Security update for lighttpd
SUSE Security Update: Security update for lighttpd
lighthttpd received fixes for the following security issues:
*
CVE-2013-4559: lighttpd did not check the return
value of the (1) setuid, (2) setgid, or (3) setgroups
functions, which might have caused lighttpd to run as root
if it is restarted and allowed remote attackers to gain
privileges, as demonstrated by multiple calls to the clone
function that cause setuid to fail when the user process
limit is reached.
*
CVE-2013-4560: Use-after-free vulnerability in
lighttpd allowed remote attackers to cause a denial of
service (segmentation fault and crash) via unspecified
vectors that trigger FAMMonitorDirectory failures.
*
CVE-2011-1473: Added support for disabling client
side initiated renegotation to avoid potential
computational denial of service (unbalanced computation
efforts server vs client).
Security Issue reference:
* CVE-2013-4559
>
* CVE-2013-4560
>
* CVE-2011-1473
>
| Announcement ID: | SUSE-SU-2014:0050-1 |
| Rating: | moderate |
| References: | #801071 #850468 #850469 |
| Affected Products: |
An update that solves one vulnerability and has two fixes is now available.
Description:
lighthttpd received fixes for the following security issues:
*
CVE-2013-4559: lighttpd did not check the return
value of the (1) setuid, (2) setgid, or (3) setgroups
functions, which might have caused lighttpd to run as root
if it is restarted and allowed remote attackers to gain
privileges, as demonstrated by multiple calls to the clone
function that cause setuid to fail when the user process
limit is reached.
*
CVE-2013-4560: Use-after-free vulnerability in
lighttpd allowed remote attackers to cause a denial of
service (segmentation fault and crash) via unspecified
vectors that trigger FAMMonitorDirectory failures.
*
CVE-2011-1473: Added support for disabling client
side initiated renegotation to avoid potential
computational denial of service (unbalanced computation
efforts server vs client).
Security Issue reference:
* CVE-2013-4559
* CVE-2013-4560
* CVE-2011-1473
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11 SP3:
zypper in -t patch sdksp3-lighttpd-8645 - SUSE Linux Enterprise Software Development Kit 11 SP2:
zypper in -t patch sdksp2-lighttpd-8644 - SUSE Linux Enterprise High Availability Extension 11 SP3:
zypper in -t patch slehasp3-lighttpd-8645 - SUSE Linux Enterprise High Availability Extension 11 SP2:
zypper in -t patch sleshasp2-lighttpd-8644
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
- lighttpd-1.4.20-2.52.1
- lighttpd-mod_cml-1.4.20-2.52.1
- lighttpd-mod_magnet-1.4.20-2.52.1
- lighttpd-mod_mysql_vhost-1.4.20-2.52.1
- lighttpd-mod_rrdtool-1.4.20-2.52.1
- lighttpd-mod_trigger_b4_dl-1.4.20-2.52.1
- lighttpd-mod_webdav-1.4.20-2.52.1
- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
- lighttpd-1.4.20-2.52.1
- lighttpd-mod_cml-1.4.20-2.52.1
- lighttpd-mod_magnet-1.4.20-2.52.1
- lighttpd-mod_mysql_vhost-1.4.20-2.52.1
- lighttpd-mod_rrdtool-1.4.20-2.52.1
- lighttpd-mod_trigger_b4_dl-1.4.20-2.52.1
- lighttpd-mod_webdav-1.4.20-2.52.1
- SUSE Linux Enterprise High Availability Extension 11 SP3 (i586 ia64 ppc64 s390x x86_64):
- lighttpd-1.4.20-2.52.1
- SUSE Linux Enterprise High Availability Extension 11 SP2 (i586 ia64 ppc64 s390x x86_64):
- lighttpd-1.4.20-2.52.1
References:
- http://support.novell.com/security/cve/CVE-2013-4560.html
- https://bugzilla.novell.com/801071
- https://bugzilla.novell.com/850468
- https://bugzilla.novell.com/850469
- http://download.suse.com/patch/finder/?keywords=bfe99f3db932bd71cf3b8413b2374ba5
- http://download.suse.com/patch/finder/?keywords=def7a5cbed6ad6036f50fdb5d6eb8ffd