Alpine: multiple lighttpd packages: security update to 1.4.33-r2 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 401109

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote
attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive
information by sniffing the network. (CVE-2013-4508)

- lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups
functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to
gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when
the user process limit is reached. (CVE-2013-4559)

- Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of
service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures.
(CVE-2013-4560)

See Also

https://git.alpinelinux.org/aports/commit/?id=47578fcc859119fe477efa740c2639092828cacc

https://git.alpinelinux.org/aports/commit/?id=6164d3a4445a58197b45c1fa3ee7f979d1a3cc10

Plugin Details

Severity: High

ID: 401109

Version: Revision 1.25

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2013-4559

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2013-4508

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/15/2013

Vulnerability Publication Date: 11/1/2013

Reference Information

CVE: CVE-2013-4508, CVE-2013-4559, CVE-2013-4560

BID: 63534, 63686, 63688