openSUSE Security Update : lighttpd (openSUSE-2012-110)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

- added lighttpd-1.4.30_head_fixes.patch: cherry-picked four
fixes from HEAD:

- [ssl] include more headers explicitly

- list all network handlers in lighttpd -V (fixes
lighttpd#2376)

- Move fdevent subsystem includes to implementation files
to reduce conflicts (fixes lighttpd#2373)

- [ssl] fix segfault in counting renegotiations for
openssl versions without TLSEXT/SNI

- update to 1.4.30: (bnc#733607)

- Always use our ‘own’ md5 implementation,
fixes linking issues on MacOS (fixes #2331)

- Limit amount of bytes we send in one go; fixes stalling
in one connection and timeouts on slow systems.

- [ssl] fix build errors when Elliptic-Curve
Diffie-Hellman is disabled

- Add static-file.disable-pathinfo option to prevent
handling of URLs like …/secret.php/image.jpg as a
static file

- Don’t overwrite 401 (auth required) with 501
(unknown method) (fixes #2341)

- Fix mod_status bug: always showed “0/0” in
the “Read” column for uploads (fixes #2351)

- [mod_auth] Fix signedness error in http_auth (fixes
#2370, CVE-2011-4362)

- [ssl] count renegotiations to prevent client
renegotiations

- [ssl] add option to honor server cipher order (fixes
#2364, BEAST attack)

- [core] accept dots in ipv6 addresses in host header
(fixes #2359)

- [ssl] fix ssl connection aborts if files are larger than
the MAX_WRITE_LIMIT (256kb)

- [libev/cgi] fix waitpid ECHILD errors in cgi with libev
(fixes #2324)

- add automake as buildrequire to avoid implicit
dependency

See also :

https://bugzilla.novell.com/show_bug.cgi?id=733607

Solution :

Update the affected lighttpd packages.
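Updating the package fixes the crash in mod_auth, but three of the 1.4.30 changes listed above (static-file.disable-pathinfo, server cipher order, renegotiation control) are configuration options that are not active until they are set. The fragment below is an added example written for this page, not part of the advisory or of the openSUSE package; the option names and the `$SERVER["socket"]` conditional are lighttpd's, while the document root, the PEM path and the cipher string are placeholders. It only applies to 1.4.30 or later, i.e. after the update.

```conf
# Added example, not from the advisory or the package: lighttpd.conf
# fragment enabling the 1.4.30 hardening options. Paths and the cipher
# string are placeholders; option names are lighttpd's (1.4.30 or later).

# placeholder document root
server.document-root = "/srv/www/htdocs"

# Default ("disable"): a URL such as /secret.php/image.jpg can still be
# handled by mod_staticfile, with the trailing /image.jpg split off as
# path info. Hardened: do not serve such URLs as static files.
static-file.disable-pathinfo = "enable"

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    # placeholder certificate + key
    ssl.pemfile = "/etc/lighttpd/server.pem"

    # Weak: with both left at "disable" the client's cipher preference wins
    # and client-initiated renegotiation is accepted.
    #   ssl.honor-cipher-order           = "disable"
    #   ssl.disable-client-renegotiation = "disable"

    # Hardened: the server's order in ssl.cipher-list is authoritative (the
    # BEAST-related entry above) and client renegotiation is refused (the
    # renegotiation-counting entry above).
    # placeholder policy; pick the suites your clients need
    ssl.cipher-list                  = "HIGH:!aNULL:!MD5"
    ssl.honor-cipher-order           = "enable"
    ssl.disable-client-renegotiation = "enable"
}
```

Check the result with `lighttpd -t -f /etc/lighttpd/lighttpd.conf` before restarting; on a build older than 1.4.30 the unknown option names make the syntax check fail, which is a quick way to confirm the update actually landed.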

Risk factor :

Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 74546

CVE ID: CVE-2011-4362
