This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
[SECURITY] Lighttpd: Buffer overflow
- From: "Yaakov (Cygwin Ports)" <yselkowitz at users dot sourceforge dot net>
- To: cygwin-apps at cygwin dot com
- Date: Sat, 29 Sep 2007 21:08:45 -0500
- Subject: [SECURITY] Lighttpd: Buffer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Lapo,
Here's another buffer overflow, this time affecting lighttpd's mod_fastcgi.
Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFG/wUspiWmPGlmQSMRCAToAJ9rSJvRmjMQY6Qe2CGETyhU2/JsCACfa1Gq
eD5QXRKCkA3RG9e0RIy6aRk=
=Kpet
-----END PGP SIGNATURE-----
--- Begin Message ---
- From: Pierre-Yves Rofes <py at gentoo dot org>
- To: gentoo-announce at lists dot gentoo dot org
- Cc: full-disclosure at lists dot grok dot org dot uk, bugtraq at securityfocus dot com, security-alerts at linuxsecurity dot com
- Date: Thu, 27 Sep 2007 23:01:46 +0200
- Subject: [ GLSA 200709-16 ] Lighttpd: Buffer overflow
- Archived-at: <http://permalink.gmane.org/gmane.linux.gentoo.announce/1346>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200709-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Lighttpd: Buffer overflow
Date: September 27, 2007
Bugs: #191912
ID: 200709-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Lighttpd is vulnerable to the remote execution of arbitrary code.
Background
==========
Lighttpd is a lightweight HTTP web server.
Affected packages
=================
    -------------------------------------------------------------------
     Package                  /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  www-servers/lighttpd        < 1.4.18       >= 1.4.18
Description
===========
Mattias Bengtsson and Philip Olausson have discovered a buffer overflow
vulnerability in the function fcgi_env_add() in the file mod_fastcgi.c
when processing overly long HTTP headers.
Impact
======
A remote attacker could send a specially crafted request to the
vulnerable Lighttpd server, resulting in the remote execution of
arbitrary code with privileges of the user running the web server. Note
that mod_fastcgi is disabled in Gentoo's default configuration.
Workaround
==========
Edit the file /etc/lighttpd/lighttpd.conf and comment the following
line: "include mod_fastcgi.conf"
Resolution
==========
All Lighttpd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.18"
References
==========
[ 1 ] CVE-2007-4727
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4727
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200709-16.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFG/Bo6uhJ+ozIKI5gRAjNlAJ93Hk2nbz+y+RuANQyU/fEblnLTTwCfZmqb
E1Pc2dPmHp57HSTmvrfF7MY=
=KK5K
-----END PGP SIGNATURE-----
--
gentoo-announce@gentoo.org mailing list
--- End Message ---
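The forwarded advisory's Description section names fcgi_env_add() and "overly long HTTP headers" but does not reproduce any code. As an added illustration, written for this archive page and not taken from lighttpd, the block below encodes one FastCGI name-value pair the way the FastCGI protocol specifies (a 1-byte length prefix for lengths below 128, a 4-byte prefix with the top bit set otherwise) and checks the required size against the remaining capacity before writing anything. The switch to the 4-byte form at 128 bytes is exactly the point where a size estimate for long headers has to be right. The function names, the caller-owned buffer layout and the sample header values are all constructed for the example.

```c
/* Added example, not lighttpd's code: FastCGI name-value pair encoding
 * with explicit capacity accounting. Assumes the caller owns a fixed-size
 * output buffer and tracks how much of it is already used. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes the FastCGI length prefix occupies: 1 below 128, otherwise 4. */
static size_t fcgi_len_bytes(size_t n) {
    return n < 128 ? 1 : 4;
}

/* Encoded size of one pair: both length prefixes plus the raw bytes. */
size_t fcgi_pair_size(size_t key_len, size_t val_len) {
    return fcgi_len_bytes(key_len) + fcgi_len_bytes(val_len) + key_len + val_len;
}

/* Write a length prefix in the FastCGI wire format; returns the next byte. */
static unsigned char *put_len(unsigned char *p, size_t n) {
    if (n < 128) {
        *p++ = (unsigned char)n;
    } else {
        *p++ = (unsigned char)(0x80 | ((n >> 24) & 0x7f));
        *p++ = (unsigned char)((n >> 16) & 0xff);
        *p++ = (unsigned char)((n >> 8) & 0xff);
        *p++ = (unsigned char)(n & 0xff);
    }
    return p;
}

/* Append a pair to out[used..cap). Returns the number of bytes written,
 * or 0 if the pair would not fit (nothing is written in that case).
 * Because the size is computed with the same rule put_len() uses, a
 * header that needs the 4-byte prefix cannot overrun `out`. */
size_t fcgi_env_add_checked(unsigned char *out, size_t cap, size_t used,
                            const char *key, size_t key_len,
                            const char *val, size_t val_len) {
    if (key_len > 0x7fffffff || val_len > 0x7fffffff) return 0; /* not encodable */
    size_t need = fcgi_pair_size(key_len, val_len);
    if (used > cap || need > cap - used) return 0;
    unsigned char *p = out + used;
    p = put_len(p, key_len);
    p = put_len(p, val_len);
    memcpy(p, key, key_len); p += key_len;
    memcpy(p, val, val_len);
    return need;
}

/* Constructed demonstration: a short header fits, an over-long one is
 * rejected when space is short and encoded with the 4-byte prefix when
 * there is room. Returns 0 when every check passes. */
int demo(void) {
    unsigned char env[256];
    unsigned char big[1024];
    char longval[300];
    memset(longval, 'A', sizeof longval);

    /* Short header: both lengths use the 1-byte form, 1+1+9+12 bytes. */
    size_t used = fcgi_env_add_checked(env, sizeof env, 0,
                                       "HTTP_HOST", 9, "example.test", 12);
    if (used != 23) return 1;

    /* 300-byte value needs 316 bytes; only 233 remain, so it is refused. */
    if (fcgi_env_add_checked(env, sizeof env, used,
                             "HTTP_X_LONG", 11, longval, sizeof longval) != 0) return 2;

    /* Same header into a larger buffer: 4-byte length form for the value. */
    size_t n = fcgi_env_add_checked(big, sizeof big, 0,
                                    "HTTP_X_LONG", 11, longval, sizeof longval);
    if (n != 316) return 3;
    if (big[0] != 11 || (big[1] & 0x80) == 0 || big[4] != (300 & 0xff)) return 4;
    return 0;
}

int main(void) {
    int rc = demo();
    printf("%s\n", rc == 0 ? "ok" : "FAIL");
    return rc;
}
```

The check a reviewer looks for in code like this is that the size computation and the writer share one rule for the prefix width; if they diverge at the 128-byte boundary, every header longer than 127 bytes writes more than was reserved.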