GLSA-200708-11 : Lighttpd: Multiple vulnerabilities

High Nessus Plugin ID 25917


The remote Gentoo host is missing one or more security-related patches.


The remote host is affected by the vulnerability described in GLSA-200708-11 (Lighttpd: Multiple vulnerabilities)

Stefan Esser discovered memory corruption in the code that parses HTTP headers. Several independent researchers also reported errors in the handling of HTTP headers, in the mod_auth and mod_scgi modules, and in the limiting of active connections.
Impact :

A remote attacker can trigger any of these vulnerabilities by sending crafted data to the server, which may crash it or exhaust its memory and could potentially lead to the execution of arbitrary code.
Additionally, access-deny settings can be bypassed by appending a trailing / to the URL.
Workaround :

There is no known workaround at this time.


All Lighttpd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-servers/lighttpd-1.4.16'
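The following Python script is an added example, not part of the Nessus plugin or the Gentoo advisory. It reproduces the plugin's local check in standalone form: it reads lines in the style of a Gentoo installed-package inventory (the sample lines below are constructed, and the assumption is that each line is a category/package-version atom, as the Host/Gentoo/qpkg-list KB item suggests) and reports any www-servers/lighttpd atom whose version is below the 1.4.16 named in the remediation. Version ordering follows Gentoo's rules for _alpha/_beta/_pre/_rc/_p suffixes and -rN ebuild revisions, so 1.4.16_rc1 is flagged as vulnerable while 1.4.16-r1 is not; comparison of numeric components with leading zeros is simplified.

```python
import re

# Gentoo pre/post-release suffix ordering: _alpha < _beta < _pre < _rc < release < _p
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}

# category/package-version, as listed by a qpkg-list style inventory (assumption).
ATOM_RE = re.compile(
    r"^(?P<cat>[A-Za-z0-9_-]+)/(?P<pkg>[A-Za-z0-9_+-]+?)-"
    r"(?P<ver>\d+(?:\.\d+)*[a-z]?(?:_(?:alpha|beta|pre|rc|p)\d*)*(?:-r\d+)?)$"
)

FIXED_VERSION = "1.4.16"  # from the GLSA remediation: >=www-servers/lighttpd-1.4.16


def version_key(ver):
    """Sortable key for a Gentoo package version string.

    Handles dotted numeric components, an optional trailing letter (0.9.8e),
    _alpha/_beta/_pre/_rc/_p suffixes and a -rN ebuild revision. Numeric
    components are compared as plain integers, a simplification of PMS rules.
    """
    rev = 0
    m = re.match(r"^(.*)-r(\d+)$", ver)
    if m:
        ver, rev = m.group(1), int(m.group(2))
    base, *suffixes = ver.split("_")
    m = re.match(r"^(\d+(?:\.\d+)*)([a-z]?)$", base)
    if m is None:
        raise ValueError("unparseable version: %r" % ver)
    nums = [int(x) for x in m.group(1).split(".")]
    letter = m.group(2)
    suf = []
    for s in suffixes:
        sm = re.match(r"^(alpha|beta|pre|rc|p)(\d*)$", s)
        if sm is None:
            raise ValueError("unknown suffix %r in %r" % (s, ver))
        suf.append((SUFFIX_RANK[sm.group(1)], int(sm.group(2) or 0)))
    if not suf:
        suf = [(0, 0)]  # a plain release sorts between _rc and _p
    return (nums, letter, suf, rev)


def vulnerable_lighttpd_atoms(qpkg_lines, fixed=FIXED_VERSION):
    """Return the www-servers/lighttpd atoms installed below the fixed version."""
    fixed_key = version_key(fixed)
    hits = []
    for line in qpkg_lines:
        m = ATOM_RE.match(line.strip())
        if not m or (m.group("cat"), m.group("pkg")) != ("www-servers", "lighttpd"):
            continue
        if version_key(m.group("ver")) < fixed_key:
            hits.append(m.group(0))
    return hits


# Constructed inventory in the style of a Gentoo package list (not real scan data).
SAMPLE_QPKG_LIST = """\
app-shells/bash-3.2_p17
dev-libs/openssl-0.9.8e-r3
www-servers/lighttpd-1.4.15-r1
www-servers/apache-2.2.4-r1
"""

if __name__ == "__main__":
    for atom in vulnerable_lighttpd_atoms(SAMPLE_QPKG_LIST.splitlines()):
        print("VULNERABLE (GLSA-200708-11):", atom)
```

On a real host the inventory can be produced with `qlist -I -C -v` from app-portage/portage-utils or by listing /var/db/pkg; the check only looks at the installed version, so it matches the plugin's behaviour of not inspecting the running binary.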

Plugin Details

Severity: High

ID: 25917

File Name: gentoo_GLSA-200708-11.nasl

Version: $Revision: 1.12 $

Type: local

Published: 2007/08/21

Modified: 2015/04/13

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 8.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:lighttpd, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 2007/08/16

Vulnerability Publication Date: 2007/06/15

Reference Information

CVE: CVE-2007-3946, CVE-2007-3947, CVE-2007-3948, CVE-2007-3949, CVE-2007-3950

OSVDB: 38308, 38309, 38310, 38311, 38312, 38313, 38314, 38315, 38316, 38317, 38318

GLSA: 200708-11