lighttpd-1.4.37-1.6 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10402 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z lighttpd-1.4.37-1.6 on GA media These are all security issues fixed in the lighttpd-1.4.37-1.6 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10402 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10402 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2010-0295/ SUSE CVE CVE-2010-0295 page https://www.suse.com/security/cve/CVE-2011-4362/ SUSE CVE CVE-2011-4362 page https://www.suse.com/security/cve/CVE-2012-5533/ SUSE CVE CVE-2012-5533 page https://www.suse.com/security/cve/CVE-2013-4508/ SUSE CVE CVE-2013-4508 page https://www.suse.com/security/cve/CVE-2013-4559/ SUSE CVE CVE-2013-4559 page https://www.suse.com/security/cve/CVE-2013-4560/ SUSE CVE CVE-2013-4560 page https://www.suse.com/security/cve/CVE-2014-2323/ SUSE CVE CVE-2014-2323 page https://www.suse.com/security/cve/CVE-2014-2324/ SUSE CVE CVE-2014-2324 page openSUSE Tumbleweed lighttpd-1.4.37-1.6 lighttpd-mod_cml-1.4.37-1.6 lighttpd-mod_geoip-1.4.37-1.6 lighttpd-mod_magnet-1.4.37-1.6 lighttpd-mod_mysql_vhost-1.4.37-1.6 lighttpd-mod_rrdtool-1.4.37-1.6 lighttpd-mod_trigger_b4_dl-1.4.37-1.6 lighttpd-mod_webdav-1.4.37-1.6 lighttpd-1.4.37-1.6 as a component of openSUSE Tumbleweed lighttpd-mod_cml-1.4.37-1.6 as a component of openSUSE Tumbleweed lighttpd-mod_geoip-1.4.37-1.6 as a component of openSUSE Tumbleweed lighttpd-mod_magnet-1.4.37-1.6 as a component of openSUSE Tumbleweed lighttpd-mod_mysql_vhost-1.4.37-1.6 as a component of openSUSE Tumbleweed lighttpd-mod_rrdtool-1.4.37-1.6 as a component of openSUSE Tumbleweed lighttpd-mod_trigger_b4_dl-1.4.37-1.6 as a component of openSUSE Tumbleweed lighttpd-mod_webdav-1.4.37-1.6 as a component of openSUSE Tumbleweed lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate. CVE-2010-0295 openSUSE Tumbleweed:lighttpd-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_geoip-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.37-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-0295.html CVE-2010-0295 https://bugzilla.suse.com/573948 SUSE Bug 573948 Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index. CVE-2011-4362 openSUSE Tumbleweed:lighttpd-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_geoip-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.37-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-4362.html CVE-2011-4362 https://bugzilla.suse.com/733607 SUSE Bug 733607 https://bugzilla.suse.com/801071 SUSE Bug 801071 The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header. CVE-2012-5533 openSUSE Tumbleweed:lighttpd-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_geoip-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.37-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-5533.html CVE-2012-5533 https://bugzilla.suse.com/790258 SUSE Bug 790258 lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network. CVE-2013-4508 openSUSE Tumbleweed:lighttpd-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_geoip-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.37-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4508.html CVE-2013-4508 https://bugzilla.suse.com/849059 SUSE Bug 849059 lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached. CVE-2013-4559 openSUSE Tumbleweed:lighttpd-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_geoip-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.37-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4559.html CVE-2013-4559 https://bugzilla.suse.com/850468 SUSE Bug 850468 Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures. CVE-2013-4560 openSUSE Tumbleweed:lighttpd-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_geoip-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.37-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4560.html CVE-2013-4560 https://bugzilla.suse.com/850469 SUSE Bug 850469 SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname. CVE-2014-2323 openSUSE Tumbleweed:lighttpd-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_geoip-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.37-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-2323.html CVE-2014-2323 https://bugzilla.suse.com/867350 SUSE Bug 867350 Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname. CVE-2014-2324 openSUSE Tumbleweed:lighttpd-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_geoip-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.37-1.6 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.37-1.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-2324.html CVE-2014-2324 https://bugzilla.suse.com/867350 SUSE Bug 867350