OVAL

DSA-2368-1 lighttpd -- multiple

ID: oval:org.secpod.oval:def:600694
Date: (C) 2012-01-30   (M) 2022-12-07
Class: PATCH
Family: unix

Several vulnerabilities have been discovered in lighttpd, a small and fast webserver with a minimal memory footprint.

CVE-2011-4362: Xi Wang discovered that the base64 decoding routine used to decode user input during HTTP authentication suffers from a signedness issue when processing that input. As a result, it is possible to force lighttpd to perform an out-of-bounds read, which results in Denial of Service conditions.

CVE-2011-3389: When using CBC ciphers on an SSL-enabled virtual host to communicate with certain clients, a so-called "BEAST" attack allows man-in-the-middle attackers to obtain plaintext HTTP traffic via a blockwise chosen-boundary attack on an HTTPS session. Technically this is not a lighttpd vulnerability. However, lighttpd offers a workaround to mitigate this problem by providing a way to disable CBC ciphers. This update includes this option by default. System administrators are advised to read the NEWS file of this update.
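The signedness issue behind CVE-2011-4362 is a common C bug class: a base64 decoder looks up each input byte in a reverse table, and if the byte is held in a plain `char` (signed on x86 Linux), any byte at or above 0x80 becomes a negative subscript and the lookup reads before the start of the table. The following is an added illustration written for this page, not lighttpd's or Debian's code: `naive_table_index` only computes the subscript such a decoder would use (it never dereferences it), `safe_table_index` shows the fix of converting through `unsigned char`, and `base64_decode_safe` is a hardened decoder that rejects any byte outside the alphabet instead of indexing with it. The table layout, function names and the sample credential token are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Reverse lookup table: 0..63 for the 64 alphabet characters, -1 otherwise.
 * Sized to 256 so that every *unsigned* byte value is a valid subscript. */
static int reverse_table[256];
static int table_ready = 0;

static void build_table(void)
{
    const char *alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    for (int i = 0; i < 256; i++) reverse_table[i] = -1;
    for (int i = 0; i < 64; i++) reverse_table[(unsigned char)alphabet[i]] = i;
    table_ready = 1;
}

/* Subscript a decoder computes when it uses the raw character directly.
 * 'signed char' models plain 'char' on platforms where char is signed:
 * a byte >= 0x80 yields a negative value, so reverse_table[value] would
 * read memory before the array. This function deliberately does not
 * perform that read; it only reports the subscript. */
int naive_table_index(const char *in, size_t pos)
{
    signed char c = (signed char)in[pos];
    return (int)c;
}

/* Hardened subscript: convert through unsigned char so the result is 0..255
 * and always lands inside the 256-entry table. */
int safe_table_index(const char *in, size_t pos)
{
    return (int)(unsigned char)in[pos];
}

/* Decode 'len' bytes of base64 from 'in' into 'out' (at least len*3/4 + 1
 * bytes). Returns the number of decoded bytes, or -1 on malformed input,
 * including high-bit bytes that a signed lookup would mishandle. */
long base64_decode_safe(const char *in, size_t len, unsigned char *out)
{
    if (!table_ready) build_table();
    unsigned int acc = 0;   /* bit accumulator */
    int bits = 0;           /* number of valid bits in acc */
    long n = 0;
    size_t i;

    for (i = 0; i < len; i++) {
        if (in[i] == '=') break;              /* start of padding */
        int v = reverse_table[safe_table_index(in, i)];
        if (v < 0) return -1;                 /* not in the alphabet */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;          /* keep only leftover bits */
        }
    }
    /* anything after the first '=' must also be padding */
    for (; i < len; i++)
        if (in[i] != '=') return -1;

    out[n] = '\0';
    return n;
}
```

The defensive property is that the decoder's only array subscript comes from `safe_table_index`, so the worst a hostile `Authorization` header can do is make the function return -1; the sample token decodes to the familiar `Aladdin:open sesame` Basic-auth example, and a constructed input containing byte 0xC3 is rejected rather than used as a negative index.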

Platform:
Debian 5.0
Debian 6.0
Product:
lighttpd
Reference:
DSA-2368-1
CVE-2011-4362
CVE-2011-3389
CVE (2):
CVE-2011-4362
CVE-2011-3389
CPE (28):
cpe:/o:debian:debian_linux:6.x
cpe:/a:lighttpd:lighttpd:1.3.16
cpe:/a:lighttpd:lighttpd
cpe:/a:lighttpd:lighttpd:1.4.25
...

© SecPod Technologies