-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 1303-1 security@debian.org http://www.debian.org/security/ Steve Kemp June 10, 2007 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : lighttpd Vulnerability : denial of service Problem-Type : local & remote Debian-specific: no CVE ID : CVE-2007-1870 CVE-2007-1869 Debian Bug : 422254 Two problems were discovered with lighttpd, a fast webserver with minimal memory footprint, which could allow denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1869 Remote attackers could cause denial of service by disconnecting partway through making a request. CVE-2007-1870 A NULL pointer dereference could cause a crash when serving files with a mtime of 0. For the stable distribution (etch) these problems have been fixed in version 1.4.13-4etch1. For the unstable distribution (sid) these problems have been fixed in version 1.4.14-1. We recommend that you upgrade your lighttpd package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Source archives: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1.dsc Size/MD5 checksum: 1098 ef3730d86ea77e526e66127d934f03c6 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1.diff.gz Size/MD5 checksum: 15173 411d82d078a5303943389fc3521e7fba http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz Size/MD5 checksum: 793309 3a64323b8482b0e8a6246dbfdb4c39dc Architecture independent components: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch1_all.deb Size/MD5 checksum: 99474 8a94fa9556f1429528319f1a1fa568f1 Alpha architecture: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_alpha.deb Size/MD5 checksum: 318162 283fd8d6c7c27f4bd61898247da07db9 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_alpha.deb Size/MD5 checksum: 64510 d0944bbc86a22daa45999afd00676920 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_alpha.deb Size/MD5 checksum: 64070 d685ea88c4b629bab5771d08621aa81c http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_alpha.deb Size/MD5 checksum: 59074 aad74a6b17e86c8c68b63717b4448e22 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_alpha.deb Size/MD5 checksum: 60828 c136287cae4f4cea113657ea6b01ce41 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_alpha.deb Size/MD5 checksum: 71320 bc0aa14a9955e2f386fbb43c6061ff8b AMD64 architecture: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_amd64.deb Size/MD5 checksum: 296426 7cbf0ee2b5a3c27b3478ae096419beef http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_amd64.deb Size/MD5 checksum: 63922 981c2f63505bd5394c639a1aa93fa25a http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_amd64.deb Size/MD5 checksum: 63646 d4ec90dda80422e47115faf57396bb05 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_amd64.deb Size/MD5 checksum: 59132 a6cc6145c017eae377b20887dae4618c http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_amd64.deb Size/MD5 checksum: 60724 6a6af3f67680ea042ea5e8a6d2170139 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_amd64.deb Size/MD5 checksum: 69976 739708ec1200c70a6cc4b468080b49ae ARM architecture: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_arm.deb Size/MD5 checksum: 288014 1114e00e94dc60364fa9aaad59183836 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_arm.deb Size/MD5 checksum: 62602 9947d36ac758e7d7cd78064c147ddbe2 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_arm.deb Size/MD5 checksum: 62462 220505089fe300fcce338cc730b7cfb2 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_arm.deb Size/MD5 checksum: 58360 ca58297fd12f1b62af27a85fddcf47ad http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_arm.deb Size/MD5 checksum: 60284 dce6b3c544c0e3bd2f8c08a88cfcb6f2 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_arm.deb Size/MD5 checksum: 69420 a889e304aab96e8be3638ce6a16ca1c3 HP Precision architecture: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_hppa.deb Size/MD5 checksum: 323150 e49e128dcd9d3d38d08aeaa1fae889cd http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_hppa.deb Size/MD5 checksum: 64930 a3a60a655c7f06f38ddd71df3d1c2b48 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_hppa.deb Size/MD5 checksum: 64418 9fad81697a0dac3aa1f64cf2ea4a93b2 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_hppa.deb Size/MD5 checksum: 59432 29c07432b0d96cc11d4794a6f618c94e http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_hppa.deb Size/MD5 checksum: 61198 70155f2b1dce10205822cf14639eedcf http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_hppa.deb Size/MD5 checksum: 72464 d51a480afe5e07b0335332e7b24085bb Intel IA-32 architecture: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_i386.deb Size/MD5 checksum: 288108 06270ce40db3249625b3123afe20f545 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_i386.deb Size/MD5 checksum: 63110 a01ca815790e6579c308eb364fbf0b9e http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_i386.deb Size/MD5 checksum: 62910 17903e4397ba40d9b1fafaae03aeba67 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_i386.deb Size/MD5 checksum: 