Vulnerabilities > CVE-2008-1531 - Denial of Service vulnerability in Lighttpd SSL Error
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost.
Vulnerable Configurations
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2008-3343.NASL description This update fixes a bug where a user could kill another user last seen 2020-06-01 modified 2020-06-02 plugin id 32094 published 2008-05-01 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32094 title Fedora 7 : lighttpd-1.4.19-4.fc7 (2008-3343) NASL family SuSE Local Security Checks NASL id SUSE_LIGHTTPD-5216.NASL description An error in one SSL connection could lead to termination of all SSL connections (CVE-2008-1531) last seen 2020-06-01 modified 2020-06-02 plugin id 32129 published 2008-05-02 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32129 title openSUSE 10 Security Update : lighttpd (lighttpd-5216) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_1AC77649090811DD974D000FEA2763CE.NASL description Secunia reports : A vulnerability has been reported in lighttpd, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to lighttpd not properly clearing the OpenSSL error queue. This can be exploited to close concurrent SSL connections of lighttpd by terminating one SSL connection. last seen 2020-06-01 modified 2020-06-02 plugin id 31953 published 2008-04-17 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31953 title FreeBSD : lighttpd -- OpenSSL Error Queue Denial of Service Vulnerability (1ac77649-0908-11dd-974d-000fea2763ce) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200804-08.NASL description The remote host is affected by the vulnerability described in GLSA-200804-08 (lighttpd: Multiple vulnerabilities) Julien Cayzax discovered that an insecure default setting exists in mod_userdir in lighttpd. When userdir.path is not set the default value used is $HOME. It should be noted that the last seen 2020-06-01 modified 2020-06-02 plugin id 31955 published 2008-04-17 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31955 title GLSA-200804-08 : lighttpd: Multiple vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2008-3376.NASL description This update fixes a bug where a user could kill another user last seen 2020-06-01 modified 2020-06-02 plugin id 32100 published 2008-05-01 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32100 title Fedora 8 : lighttpd-1.4.19-4.fc8 (2008-3376) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1540.NASL description It was discovered that lighttpd, a fast webserver with minimal memory footprint, didn last seen 2020-06-01 modified 2020-06-02 plugin id 31810 published 2008-04-11 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31810 title Debian DSA-1540-1 : lighttpd - denial of service NASL family Web Servers NASL id LIGHTTPD_1_4_20.NASL description According to its banner, the version of lighttpd running on the remote host is prior to 1.4.20. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists in the connection_state_machine() function that is triggered when disconnecting before a download has finished. An unauthenticated, remote attacker can exploit this to cause all active SSL connections to be lost. (CVE-2008-1531) - A memory leak flaw exists in the http_request_parse() function. An unauthenticated, remote attacker can exploit this, via a large number of requests with duplicate request headers, to cause a denial of service condition. (CVE-2008-4298) - A security bypass vulnerability exists due to comparing URIs to patterns in url.redirect and url.rewrite configuration settings before performing URL decoding. An unauthenticated, remote attacker can exploit this to bypass intended access restrictions, resulting in the disclosure or modification of sensitive data. (CVE-2008-4359) - A security bypass vulnerability exists in mod_userdir due to performing case-sensitive comparisons even on case-insensitive operating systems and file systems. An unauthenticated, remote attacker can exploit this to bypass intended access restrictions, resulting in the disclosure of sensitive information. (CVE-2008-4360) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 34332 published 2008-10-03 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34332 title lighttpd < 1.4.20 Multiple Vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2008-4119.NASL description This update fixes a bug where a user could kill another user last seen 2020-06-01 modified 2020-06-02 plugin id 32386 published 2008-05-20 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32386 title Fedora 9 : lighttpd-1.4.19-4.fc9 (2008-4119)
