>>> Magnum BBS <<<
  • [SECURITY] [DSA-1645-1] New lighttpd packages fix various problems (1/2

    From Steve Kemp@1:229/2 to All on Mon Oct 6 19:40:09 2008
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1645-1                  [email protected]
    http://www.debian.org/security/                               Steve Kemp
    October 06, 2008                      http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : lighttpd
    Vulnerability : various
    Problem type : remote
    Debian-specific: No
    CVE Id(s) : CVE-2008-4298 CVE-2008-4359 CVE-2008-4360

    Several local/remote vulnerabilities have been discovered in lighttpd,
    a fast webserver with minimal memory footprint.

    The Common Vulnerabilities and Exposures project identifies the following problems:

    CVE-2008-4298
    A memory leak in the http_request_parse function could be used by
    remote attackers to cause lighttpd to consume memory, and cause a
    denial of service attack.

    CVE-2008-4359
    Inconsistent handling of URL patterns could lead to the disclosure
    of resources a server administrator did not anticipate when using
    rewritten URLs.

    CVE-2008-4360
    Upon file systems which don't handle case-insensitive paths differently
    it might be possible that unanticipated resources could be made available
    by mod_userdir.

    For the stable distribution (etch), these problems have been fixed in version 1.4.13-4etch11.

    For the unstable distribution (sid), these problems will be fixed shortly.

    We recommend that you upgrade your lighttpd package.


    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
    - -------------------------------

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)