58516 ffd4e5175a0771229aa9ec0ee462367c http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_i386.deb Size/MD5 checksum: 60178 a6e7d1e4431950bb1cb9c8ed02d8796e http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_i386.deb Size/MD5 checksum: 70212 797fbce72817ed3092d0756d4f0b7b16 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_ia64.deb Size/MD5 checksum: 402620 ee76492e203b1c42459a9d35708c15d1 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_ia64.deb Size/MD5 checksum: 66974 14dfec6e97a3fffe45c8c8d2b1c263c7 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_ia64.deb Size/MD5 checksum: 66822 c8761bdad0192b709a6650935a73b77e http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_ia64.deb Size/MD5 checksum: 60666 a51f5988e23c3cb01ba872556e666c67 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_ia64.deb Size/MD5 checksum: 62532 306c5d1b0744c9a55bdbc5a3e6ab9d43 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_ia64.deb Size/MD5 checksum: 76526 1d46f971460f6bc919cbe4ae68f7049e Big endian MIPS architecture: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_mips.deb Size/MD5 checksum: 295572 d4eff501f522141341fd0d42a7643e50 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_mips.deb Size/MD5 checksum: 62994 a42afe38e858bdc97e3d1cc2609040cd http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_mips.deb Size/MD5 checksum: 62832 21d9359dee2346189cb50bf6ce743fc5 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_mips.deb Size/MD5 checksum: 58804 1f3c6acfdd1500b1a44384cf013368e1 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_mips.deb Size/MD5 checksum: 60240 f06fa483be4d888fe6161d4343232879 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_mips.deb Size/MD5 checksum: 69504 53b09dd48fdcb378b8ebfb1ba4d71703 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_mipsel.deb Size/MD5 checksum: 296010 71a9419f817392755394718a35f176c0 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_mipsel.deb Size/MD5 checksum: 63028 d66cf97cf28ee0657b17f5357333b063 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_mipsel.deb Size/MD5 checksum: 62854 7861b0cd64b100a068bfebd841d12488 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_mipsel.deb Size/MD5 checksum: 58776 2af4301d158b3143d3b40e4aab618f74 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_mipsel.deb Size/MD5 checksum: 60248 839ad9fbbc65f5d873033599a5933b8e http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_mipsel.deb Size/MD5 checksum: 69494 c76e5480bafdcfcc6ae021aa1000c8b2 PowerPC architecture: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_powerpc.deb Size/MD5 checksum: 322174 74b0047df6db5edb00d9d2691c8f064c http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_powerpc.deb Size/MD5 checksum: 64874 17f172304062df3885814aa40abfaf19 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_powerpc.deb Size/MD5 checksum: 64516 542119472a68eae891b70b408425e5c1 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_powerpc.deb Size/MD5 checksum: 60134 7404bfe78362b08fa558310c38809521 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_powerpc.deb Size/MD5 checksum: 61946 caed2baa31f06fc1e7d96007c6d33b98 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_powerpc.deb Size/MD5 checksum: 71244 31d0392efa451d605daa53846388a9fb IBM S/390 architecture: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_s390.deb Size/MD5 checksum: 306018 a2a8aaf5a00d7ffdc4a90be4c891e68a http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_s390.deb Size/MD5 checksum: 64108 b698d116eccc8373cd0d35efd704b8d5 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_s390.deb Size/MD5 checksum: 63718 cfa9c3c452641911f3dc47aa014f717d http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_s390.deb Size/MD5 checksum: 59080 d5edfcdfae8a88781869dc800317895b http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_s390.deb Size/MD5 checksum: 60572 66ffe78d259ed3c27ee59e9e62c162d1 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_s390.deb Size/MD5 checksum: 70756 bc6cb87a363b8007bee03d1383f4c7af Sun Sparc architecture: http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_sparc.deb Size/MD5 checksum: 283110 f6e58d1dc5993bad86eeac3d322c4f96 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_sparc.deb Size/MD5 checksum: 62912 61868c7b6990c7c358643edb63bb9d2f http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_sparc.deb Size/MD5 checksum: 62884 983eee1671580a04506e6353a119c1ab http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_sparc.deb Size/MD5 checksum: 58356 f5a3f3eb5caaac0966e64a463eb8635c http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_sparc.deb Size/MD5 checksum: 60002 39e417cc65309ed2aeee7f7c91a607cb http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_sparc.deb Size/MD5 checksum: 69364 dc30f534d4bb72a97b62f3c4f59fdaf6 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGa/ptwM/Gs81MDZ0RAkZiAKCSotYpd7DrW+9T48VGXbIEBsUVrwCfbUM4 HJ9ZwpUCxht4CjYJQMfavJU= =b1nu -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/