Amazon Linux Local Security Checks : Amazon Linux: Security Advisory (ALAS-2014-299)

Anfälligkeitssuche		Suche in 219043 CVE Beschreibungen und 99761 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.120162

Kategorie: Amazon Linux Local Security Checks

Titel: Amazon Linux: Security Advisory (ALAS-2014-299)

Zusammenfassung: The remote host is missing an update announced via the referenced Security Advisory.

Beschreibung: Summary:
The remote host is missing an update announced via the referenced Security Advisory.

Vulnerability Insight:
Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures. lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network. lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.

Solution:
Run yum update lighttpd to update your system.

CVSS Score:
7.6

CVSS Vector:
AV:N/AC:H/Au:N/C:C/I:C/A:C

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2013-4560
Debian Security Information: DSA-2795 (Google Search)
https://www.debian.org/security/2013/dsa-2795
HPdes Security Advisory: HPSBGN03191
http://marc.info/?l=bugtraq&m=141576815022399&w=2
http://jvn.jp/en/jp/JVN37417423/index.html
http://www.openwall.com/lists/oss-security/2013/11/12/4
http://secunia.com/advisories/55682
SuSE Security Announcement: openSUSE-SU-2014:0072 (Google Search)
http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html
Common Vulnerability Exposure (CVE) ID: CVE-2013-4508
http://openwall.com/lists/oss-security/2013/11/04/19
Common Vulnerability Exposure (CVE) ID: CVE-2013-4559

Copyright Copyright (C) 2015 Eero Volotinen

Dies ist nur einer von 99761 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.120162
Kategorie:	Amazon Linux Local Security Checks
Titel:	Amazon Linux: Security Advisory (ALAS-2014-299)
Zusammenfassung:	The remote host is missing an update announced via the referenced Security Advisory.
Beschreibung:	Summary: The remote host is missing an update announced via the referenced Security Advisory. Vulnerability Insight: Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures. lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network. lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached. Solution: Run yum update lighttpd to update your system. CVSS Score: 7.6 CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2013-4560 Debian Security Information: DSA-2795 (Google Search) https://www.debian.org/security/2013/dsa-2795 HPdes Security Advisory: HPSBGN03191 http://marc.info/?l=bugtraq&m=141576815022399&w=2 http://jvn.jp/en/jp/JVN37417423/index.html http://www.openwall.com/lists/oss-security/2013/11/12/4 http://secunia.com/advisories/55682 SuSE Security Announcement: openSUSE-SU-2014:0072 (Google Search) http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html Common Vulnerability Exposure (CVE) ID: CVE-2013-4508 http://openwall.com/lists/oss-security/2013/11/04/19 Common Vulnerability Exposure (CVE) ID: CVE-2013-4559
Copyright	Copyright (C) 2015 Eero Volotinen