lighttpd-1.4.59-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10585-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z lighttpd-1.4.59-2.1 on GA media These are all security issues fixed in the lighttpd-1.4.59-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10585 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2007-1869/ SUSE CVE CVE-2007-1869 page https://www.suse.com/security/cve/CVE-2007-1870/ SUSE CVE CVE-2007-1870 page https://www.suse.com/security/cve/CVE-2008-0983/ SUSE CVE CVE-2008-0983 page https://www.suse.com/security/cve/CVE-2008-1111/ SUSE CVE CVE-2008-1111 page https://www.suse.com/security/cve/CVE-2008-1270/ SUSE CVE CVE-2008-1270 page https://www.suse.com/security/cve/CVE-2008-1531/ SUSE CVE CVE-2008-1531 page https://www.suse.com/security/cve/CVE-2008-4359/ SUSE CVE CVE-2008-4359 page https://www.suse.com/security/cve/CVE-2018-19052/ SUSE CVE CVE-2018-19052 page openSUSE Tumbleweed lighttpd-1.4.59-2.1 lighttpd-mod_authn_gssapi-1.4.59-2.1 lighttpd-mod_authn_ldap-1.4.59-2.1 lighttpd-mod_authn_mysql-1.4.59-2.1 lighttpd-mod_authn_pam-1.4.59-2.1 lighttpd-mod_authn_sasl-1.4.59-2.1 lighttpd-mod_cml-1.4.59-2.1 lighttpd-mod_magnet-1.4.59-2.1 lighttpd-mod_maxminddb-1.4.59-2.1 lighttpd-mod_mysql_vhost-1.4.59-2.1 lighttpd-mod_rrdtool-1.4.59-2.1 lighttpd-mod_trigger_b4_dl-1.4.59-2.1 lighttpd-mod_vhostdb_dbi-1.4.59-2.1 lighttpd-mod_vhostdb_ldap-1.4.59-2.1 lighttpd-mod_vhostdb_mysql-1.4.59-2.1 lighttpd-mod_vhostdb_pgsql-1.4.59-2.1 lighttpd-mod_webdav-1.4.59-2.1 lighttpd-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_authn_gssapi-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_authn_ldap-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_authn_mysql-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_authn_pam-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_authn_sasl-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_cml-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_magnet-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_maxminddb-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_mysql_vhost-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_rrdtool-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_trigger_b4_dl-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_vhostdb_dbi-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_vhostdb_ldap-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_vhostdb_mysql-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_vhostdb_pgsql-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd-mod_webdav-1.4.59-2.1 as a component of openSUSE Tumbleweed lighttpd 1.4.12 and 1.4.13 allows remote attackers to cause a denial of service (cpu and resource consumption) by disconnecting while lighttpd is parsing CRLF sequences, which triggers an infinite loop and file descriptor consumption. CVE-2007-1869 openSUSE Tumbleweed:lighttpd-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_gssapi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_pam-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_sasl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_maxminddb-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_dbi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_pgsql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.59-2.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-1869.html CVE-2007-1869 https://bugzilla.suse.com/246945 SUSE Bug 246945 https://bugzilla.suse.com/284831 SUSE Bug 284831 lighttpd before 1.4.14 allows attackers to cause a denial of service (crash) via a request to a file whose mtime is 0, which results in a NULL pointer dereference. CVE-2007-1870 openSUSE Tumbleweed:lighttpd-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_gssapi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_pam-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_sasl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_maxminddb-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_dbi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_pgsql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.59-2.1 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-1870.html CVE-2007-1870 https://bugzilla.suse.com/246945 SUSE Bug 246945 https://bugzilla.suse.com/284831 SUSE Bug 284831 lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access. CVE-2008-0983 openSUSE Tumbleweed:lighttpd-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_gssapi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_pam-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_sasl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_maxminddb-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_dbi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_pgsql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.59-2.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-0983.html CVE-2008-0983 https://bugzilla.suse.com/364517 SUSE Bug 364517 mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information. CVE-2008-1111 openSUSE Tumbleweed:lighttpd-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_gssapi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_pam-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_sasl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_maxminddb-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_dbi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_pgsql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.59-2.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-1111.html CVE-2008-1111 https://bugzilla.suse.com/366526 SUSE Bug 366526 mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory. CVE-2008-1270 openSUSE Tumbleweed:lighttpd-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_gssapi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_pam-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_sasl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_maxminddb-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_dbi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_pgsql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.59-2.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-1270.html CVE-2008-1270 https://bugzilla.suse.com/368962 SUSE Bug 368962 The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost. CVE-2008-1531 openSUSE Tumbleweed:lighttpd-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_gssapi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_pam-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_sasl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_maxminddb-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_dbi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_pgsql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.59-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-1531.html CVE-2008-1531 https://bugzilla.suse.com/374761 SUSE Bug 374761 lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data. CVE-2008-4359 openSUSE Tumbleweed:lighttpd-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_gssapi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_pam-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_sasl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_maxminddb-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_dbi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_pgsql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.59-2.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-4359.html CVE-2008-4359 https://bugzilla.suse.com/429764 SUSE Bug 429764 An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character. CVE-2018-19052 openSUSE Tumbleweed:lighttpd-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_gssapi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_pam-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_authn_sasl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_cml-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_magnet-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_maxminddb-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_mysql_vhost-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_rrdtool-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_trigger_b4_dl-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_dbi-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_ldap-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_mysql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_vhostdb_pgsql-1.4.59-2.1 openSUSE Tumbleweed:lighttpd-mod_webdav-1.4.59-2.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19052.html CVE-2018-19052 https://bugzilla.suse.com/1115016 SUSE Bug 1115016