openSUSE Security Update: lighttpd to 1.4.35
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:0496-1
Rating: important
References: #867350
Cross-References: CVE-2014-2323 CVE-2014-2324
Affected Products:
openSUSE 11.4
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

lighttpd was updated to version 1.4.35, fixing bugs and
security issues:

CVE-2014-2323: SQL injection vulnerability in
mod_mysql_vhost.c in lighttpd allowed remote attackers to
execute arbitrary SQL commands via the host name, related
to request_check_hostname.

CVE-2014-2323: Multiple directory traversal vulnerabilities
in (1) mod_evhost and (2) mod_simple_vhost in lighttpd
allowed remote attackers to read arbitrary files via a ..
(dot dot) in the host name, related to
request_check_hostname.

More information can be found on the lighttpd advisory
page:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2
014_01.txt

Other changes:
* [network/ssl] fix build error if TLSEXT is disabled
* [mod_fastcgi] fix use after free (only triggered if
fastcgi debug is active)
* [mod_rrdtool] fix invalid read (string not null
terminated)
* [mod_dirlisting] fix memory leak if pcre fails
* [mod_fastcgi,mod_scgi] fix resource leaks on spawning
backends
* [mod_magnet] fix memory leak
* add comments for switch fall throughs
* remove logical dead code
* [buffer] fix length check in buffer_is_equal_right_len
* fix resource leaks in error cases on config parsing and
other initializations
* add force_assert() to enforce assertions as simple
assert()s are disabled by -DNDEBUG (fixes #2546)
* [mod_cml_lua] fix null pointer dereference
* force assertion: setting FD_CLOEXEC must work (if
available)
* [network] check return value of lseek()
* fix unchecked return values from
stream_open/stat_cache_get_entry
* [mod_webdav] fix logic error in handling file creation
error
* check length of unix domain socket filenames
* fix SQL injection / host name validation (thx Jann
Horn)for all the changes see
/usr/share/doc/packages/lighttpd/NEWS

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE 11.4:

zypper in -t patch 2014-44

To bring your system up-to-date, use “zypper patch”.

Package List:

– openSUSE 11.4 (i586 x86_64):

lighttpd-1.4.35-41.1
lighttpd-debuginfo-1.4.35-41.1
lighttpd-debugsource-1.4.35-41.1
lighttpd-mod_cml-1.4.35-41.1
lighttpd-mod_cml-debuginfo-1.4.35-41.1
lighttpd-mod_geoip-1.4.35-41.1
lighttpd-mod_geoip-debuginfo-1.4.35-41.1
lighttpd-mod_magnet-1.4.35-41.1
lighttpd-mod_magnet-debuginfo-1.4.35-41.1
lighttpd-mod_mysql_vhost-1.4.35-41.1
lighttpd-mod_mysql_vhost-debuginfo-1.4.35-41.1
lighttpd-mod_rrdtool-1.4.35-41.1
lighttpd-mod_rrdtool-debuginfo-1.4.35-41.1
lighttpd-mod_trigger_b4_dl-1.4.35-41.1
lighttpd-mod_trigger_b4_dl-debuginfo-1.4.35-41.1
lighttpd-mod_webdav-1.4.35-41.1
lighttpd-mod_webdav-debuginfo-1.4.35-41.1

References:

http://support.novell.com/security/cve/CVE-2014-2323.html
http://support.novell.com/security/cve/CVE-2014-2324.html
https://bugzilla.novell.com/867350

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org