lighttpd

• Author: vmiklos
• Vulnerable: 1.4.18-2
• Unaffected: 1.4.19-1kalgan1

Some security issues have been reported in lighttpd, which can be exploited by malicious people to disclose potentially sensitive information.

1. A security issue is caused due to an error in mod_cgi, which can lead to the disclosure of source code when lighttpd is unable to fork.
2. A security issue is caused due to the mod_userdir module using “$HOME” by default if no userdir.path is set. This can be exploited to disclose the content of arbitrary files on certain systems via e.g. the “nobody” user.

• Bug Tracker URL: http://bugs.frugalware.org/task/2844

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1111
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1270