lighttpd security update
FTP access is not possible from a web browser.
Document number : 1204813265
Updated : 2008.03.06
Details
lighttpd 1.4.18-6 security update
. CVE-2008-1111
When mod_cgi running on lighttpd is unable to fork anymore (for instance if
ulimit is reached) lighty sends the full source of the cgi script. This is
rather serious and affects all users of mod_cgi. The patch (found at lighttpd's
subversion repository) returns a 500 response instead.
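
A simplified model of the failure mode described above, as an added example that is not lighttpd's code or the patch itself. It assumes the request falls through to a static-file handler when fork() fails; all names (`serve`, `cgi_handler`, `static_handler`, `fork_exhausted`) and the sample script are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a CGI script's source on disk. */
static const char SCRIPT_SRC[] = "#!/bin/sh\nDB_PASS=example\necho ok\n";

struct response { int status; char body[128]; };
typedef pid_t (*fork_fn)(void);

/* Simulates fork() failing because a process limit (ulimit) was reached. */
static pid_t fork_exhausted(void) { errno = EAGAIN; return -1; }

/* Returns 1 if the request was finished, 0 to let the next handler run. */
static int cgi_handler(struct response *r, fork_fn do_fork, int fail_closed) {
    pid_t pid = do_fork();
    if (pid < 0) {
        if (!fail_closed) return 0;   /* flawed: request stays unhandled */
        r->status = 500;              /* fixed: finish with an error response */
        r->body[0] = '\0';
        return 1;
    }
    if (pid == 0) _exit(0);           /* child: a real server would exec the script */
    waitpid(pid, NULL, 0);
    r->status = 200;
    strcpy(r->body, "ok\n");          /* stands in for the script's output */
    return 1;
}

/* Static-file handler: sends the file's bytes exactly as stored. */
static void static_handler(struct response *r) {
    r->status = 200;
    strcpy(r->body, SCRIPT_SRC);
}

/* Runs the handler chain and returns the response a client would receive. */
struct response serve(fork_fn do_fork, int fail_closed) {
    struct response r = {0, ""};
    if (!cgi_handler(&r, do_fork, fail_closed)) static_handler(&r);
    return r;
}

int main(void) {
    struct response a = serve(fork_exhausted, 0), b = serve(fork_exhausted, 1);
    printf("fall-through: %d leaked=%d\n", a.status, strstr(a.body, "DB_PASS") != NULL);
    printf("fail-closed:  %d leaked=%d\n", b.status, strstr(b.body, "DB_PASS") != NULL);
    return 0;
}
```
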
Changes in this update
- remove broken workaround for buggy Opera version with ssl/chunked encoding (#285)
- prevent crash in certain php-fcgi configurations (#841)
- remove compress cache file if compression or write failed (#1150)
- generate etag/last-modified header for on-the-fly-compressed files (#1171)
- req-method OPTIONS: do not insert default response if request was denied, do not
deny OPTIONS by default (#1324)
- fixed initgroups() called after chroot (#1384)
- do not suppress content on "307 Temporary Redirect" (#1412)
- fixed Content-Length header if response body gets removed in connections.c (#1412, part 2)
- execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428)
- reset conditional cache (#1164)
- do not add Accept-Ranges header if range-request is disabled (#1449)
- fixed case-sensitive check for Auth-Method (#1456)
- fixed a bug that made /-prefixed extensions being handled also when
matching the end of the uri in fcgi,scgi and proxy modules (#1489)
- log the ip of failed auth tries in error.log (enhancement #1544)
- fixed out of range access in fd array (#1562, #372)
- check for symlinks after successful pathinfo matching (#1574)
- spawn-fcgi: only try to connect to unix socket (not tcp) before spawning (#1575)
- fix min-procs handling in mod_scgi.c, just set to max-procs (patch from #623)
Autoupdates support : use the Packages System
pkgadd -F lighttpd
Update packages
RPMS :
. lighttpd-1.4.18-6.i686.rpm
SRPMS :
. lighttpd-1.4.18-6.src.rpm
References :
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1111
https://bugs.gentoo.org/show_bug.cgi?id=211956
http://trac.lighttpd.net/trac/changeset/2107