Vulnerability   
Search   
    Search 191973 CVE descriptions
and 86218 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.702795
Category:Debian Local Security Checks
Title:Debian Security Advisory DSA 2795-2 (lighttpd - several vulnerabilities)
Summary:Several vulnerabilities have been discovered in the lighttpd web server.;;It was discovered that SSL connections with client certificates;stopped working after the DSA-2795-1 update of lighttpd. An upstream;patch has now been applied that provides an appropriate identifier for;client certificate verification.;;CVE-2013-4508;It was discovered that lighttpd uses weak ssl ciphers when SNI (Server;Name Indication) is enabled. This issue was solved by ensuring that;stronger ssl ciphers are used when SNI is selected.;;CVE-2013-4559;The clang static analyzer was used to discover privilege escalation;issues due to missing checks around lighttpd's setuid, setgid, and;setgroups calls. Those are now appropriately checked.;;CVE-2013-4560;The clang static analyzer was used to discover a use-after-free issue;when the FAM stat cache engine is enabled, which is now fixed.
Description:Summary:
Several vulnerabilities have been discovered in the lighttpd web server.

It was discovered that SSL connections with client certificates
stopped working after the DSA-2795-1 update of lighttpd. An upstream
patch has now been applied that provides an appropriate identifier for
client certificate verification.

CVE-2013-4508
It was discovered that lighttpd uses weak ssl ciphers when SNI (Server
Name Indication) is enabled. This issue was solved by ensuring that
stronger ssl ciphers are used when SNI is selected.

CVE-2013-4559
The clang static analyzer was used to discover privilege escalation
issues due to missing checks around lighttpd's setuid, setgid, and
setgroups calls. Those are now appropriately checked.

CVE-2013-4560
The clang static analyzer was used to discover a use-after-free issue
when the FAM stat cache engine is enabled, which is now fixed.

Affected Software/OS:
lighttpd on Debian Linux

Solution:
For the oldstable distribution (squeeze), these problems have been fixed in
version 1.4.28-2+squeeze1.5.

For the stable distribution (wheezy), these problems have been fixed in
version 1.4.31-4+deb7u2.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version lighttpd_1.4.33-1+nmu1.

For the testing (jessie) and unstable (sid) distributions, the regression
problem will be fixed soon.

We recommend that you upgrade your lighttpd packages.

CVSS Score:
7.6

CVSS Vector:
AV:N/AC:H/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2013-4508
Debian Security Information: DSA-2795 (Google Search)
https://www.debian.org/security/2013/dsa-2795
HPdes Security Advisory: HPSBGN03191
http://marc.info/?l=bugtraq&m=141576815022399&w=2
http://openwall.com/lists/oss-security/2013/11/04/19
SuSE Security Announcement: openSUSE-SU-2014:0072 (Google Search)
http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html
Common Vulnerability Exposure (CVE) ID: CVE-2013-4560
http://www.openwall.com/lists/oss-security/2013/11/12/4
http://secunia.com/advisories/55682
Common Vulnerability Exposure (CVE) ID: CVE-2013-4559
CopyrightCopyright (C) 2013 Greenbone Networks GmbH http://greenbone.net

This is only one of 86218 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2020 E-Soft Inc. All rights reserved.