttpd-mod_rrdtool >= 1.4.20-2.54.1 lighttpd-mod_trigger_b4_dl >= 1.4.20-2.54.1 lighttpd-mod_webdav >= 1.4.20-2.54.1	Builds SAT Patch Nr: 9031
openSUSE 12.3	lighttpd >= 1.4.35-6.9.1 lighttpd-debuginfo >= 1.4.35-6.9.1 lighttpd-debugsource >= 1.4.35-6.9.1 lighttpd-mod_cml >= 1.4.35-6.9.1 lighttpd-mod_cml-debuginfo >= 1.4.35-6.9.1 lighttpd-mod_geoip >= 1.4.35-6.9.1 lighttpd-mod_geoip-debuginfo >= 1.4.35-6.9.1 lighttpd-mod_magnet >= 1.4.35-6.9.1 lighttpd-mod_magnet-debuginfo >= 1.4.35-6.9.1 lighttpd-mod_mysql_vhost >= 1.4.35-6.9.1 lighttpd-mod_mysql_vhost-debuginfo >= 1.4.35-6.9.1 lighttpd-mod_rrdtool >= 1.4.35-6.9.1 lighttpd-mod_rrdtool-debuginfo >= 1.4.35-6.9.1 lighttpd-mod_trigger_b4_dl >= 1.4.35-6.9.1 lighttpd-mod_trigger_b4_dl-debuginfo >= 1.4.35-6.9.1 lighttpd-mod_webdav >= 1.4.35-6.9.1 lighttpd-mod_webdav-debuginfo >= 1.4.35-6.9.1	Patchnames: openSUSE-2014-257
openSUSE 13.1	lighttpd >= 1.4.35-2.9.1 lighttpd-debuginfo >= 1.4.35-2.9.1 lighttpd-debugsource >= 1.4.35-2.9.1 lighttpd-mod_cml >= 1.4.35-2.9.1 lighttpd-mod_cml-debuginfo >= 1.4.35-2.9.1 lighttpd-mod_geoip >= 1.4.35-2.9.1 lighttpd-mod_geoip-debuginfo >= 1.4.35-2.9.1 lighttpd-mod_magnet >= 1.4.35-2.9.1 lighttpd-mod_magnet-debuginfo >= 1.4.35-2.9.1 lighttpd-mod_mysql_vhost >= 1.4.35-2.9.1 lighttpd-mod_mysql_vhost-debuginfo >= 1.4.35-2.9.1 lighttpd-mod_rrdtool >= 1.4.35-2.9.1 lighttpd-mod_rrdtool-debuginfo >= 1.4.35-2.9.1 lighttpd-mod_trigger_b4_dl >= 1.4.35-2.9.1 lighttpd-mod_trigger_b4_dl-debuginfo >= 1.4.35-2.9.1 lighttpd-mod_webdav >= 1.4.35-2.9.1 lighttpd-mod_webdav-debuginfo >= 1.4.35-2.9.1	Patchnames: openSUSE-2014-257
openSUSE Evergreen 11.4	lighttpd >= 1.4.35-41.1 lighttpd-debuginfo >= 1.4.35-41.1 lighttpd-debugsource >= 1.4.35-41.1 lighttpd-mod_cml >= 1.4.35-41.1 lighttpd-mod_cml-debuginfo >= 1.4.35-41.1 lighttpd-mod_geoip >= 1.4.35-41.1 lighttpd-mod_geoip-debuginfo >= 1.4.35-41.1 lighttpd-mod_magnet >= 1.4.35-41.1 lighttpd-mod_magnet-debuginfo >= 1.4.35-41.1 lighttpd-mod_mysql_vhost >= 1.4.35-41.1 lighttpd-mod_mysql_vhost-debuginfo >= 1.4.35-41.1 lighttpd-mod_rrdtool >= 1.4.35-41.1 lighttpd-mod_rrdtool-debuginfo >= 1.4.35-41.1 lighttpd-mod_trigger_b4_dl >= 1.4.35-41.1 lighttpd-mod_trigger_b4_dl-debuginfo >= 1.4.35-41.1 lighttpd-mod_webdav >= 1.4.35-41.1 lighttpd-mod_webdav-debuginfo >= 1.4.35-41.1	Patchnames: 2014-44