[v2.5] CVE-2013-4508 CVE-2013-4559 CVE-2013-4560: lighttpd
Several vulnerabilities have been discovered in the lighttpd web server.
CVE-2013-4508
It was discovered that lighttpd uses weak ssl ciphers when SNI (Server
Name Indication) is enabled. This issue was solved by ensuring that
stronger ssl ciphers are used when SNI is selected.
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2925
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913
CVE-2013-4559
The clang static analyzer was used to discover privilege escalation
issues due to missing checks around lighttpd’s setuid, setgid, and
setgroups calls. Those are now appropriately checked.
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2923
CVE-2013-4560
The clang static analyzer was used to discover a use-after-free issue
when the FAM stat cache engine is enabled, which is now fixed.
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2921
(from redmine: issue id 2352, created on 2013-11-14, closed on 2013-11-18)
- Relations:
- parent #2350 (closed)
- Changesets:
- Revision 97e3e4a2 by Natanael Copa on 2013-11-15T12:02:09Z:
main/lighttpd: various sec fixes (CVE-2013-4508,CVE-2013-4559,CVE-2013-4560)
ref #2350
fixes #2352