Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0395
lighttpd security update
18 March 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: lighttpd
Publisher: Debian
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Debian GNU/Linux 6
Impact/Access: Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2013-1427
Original Bulletin:
http://www.debian.org/security/2013/dsa-2649
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running lighttpd check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2649-1 security@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
March 15, 2013 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : lighttpd
Vulnerability : fixed socket name in world-writable directory
Problem type : local
Debian-specific: yes
CVE ID : CVE-2013-1427
Debian Bug :
Stefan Bühler discovered that the Debian specific configuration file for
lighttpd webserver FastCGI PHP support used a fixed socket name in the
world-writable /tmp directory. A symlink attack or a race condition could be
exploited by a malicious user on the same machine to take over the PHP control
socket and for example force the webserver to use a different PHP version.
As the fix is in a configuration file lying in /etc, the update won't be
enforced if the file has been modified by the administrator. In that case, care
should be taken to manually apply the fix.
For the stable distribution (squeeze), this problem has been fixed in
version 1.4.28-2+squeeze1.3.
For the testing distribution (wheezy), this problem has been fixed in
version 1.4.31-4.
For the unstable distribution (sid), this problem has been fixed in
version 1.4.31-4.
We recommend that you upgrade your lighttpd packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQEcBAEBCgAGBQJRQ5OpAAoJEG3bU/KmdcClChwH+gIPrukTLA2IOjdgXBPiRhS6
46rJ1yGtoSMscVeJ9ILgT5wWjj+wFiYf5cfgWUUqjfCq3TcOEXtioul3rCShq4ht
zS+tp8CqltN80ZjXNzLV9X8ijvJ8tZyVRGFe+uroQSM3CUELU3Ykkeu7hr5EgQPE
B8PvrOhrvnPcPUZG4m9Dh92BDfbzv2CRWY51KH6t1/ZZNUHTH208hwENpsOeut3X
EbOGJzXgxWyWJCylnAc4Cp8WwCx36hhAU54msMyQxKu2NscGq8a4fmD3/uG98UjT
dDD/UlcDGh35OT/+plP5QWnG7ZLCUfTJlAG352DiaV9zegVBJE3f74nbAuKLJI8=
=CgMg
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUUZi1+4yVqjM2NGpAQId7xAAiZn+egzZ4QtIT7/JJx3EuXEYNA2424m7
lUb43ZZhH1uTdTCR1ua/kYxE0BKLu/Iv8I/a6rHlQjldINOE+0HlZuahFoqxezzH
S6k8ZOckQowD1K0QyQjxqXo/bbmhpNRWk8kTPkMdS+3M6Kiv/oTpIiCy1slC3+1f
1oDdLc8hg4ZqdXqo60XOZ/ob/zKWY/VlzmmpDjdDd4W2M2GU3jUK0U2xDG3gj8YP
XALyOw9AZK/UJE0U7nBwfLOuYHlQww23qixlzjTrUQoFG9c/Kmu5qfeVk6iAuSVl
l1XFWNieqQzHgli1YbbvLkdMJ84M3IX+y3y6CzHaCrKqEZHmr3no9E3itSQSk8Yd
06jJJVkvWY//b/X8uaBvqF7Jr1RorKkm5tFZPrgeYM7mYMrrQOZgYdWDFbmkqFZq
I+7YiK972/FTzu/DXJo9lcYOwLt7hvxxz1InmT0YCVZd0+ir8RGnd21vi35IAAsu
SSbc9R2gc7IGi3nyHsa3BgQcvyyY1Di/PMsVRDp5TRhj1JYwPN2nsZ16PN4zJ1Iz
Tvmkp482E1xqMpNwJXGI6lc/tVqThdJAGL2Pm2R7JOql3e0tMkXI/TNngkkAeUuN
L6phkmZN4B3uf1NlhhixRT/E0hZgV4ihBfNmCDU8xcrsbjeF2xBEd8aWEXMehDBS
IYl+7XxR+/A=
=T49e
-----END PGP SIGNATURE-----