openSUSE Security Update : lighttpd (openSUSE-2012-110)

medium Nessus Plugin ID 74546

Synopsis

The remote openSUSE host is missing a security update.

Description

- added lighttpd-1.4.30_head_fixes.patch: cherry picked 4 fixes from HEAD :

- [ssl] include more headers explicitly

- list all network handlers in lighttpd -V (fixes lighttpd#2376)

- Move fdevent subsystem includes to implementation files to reduce conflicts (fixes lighttpd#2373)

- [ssl] fix segfault in counting renegotiations for openssl versions without TLSEXT/SNI

- update to 1.4.30: (bnc#733607)

- Always use our ‘own’ md5 implementation, fixes linking issues on MacOS (fixes #2331)

- Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems.

- [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled

- Add static-file.disable-pathinfo option to prevent handling of urls like …/secret.php/image.jpg as static file

- Don’t overwrite 401 (auth required) with 501 (unknown method) (fixes #2341)

- Fix mod_status bug: always showed “0/0” in the “Read” column for uploads (fixes #2351)

- [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)

- [ssl] count renegotiations to prevent client renegotiations

- [ssl] add option to honor server cipher order (fixes #2364, BEAST attack)

- [core] accept dots in ipv6 addresses in host header (fixes #2359)

- [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb)

- [libev/cgi] fix waitpid ECHILD errors in cgi with libev (fixes #2324)

- add automake as buildrequire to avoid implicit dependency

Solution

Update the affected lighttpd packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=733607

Plugin Details

Severity: Medium

ID: 74546

File Name: openSUSE-2012-110.nasl

Version: 1.3

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:lighttpd, p-cpe:/a:novell:opensuse:lighttpd-debuginfo, p-cpe:/a:novell:opensuse:lighttpd-debugsource, p-cpe:/a:novell:opensuse:lighttpd-mod_cml, p-cpe:/a:novell:opensuse:lighttpd-mod_cml-debuginfo, p-cpe:/a:novell:opensuse:lighttpd-mod_geoip, p-cpe:/a:novell:opensuse:lighttpd-mod_geoip-debuginfo, p-cpe:/a:novell:opensuse:lighttpd-mod_magnet, p-cpe:/a:novell:opensuse:lighttpd-mod_magnet-debuginfo, p-cpe:/a:novell:opensuse:lighttpd-mod_mysql_vhost, p-cpe:/a:novell:opensuse:lighttpd-mod_mysql_vhost-debuginfo, p-cpe:/a:novell:opensuse:lighttpd-mod_rrdtool, p-cpe:/a:novell:opensuse:lighttpd-mod_rrdtool-debuginfo, p-cpe:/a:novell:opensuse:lighttpd-mod_trigger_b4_dl, p-cpe:/a:novell:opensuse:lighttpd-mod_trigger_b4_dl-debuginfo, p-cpe:/a:novell:opensuse:lighttpd-mod_webdav, p-cpe:/a:novell:opensuse:lighttpd-mod_webdav-debuginfo, cpe:/o:novell:opensuse:12.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 2/13/2012

Reference Information

CVE: CVE-2011-4362