SUSE-SU-2014:0050-1: moderate: Security update for lighttpd
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Mon Jan 13 12:04:11 MST 2014
SUSE Security Update: Security update for lighttpd
______________________________________________________________________________
Announcement ID: SUSE-SU-2014:0050-1
Rating: moderate
References: #801071 #850468 #850469
Cross-References: CVE-2013-4560
Affected Products:
SUSE Linux Enterprise Software Development Kit 11 SP3
SUSE Linux Enterprise Software Development Kit 11 SP2
SUSE Linux Enterprise High Availability Extension 11 SP3
SUSE Linux Enterprise High Availability Extension 11 SP2
______________________________________________________________________________
An update that solves one vulnerability and has two fixes
is now available.
Description:
lighthttpd received fixes for the following security issues:
*
CVE-2013-4559: lighttpd did not check the return
value of the (1) setuid, (2) setgid, or (3) setgroups
functions, which might have caused lighttpd to run as root
if it is restarted and allowed remote attackers to gain
privileges, as demonstrated by multiple calls to the clone
function that cause setuid to fail when the user process
limit is reached.
*
CVE-2013-4560: Use-after-free vulnerability in
lighttpd allowed remote attackers to cause a denial of
service (segmentation fault and crash) via unspecified
vectors that trigger FAMMonitorDirectory failures.
*
CVE-2011-1473: Added support for disabling client
side initiated renegotation to avoid potential
computational denial of service (unbalanced computation
efforts server vs client).
Security Issue reference:
* CVE-2013-4559
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4559
>
* CVE-2013-4560
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4560
>
* CVE-2011-1473
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473
>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11 SP3:
zypper in -t patch sdksp3-lighttpd-8645
- SUSE Linux Enterprise Software Development Kit 11 SP2:
zypper in -t patch sdksp2-lighttpd-8644
- SUSE Linux Enterprise High Availability Extension 11 SP3:
zypper in -t patch slehasp3-lighttpd-8645
- SUSE Linux Enterprise High Availability Extension 11 SP2:
zypper in -t patch sleshasp2-lighttpd-8644
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
lighttpd-1.4.20-2.52.1
lighttpd-mod_cml-1.4.20-2.52.1
lighttpd-mod_magnet-1.4.20-2.52.1
lighttpd-mod_mysql_vhost-1.4.20-2.52.1
lighttpd-mod_rrdtool-1.4.20-2.52.1
lighttpd-mod_trigger_b4_dl-1.4.20-2.52.1
lighttpd-mod_webdav-1.4.20-2.52.1
- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
lighttpd-1.4.20-2.52.1
lighttpd-mod_cml-1.4.20-2.52.1
lighttpd-mod_magnet-1.4.20-2.52.1
lighttpd-mod_mysql_vhost-1.4.20-2.52.1
lighttpd-mod_rrdtool-1.4.20-2.52.1
lighttpd-mod_trigger_b4_dl-1.4.20-2.52.1
lighttpd-mod_webdav-1.4.20-2.52.1
- SUSE Linux Enterprise High Availability Extension 11 SP3 (i586 ia64 ppc64 s390x x86_64):
lighttpd-1.4.20-2.52.1
- SUSE Linux Enterprise High Availability Extension 11 SP2 (i586 ia64 ppc64 s390x x86_64):
lighttpd-1.4.20-2.52.1
References:
http://support.novell.com/security/cve/CVE-2013-4560.html
https://bugzilla.novell.com/801071
https://bugzilla.novell.com/850468
https://bugzilla.novell.com/850469
http://download.novell.com/patch/finder/?keywords=bfe99f3db932bd71cf3b8413b2374ba5
http://download.novell.com/patch/finder/?keywords=def7a5cbed6ad6036f50fdb5d6eb8ffd
More information about the sle-security-updates
mailing list