-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0395
                          lighttpd security update
                               18 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           lighttpd
Publisher:         Debian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Debian GNU/Linux 6
Impact/Access:     Reduced Security -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1427

Original Bulletin:
   http://www.debian.org/security/2013/dsa-2649

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running lighttpd check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2649-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
March 15, 2013                         http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : lighttpd
Vulnerability  : fixed socket name in world-writable directory
Problem type   : local
Debian-specific: yes
CVE ID         : CVE-2013-1427
Debian Bug     :

Stefan Bühler discovered that the Debian specific configuration file for
lighttpd webserver FastCGI PHP support used a fixed socket name in the
world-writable /tmp directory. A symlink attack or a race condition could be
exploited by a malicious user on the same machine to take over the PHP control
socket and for example force the webserver to use a different PHP version.

As the fix is in a configuration file lying in /etc, the update won't be
enforced if the file has been modified by the administrator.
In that case, care should be taken to manually apply the fix.

For the stable distribution (squeeze), this problem has been fixed in
version 1.4.28-2+squeeze1.3.

For the testing distribution (wheezy), this problem has been fixed in
version 1.4.31-4.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.31-4.

We recommend that you upgrade your lighttpd packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
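The advisory's last point is that an administrator who has edited 15-fastcgi-php.conf must apply the fix by hand. The following added example (not part of the DSA or of the lighttpd package) audits a lighttpd FastCGI configuration for PHP control sockets placed under a world-writable directory, and checks on the live host whether a socket's parent directory is actually world-writable; the sample configurations are constructed, and the /var/run/lighttpd path in the "fixed" sample is an assumption for this example.

```shell
#!/bin/sh
# Added example, not part of the DSA or of the lighttpd package: audit a
# lighttpd FastCGI/PHP configuration for control sockets placed under a
# world-writable directory, the condition behind CVE-2013-1427.
# The sample configurations below are constructed for the demonstration;
# on Debian the real file is /etc/lighttpd/conf-available/15-fastcgi-php.conf.

# Print every "socket" => "..." path in the file, flagging any that lives
# under /tmp or /var/tmp. Returns 1 if an unsafe path was found, else 0.
check_fastcgi_sockets() {
    # extract the quoted value of each socket entry, skipping comment lines
    sed -n 's/^[^#]*"socket"[[:space:]]*=>[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
    awk '/^\/(var\/)?tmp\// { print "UNSAFE: " $0; bad = 1; next }
         { print "ok:     " $0 }
         END { exit bad ? 1 : 0 }'
}

# On the running host: is the directory that will hold the socket writable
# by everyone (as /tmp is)? Reads the "others" write bit from ls -ld, which
# is at the same column on GNU and BSD userlands. Returns 0 when world-writable.
socket_dir_world_writable() {
    dir=$(dirname "$1")
    [ -d "$dir" ] || return 2
    [ "$(ls -ld "$dir" | cut -c9)" = "w" ]
}

# Constructed sample 1: the pre-fix Debian default, a fixed name in /tmp.
UNSAFE_CONF=$(mktemp)
cat > "$UNSAFE_CONF" <<'EOF'
fastcgi.server += ( ".php" =>
    ((
        "bin-path" => "/usr/bin/php-cgi",
        "socket" => "/tmp/php.socket",
    ))
)
EOF

# Constructed sample 2: socket moved to a directory only the web server
# user can write (the exact path is an assumption for this example).
SAFE_CONF=$(mktemp)
sed 's#/tmp/php.socket#/var/run/lighttpd/php.socket#' "$UNSAFE_CONF" > "$SAFE_CONF"

for conf in "$UNSAFE_CONF" "$SAFE_CONF"; do
    if check_fastcgi_sockets "$conf"; then echo "$conf: no /tmp sockets"
    else echo "$conf: fix the socket path before enabling PHP FastCGI"; fi
done
```

Run it against the real conf-available file after upgrading to confirm the packaged fix was not masked by a locally modified copy.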
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.