 |
Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | ||
| Test ID: | 1.3.6.1.4.1.25623.1.0.702795 |
| Category: | Debian Local Security Checks |
| Title: | Debian: Security Advisory (DSA-2795-1) |
| Summary: | The remote host is missing an update for the Debian 'lighttpd' package(s) announced via the DSA-2795-1 advisory. |
| Description: | Summary: The remote host is missing an update for the Debian 'lighttpd' package(s) announced via the DSA-2795-1 advisory. Vulnerability Insight: Several vulnerabilities have been discovered in the lighttpd web server. It was discovered that SSL connections with client certificates stopped working after the DSA-2795-1 update of lighttpd. An upstream patch has now been applied that provides an appropriate identifier for client certificate verification. CVE-2013-4508 It was discovered that lighttpd uses weak ssl ciphers when SNI (Server Name Indication) is enabled. This issue was solved by ensuring that stronger ssl ciphers are used when SNI is selected. CVE-2013-4559 The clang static analyzer was used to discover privilege escalation issues due to missing checks around lighttpd's setuid, setgid, and setgroups calls. Those are now appropriately checked. CVE-2013-4560 The clang static analyzer was used to discover a use-after-free issue when the FAM stat cache engine is enabled, which is now fixed. For the oldstable distribution (squeeze), these problems have been fixed in version 1.4.28-2+squeeze1.5. For the stable distribution (wheezy), these problems have been fixed in version 1.4.31-4+deb7u2. For the testing distribution (jessie), these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed in version lighttpd_1.4.33-1+nmu1. For the testing (jessie) and unstable (sid) distributions, the regression problem will be fixed soon. We recommend that you upgrade your lighttpd packages. Affected Software/OS: 'lighttpd' package(s) on Debian 6, Debian 7. Solution: Please install the updated package(s). CVSS Score: 7.6 CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C |
| Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2013-4508 DSA-2795 https://www.debian.org/security/2013/dsa-2795 HPSBGN03191 http://marc.info/?l=bugtraq&m=141576815022399&w=2 JVN#37417423 http://jvn.jp/en/jp/JVN37417423/index.html [oss-security] 20131104 Re: CVE Request: lighttpd using vulnerable cipher suites with SNI http://openwall.com/lists/oss-security/2013/11/04/19 http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt http://redmine.lighttpd.net/issues/2525 http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913/diff/ openSUSE-SU-2014:0072 http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html Common Vulnerability Exposure (CVE) ID: CVE-2013-4559 55682 http://secunia.com/advisories/55682 [oss-security] 20131112 Re: CVE Request: lighttpd multiple issues (setuid/... unchecked return value, FAM: read after free) http://www.openwall.com/lists/oss-security/2013/11/12/4 http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt https://kc.mcafee.com/corporate/index?page=content&id=SB10310 Common Vulnerability Exposure (CVE) ID: CVE-2013-4560 http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt |
| Copyright | Copyright (C) 2013 Greenbone AG |
| This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |