[pkg-lighttpd] Bug#469307: lighttpd: CVE-2008-1111 reveals cgi source if the cgi handler fork fails
Nico Golde
nion at debian.org
Tue Mar 4 15:25:34 UTC 2008
Package: lighttpd
Version: 1.4.13-4etch4
Severity: important
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for lighttpd.
CVE-2008-1111[0]:
mod_cgi in lighttpd is going to send the source of a cgi
script if forking the cgi handler fails for some reason. It
should result in a 500 instead.
The default installation of Debian is not affected as it
does not include the mod_cgi configuration but this should
be fixed anyway.
You can find a patch for this on:
http://trac.lighttpd.net/trac/changeset/2107
Note the CVE id is not yet available on the mitre site but
it will be soon hopefully.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1111
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
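
The failure mode described in the report, as an added example that is not part of the original mail and is not lighttpd's code: a fork error that lets the request fall through to a later handler, beside the fail-closed form that answers 500. The handler-chain model and every name in it (`cgi_fail_open`, `cgi_fail_closed`, `source_exposed`, the sample path) are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names throughout; this models a handler chain, not lighttpd's code. */
enum handler_rc { HANDLER_GO_ON, HANDLER_FINISHED };
struct request { const char *path; int http_status; /* 0 = undecided */ };
typedef pid_t (*fork_fn)(void); /* injectable so a fork failure can be simulated */

/* Constructed stand-in for fork() failing at a process limit. */
static pid_t failing_fork(void) { errno = EAGAIN; return -1; }

/* Shared spawn step: returns 0 on success, -1 if the fork failed. */
static int spawn_cgi(fork_fn do_fork) {
    pid_t pid = do_fork();
    if (pid == -1) return -1;
    if (pid == 0) _exit(0);        /* child: exec of the script elided */
    while (waitpid(pid, NULL, 0) == -1 && errno == EINTR) { }
    return 0;
}

/* Fail-open: the error is dropped and the request continues down the chain. */
enum handler_rc cgi_fail_open(struct request *r, fork_fn do_fork) {
    if (spawn_cgi(do_fork) == -1) return HANDLER_GO_ON;
    r->http_status = 200;
    return HANDLER_FINISHED;
}

/* Fail-closed: the error becomes a 500 and the request ends here. */
enum handler_rc cgi_fail_closed(struct request *r, fork_fn do_fork) {
    if (spawn_cgi(do_fork) == -1) { r->http_status = 500; return HANDLER_FINISHED; }
    r->http_status = 200;
    return HANDLER_FINISHED;
}

/* True when a later static-file handler would still get the script path. */
int source_exposed(enum handler_rc rc, const struct request *r) {
    return rc == HANDLER_GO_ON && r->http_status == 0;
}

int main(void) {
    struct request a = { "/cgi-bin/app.cgi", 0 }, b = a;   /* constructed path */
    enum handler_rc ra = cgi_fail_open(&a, failing_fork);
    enum handler_rc rb = cgi_fail_closed(&b, failing_fork);
    printf("fail-open:   status=%d exposed=%d\n", a.http_status, source_exposed(ra, &a));
    printf("fail-closed: status=%d exposed=%d\n", b.http_status, source_exposed(rb, &b));
    return 0;
}
```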