| Field | Value |
|---|---|
| Summary | <www-servers/lighttpd-1.4.35 : sql injection and directory traversal (CVE-2014-2323) |
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | hwoarang, wired |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt |
| Whiteboard | B3 [glsa] |
| Package list | |
| Runtime testing required | --- |
Description
Agostino Sarubbo
2014-03-12 16:06:15 UTC
1.4.35 is in the tree. Please allow a few days for people to try it before you CC arches.

CVE-2014-2323 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2323): SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.

Arches, please test and mark stable: =www-servers/lighttpd-1.4.35
target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Stable for HPPA.

amd64 stable

arm stable

x86 stable

ppc stable

alpha stable

ppc64 stable

ia64 stable

sparc stable.

Maintainer(s), please cleanup. Security, please vote.

+ 06 Jun 2014; Mikle Kolyada <zlogene@gentoo.org> -lighttpd-1.4.32-r3.ebuild,
+ -lighttpd-1.4.34.ebuild:
+ Drop insecure versions

Added to existing glsa draft.

This issue was resolved and addressed in GLSA 201406-10 at http://security.gentoo.org/glsa/glsa-201406-10.xml by GLSA coordinator Sergey Popov (pinkbyte).
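The mechanism behind the CVE entry above, as an added illustration that is not lighttpd's own code: an untrusted Host header spliced into the virtual-host lookup query, beside a hardened lookup that first canonicalises the hostname with a strict RFC-1123 check (the role a request_check_hostname routine plays) and then binds it as a query parameter. The `domains` table, the SQLite stand-in for MySQL and the sample rows are constructed assumptions.

```python
import re
import sqlite3  # stand-in for MySQL so the example runs offline

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def canonical_hostname(host):
    """Return the lowercased hostname if it is RFC-1123 well-formed, else None.

    An optional numeric port (Host: example.com:8080) and a single trailing
    dot are tolerated; anything else (quotes, spaces, path characters) is rejected.
    """
    if not host:
        return None
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    host = host.lower().rstrip(".")
    if not host or len(host) > 253:
        return None
    if not all(_LABEL.match(label) for label in host.split(".")):
        return None
    return host


def make_vhost_db():
    """Constructed sample table mapping a virtual host to its document root."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (domain TEXT PRIMARY KEY, docroot TEXT)")
    conn.executemany("INSERT INTO domains VALUES (?, ?)",
                     [("example.com", "/srv/www/example.com"),
                      ("other.test", "/srv/www/other.test")])
    return conn


def docroot_unsafe(conn, host):
    # Vulnerable pattern: the raw Host header is spliced into the SQL text,
    # so a quote character in the header changes the query's structure.
    sql = "SELECT docroot FROM domains WHERE domain = '%s'" % host
    return [row[0] for row in conn.execute(sql)]


def docroot_safe(conn, host):
    # Hardened: reject anything that is not a hostname, then bind the value
    # as a parameter so it can never be interpreted as SQL.
    name = canonical_hostname(host)
    if name is None:
        return None
    row = conn.execute("SELECT docroot FROM domains WHERE domain = ?", (name,)).fetchone()
    return row[0] if row else None
```

The strict check is what matters for detection as well: a Host header that fails it is a request worth logging, because no legitimate client sends one.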