Startseite ▼ Bookkeeping
Online ▼ Sicherheits
Überprüfungs ▼
Verwaltetes
DNS ▼
Info
Bestellen/Erneuern
FAQ
AUP
Dynamic DNS Clients
Domaine konfigurieren Dyanmic DNS Update Password Netzwerk
Überwachung ▼
Enterprise
Erweiterte
Standard
Gratis Test
FAQ
Preis/Funktionszusammenfassung
Bestellen
Beispiele
Konfigurieren/Status Alarm Profile | |||
Test Kennung: | 1.3.6.1.4.1.25623.1.0.850583 |
Kategorie: | SuSE Local Security Checks |
Titel: | openSUSE: Security Advisory for lighttpd (openSUSE-SU-2014:0496-1) |
Zusammenfassung: | The remote host is missing an update for the 'lighttpd'; package(s) announced via the referenced advisory. |
Beschreibung: | Summary: The remote host is missing an update for the 'lighttpd' package(s) announced via the referenced advisory. Vulnerability Insight: lighttpd was updated to version 1.4.35, fixing bugs and security issues: CVE-2014-2323: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd allowed remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname. CVE-2014-2323: Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd allowed remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname. More information can be found on the referenced lighttpd advisory page. Other changes: * [network/ssl] fix build error if TLSEXT is disabled * [mod_fastcgi] fix use after free (only triggered if fastcgi debug is active) * [mod_rrdtool] fix invalid read (string not null terminated) * [mod_dirlisting] fix memory leak if pcre fails * [mod_fastcgi, mod_scgi] fix resource leaks on spawning backends * [mod_magnet] fix memory leak * add comments for switch fall throughs * remove logical dead code * [buffer] fix length check in buffer_is_equal_right_len * fix resource leaks in error cases on config parsing and other initializations * add force_assert() to enforce assertions as simple assert()s are disabled by -DNDEBUG (fixes #2546) * [mod_cml_lua] fix null pointer dereference * force assertion: setting FD_CLOEXEC must work (if available) * [network] check return value of lseek() * fix unchecked return values from stream_open/stat_cache_get_entry * [mod_webdav] fix logic error in handling file creation error * check length of unix domain socket filenames * fix SQL injection / host name validation (thx Jann Horn)for all the changes see /usr/share/doc/packages/lighttpd/NEWS Affected Software/OS: lighttpd on openSUSE 11.4 Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
Querverweis: |
Common Vulnerability Exposure (CVE) ID: CVE-2014-2323 Debian Security Information: DSA-2877 (Google Search) http://www.debian.org/security/2014/dsa-2877 HPdes Security Advisory: HPSBGN03191 http://marc.info/?l=bugtraq&m=141576815022399&w=2 http://jvn.jp/en/jp/JVN37417423/index.html http://seclists.org/oss-sec/2014/q1/564 http://seclists.org/oss-sec/2014/q1/561 http://secunia.com/advisories/57404 http://secunia.com/advisories/57514 SuSE Security Announcement: SUSE-SU-2014:0474 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html SuSE Security Announcement: openSUSE-SU-2014:0449 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html SuSE Security Announcement: openSUSE-SU-2014:0496 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html Common Vulnerability Exposure (CVE) ID: CVE-2014-2324 BugTraq ID: 66157 http://www.securityfocus.com/bid/66157 |
Copyright | Copyright (C) 2014 Greenbone Networks GmbH |
Dies ist nur einer von 99761 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus. Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten. |