SUSE-SU-2017:0731-1

UNKNOWN

Security update for lighttpd

Published Mar 17, 2017

Modified 8 years ago

Fix available

Details

This update for lighttpd fixes the following issues:

Security issues fixed:

CVE-2016-1000212: Don't allow requests to set the HTTP_PROXY variable. As *CGI apps might pick it up and use it for outgoing requests. (bsc#990847)
CVE-2015-3200: Log injection via malformed base64 string in Authentication header. (bsc#932286)

Bug fixes:

Add su directive to logrotate file as the directory is owned by lighttpd. (bsc#981347)
Fix out of bounds read in mod_scgi.

Affected Packages

lighttpd

SUSE Linux Enterprise High Availability Extension 11 SP4SUSE Linux Enterprise Server for SAP Applications 11 SP4SUSE Linux Enterprise Software Development Kit 11 SP4

Fixed in:

1.4.20-2.58.1

lighttpd-mod_cml

SUSE Linux Enterprise Server for SAP Applications 11 SP4SUSE Linux Enterprise Software Development Kit 11 SP4

Fixed in:

1.4.20-2.58.1

lighttpd-mod_magnet

SUSE Linux Enterprise Server for SAP Applications 11 SP4SUSE Linux Enterprise Software Development Kit 11 SP4

Fixed in:

1.4.20-2.58.1

lighttpd-mod_mysql_vhost

SUSE Linux Enterprise Server for SAP Applications 11 SP4SUSE Linux Enterprise Software Development Kit 11 SP4