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 28489 CVE(CAN) ID: CVE-2008-1531 Lighttpd是一款轻型的开放源码Web Server软件包。 lighttpd没有正确地清除OpenSSL错误队列,如果远程攻击者可以触发SSL错误的话,如在下载结束前断开连接,lighttpd就可能断开所有活动的SSL连接。 LightTPD 1.4.19 厂商补丁: Debian ------ Debian已经为此发布了一个安全公告(DSA-1540-2)以及相应补丁: DSA-1540-2:New lighttpd packages fix denial of service 链接:<a href=http://www.debian.org/security/2008/dsa-1540 target=_blank>http://www.debian.org/security/2008/dsa-1540</a> 补丁下载: Source archives: <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8.diff.gz target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8.diff.gz</a> Size/MD5 checksum: 37420 89efdab79fcbac119000a64cab648fcd <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz</a> Size/MD5 checksum: 793309 3a64323b8482b0e8a6246dbfdb4c39dc <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8.dsc target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8.dsc</a> Size/MD5 checksum: 1098 87a04c4e704dd7921791bc44407b5e0e Architecture independent packages: <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch8_all.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch8_all.deb</a> Size/MD5 checksum: 99618 ae68b64b7c0df0f0b3a9d19b87e7c40a amd64 architecture (AMD x86_64 (AMD64)) <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_amd64.deb</a> Size/MD5 checksum: 297300 19f5b871d2a9a483e1ecdaa2325c45cb <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_amd64.deb</a> Size/MD5 checksum: 63586 750cf5f5d7671986b195366f2335c9cc <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_amd64.deb</a> Size/MD5 checksum: 63884 72ee2b52772010ae7c63a0a2b4761ff5 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_amd64.deb</a> Size/MD5 checksum: 59138 45672a1a3af65311693a3aee58be5566 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_amd64.deb</a> Size/MD5 checksum: 69890 b84d4ea8c9af282e2aeeb5c05847a95a <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_amd64.deb</a> Size/MD5 checksum: 60742 f48ef372b71be1b2683d03b411c7e7cf hppa architecture (HP PA RISC) <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_hppa.deb</a> Size/MD5 checksum: 59896 60a4e61e9b5e2bafbf53474d677b36bb <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_hppa.deb</a> Size/MD5 checksum: 323946 642f46921f99dfdf8e52ed3777847cbc <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_hppa.deb</a> Size/MD5 checksum: 61890 4feb260d9f611c26979872b49b09ebc1 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_hppa.deb</a> Size/MD5 checksum: 65000 2ce28ddd20bcd1bf407e14bae053537b <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_hppa.deb</a> Size/MD5 checksum: 72946 33c93c114c3807d63bb18a5a9b3f33b9 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_hppa.deb</a> Size/MD5 checksum: 65520 82a4460351af3d4c8b9d84ec831bd006 i386 architecture (Intel ia32) <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_i386.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_i386.deb</a> Size/MD5 checksum: 63884 96876134f02cf6b3c5079d5deecca7d9 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_i386.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_i386.deb</a> Size/MD5 checksum: 59086 f928fd96f37229e72661fa7140a0daa9 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_i386.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_i386.deb</a> Size/MD5 checksum: 289088 477ce333d4a1b9f506645ff22193191f <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_i386.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_i386.deb</a> Size/MD5 checksum: 70932 90cd2be30fb0f0e0ff97820e1b8c19f1 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_i386.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_i386.deb</a> Size/MD5 checksum: 63690 f5c320e1f272a52ec9354b27f5c36082 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_i386.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_i386.deb</a> Size/MD5 checksum: 60846 0f30b9acbc10ec2c648edf19b8e41178 ia64 architecture (Intel ia64) <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_ia64.deb</a> Size/MD5 checksum: 67508 8d853ada8818a91fa022e0dd52c19edf <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_ia64.deb</a> Size/MD5 checksum: 63054 22a7de81eb0ec31a95632eb555a888c1 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_ia64.deb</a> Size/MD5 checksum: 77062 04cffb6683e4a3c92f5f48e8d2df5dd8 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_ia64.deb</a> Size/MD5 checksum: 67366 0f9272c16ab8cf4e75129f5a3eaa5d71 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_ia64.deb</a> Size/MD5 checksum: 403358 aefa2c83a3baf3ee9ae8ba1c6629e22e <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_ia64.deb</a> Size/MD5 checksum: 61176 ea0d6334ab0904bddbbe9cf90a72ba9e mips architecture (MIPS (Big Endian)) <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_mips.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_mips.deb</a> Size/MD5 checksum: 62658 8799ed08b706281b21814f559f858be9 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_mips.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_mips.deb</a> Size/MD5 checksum: 58572 7520f8302f2e0cb1ceed528d01c1aea7 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_mips.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_mips.deb</a> Size/MD5 checksum: 62526 c75ac1e607ebcbc95ed03e8adb088dec <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_mips.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_mips.deb</a> Size/MD5 checksum: 296088 f05c1b65de0bb165c1fa8ef749c1f60c <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_mips.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_mips.deb</a> Size/MD5 checksum: 59960 76b2266c789cad50fae1d751cc2be88c <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_mips.