From bfa90ecc91fd0a80d6a4e65e4e67606d973b3bab Mon Sep 17 00:00:00 2001 From: Aldas Nabazas Date: Fri, 14 Mar 2008 10:59:15 +0100 Subject: [PATCH] [lighttpd] Updated (1.4.18 -> 1.4.19) : SECURITY - MEDIUM CVE-2008-0983 (Medium) : lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access. CVE-2008-1111 (Medium) : mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information. CVE-2008-1270 (Medium) : mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory. --- network/lighttpd/lighttpd.desc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/network/lighttpd/lighttpd.desc b/network/lighttpd/lighttpd.desc index 1aa127aab..ce42df2f4 100644 --- a/network/lighttpd/lighttpd.desc +++ b/network/lighttpd/lighttpd.desc @@ -2,7 +2,7 @@ [COPY] This copyright note is auto-generated by ./scripts/Create-CopyPatch. [COPY] [COPY] Filename: package/.../lighttpd/lighttpd.desc -[COPY] Copyright (C) 2006 - 2007 The OpenSDE Project +[COPY] Copyright (C) 2006 - 2008 The OpenSDE Project [COPY] Copyright (C) 2004 - 2006 The T2 SDE Project [COPY] [COPY] More information can be found in the files COPYING and README. @@ -32,8 +32,8 @@ [L] OpenSource [S] Stable -[V] 1.4.18 +[V] 1.4.19 [P] X -?---5---9 150.000 -[D] 2794091929 lighttpd-1.4.18.tar.gz http://lighttpd.net/download/ +[D] 2568131231 lighttpd-1.4.19.tar.gz http://lighttpd.net/download/
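
Review bot: In the second hunk, the new `[D]` line pins lighttpd-1.4.19.tar.gz with only a 10-digit decimal checksum (2568131231) and fetches it from a plain http:// URL, so for a security update nothing in this change protects against a tarball altered in transit or on the download host; a value that short cannot be a cryptographic digest. Before merging, verify the downloaded tarball against a hash or signature published by upstream, and say in the commit message how it was verified. The message also lists three CVEs while the diff only changes `[V]` and `[D]`; please state that 1.4.19 is confirmed to contain all three fixes, and for CVE-2008-1270 whether the package's default configuration sets userdir.path, since the message itself says the exposure arises when it is not set.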