CVE-2013-4508 CVE-2013-4559 CVE-2013-4560: lighttpd
Several vulnerabilities have been discovered in the lighttpd web server.
CVE-2013-4508
It was discovered that lighttpd uses weak ssl ciphers when SNI (Server
Name Indication) is enabled. This issue was solved by ensuring that
stronger ssl ciphers are used when SNI is selected.
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2925
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913
CVE-2013-4559
The clang static analyzer was used to discover privilege escalation
issues due to missing checks around lighttpd’s setuid, setgid, and
setgroups calls. Those are now appropriately checked.
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2923
CVE-2013-4560
The clang static analyzer was used to discover a use-after-free issue
when the FAM stat cache engine is enabled, which is now fixed.
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2921
(from redmine: issue id 2350, created on 2013-11-14, closed on 2013-11-18)
- Relations:
- child #2351 (closed)
- child #2352 (closed)
- child #2353 (closed)
- child #2354 (closed)
- Changesets:
- Revision 6164d3a4 by Natanael Copa on 2013-11-15T11:47:13Z:
main/lighttpd: various sec fixes (CVE-2013-4508,CVE-2013-4559,CVE-2013-4560)
ref #2350
- Revision de7e59e7 by Natanael Copa on 2013-11-15T11:48:48Z:
main/lighttpd: various sec fixes (CVE-2013-4508,CVE-2013-4559,CVE-2013-4560)
ref #2350
fixes #2354
- Revision 0889a351 by Natanael Copa on 2013-11-15T11:59:43Z:
main/lighttpd: various sec fixes (CVE-2013-4508,CVE-2013-4559,CVE-2013-4560)
ref #2350
fixes #2353
- Revision 97e3e4a2 by Natanael Copa on 2013-11-15T12:02:09Z:
main/lighttpd: various sec fixes (CVE-2013-4508,CVE-2013-4559,CVE-2013-4560)
ref #2350
fixes #2352
- Revision 0238d087 by Natanael Copa on 2013-11-15T12:09:55Z:
main/lighttpd: various sec fixes (CVE-2013-4508,CVE-2013-4559,CVE-2013-4560)
ref #2350
fixes #2351