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_mips.deb</a> Size/MD5 checksum: 69236 61394a59d58c8f5f5c721a4085fee51e mipsel architecture (MIPS (Little Endian)) <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_mipsel.deb</a> Size/MD5 checksum: 59282 56363403b07fd8bb4ec4628c4607cd8b <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_mipsel.deb</a> Size/MD5 checksum: 63368 f8378c36175b9b3f87f038f45cad5e4d <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_mipsel.deb</a> Size/MD5 checksum: 70020 e7b073ea24c3de3404f69ad8dbdd43df <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_mipsel.deb</a> Size/MD5 checksum: 60762 cdb8770285645d0ea048b02fb866f63a <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_mipsel.deb</a> Size/MD5 checksum: 63542 c5a4b5467b6917a7065e1ef6a57fd3a2 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_mipsel.deb</a> Size/MD5 checksum: 297260 1d3b8cac9795b18e231e5f99a25d9f3b powerpc architecture (PowerPC) <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_powerpc.deb</a> Size/MD5 checksum: 71762 4465577bc817611ca87c7f21bc0d2642 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_powerpc.deb</a> Size/MD5 checksum: 65390 ac39f8d16559e8a4e8bd09a274c58895 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_powerpc.deb</a> Size/MD5 checksum: 65114 844e63058ca4968673e652684c37c309 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_powerpc.deb</a> Size/MD5 checksum: 323818 11066e5afd416b95a825212056d6d493 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_powerpc.deb</a> Size/MD5 checksum: 62462 4eeb054f0838cd87f8ff21b798dd1110 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_powerpc.deb</a> Size/MD5 checksum: 60644 0b547baa6b634ee3e606f58a1b503f26 s390 architecture (IBM S/390) <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_s390.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_s390.deb</a> Size/MD5 checksum: 307236 828090c5177429f28bdfcdc653aff701 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_s390.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_s390.deb</a> Size/MD5 checksum: 64244 df43829d7d3a6cb956444e6c4123af6f <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_s390.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_s390.deb</a> Size/MD5 checksum: 59580 f2d8a504078229d6a9c90ca2312736f2 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_s390.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_s390.deb</a> Size/MD5 checksum: 61082 c73356530cb3936b5eaf0fa09b941bff <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_s390.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_s390.deb</a> Size/MD5 checksum: 71368 15a98ad24b35b3a4461748b31d2408a7 <a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_s390.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_s390.deb</a> Size/MD5 checksum: 64632 2e037627c148aaa336465a89f9b6cc99 补丁安装方法: 1. 手工安装补丁包: 首先,使用下面的命令来下载补丁软件: # wget url (url是补丁下载链接地址) 然后,使用下面的命令来安装补丁: # dpkg -i file.deb (file是相应的补丁名) 2. 使用apt-get自动安装补丁包: 首先,使用下面的命令更新内部数据库: # apt-get update 然后,使用下面的命令安装更新软件包: # apt-get upgrade Gentoo ------ Gentoo已经为此发布了一个安全公告(GLSA-200804-08)以及相应补丁: GLSA-200804-08:lighttpd: Multiple vulnerabilities 链接:<a href=http://security.gentoo.org/glsa/glsa-200804-08.xml target=_blank>http://security.gentoo.org/glsa/glsa-200804-08.xml</a> 所有lighttpd用户都应升级到最新版本: # emerge --sync # emerge --ask --oneshot --verbose ">=3Dwww-servers/lighttpd-1.4.19-r=2" LightTPD -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://trac.lighttpd.net/trac/changeset/2136 target=_blank>http://trac.lighttpd.net/trac/changeset/2136</a> <a href=http://trac.lighttpd.net/trac/changeset/2139 target=_blank>http://trac.lighttpd.net/trac/changeset/2139</a> |
| id | SSV:3182 |
| last seen | 2017-11-19 |
| modified | 2008-04-17 |
| published | 2008-04-17 |
| reporter | Root |
| title | Lighttpd SSL错误拒绝服务漏洞 |
References
- http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html
- http://secunia.com/advisories/29505
- http://secunia.com/advisories/29544
- http://secunia.com/advisories/29636
- http://secunia.com/advisories/29649
- http://secunia.com/advisories/30023
- http://security.gentoo.org/glsa/glsa-200804-08.xml
- http://trac.lighttpd.net/trac/changeset/2136
- http://trac.lighttpd.net/trac/changeset/2139
- http://trac.lighttpd.net/trac/changeset/2140
- http://trac.lighttpd.net/trac/ticket/285#comment:18
- http://trac.lighttpd.net/trac/ticket/285#comment:21
- http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0132
- http://www.debian.org/security/2008/dsa-1540
- http://www.osvdb.org/43788
- http://www.securityfocus.com/archive/1/490323/100/0/threaded
- http://www.securityfocus.com/bid/28489
- http://www.vupen.com/english/advisories/2008/1063/references
- https://bugs.gentoo.org/show_bug.cgi?id=214892
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41545
- https://issues.rpath.com/browse/RPL-2407
- https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00562.html
- https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00587.html