[pkg-lighttpd] Bug#469307: lighttpd: CVE-2008-1111 reveals cgi source if the cgi handler fork fails

Nico Golde nion at debian.org
Tue Mar 4 15:25:34 UTC 2008

Package: lighttpd
Version: 1.4.13-4etch4
Severity: important
Tags: security patch

The following CVE (Common Vulnerabilities & Exposures) id was
published for lighttpd.

mod_cgi in lighttpd is going to send the source of a CGI
script if forking the CGI handler fails for some reason. It
should result in a 500 instead.
The default installation of Debian is not affected, as it
does not include the mod_cgi configuration, but this should
be fixed anyway.

You can find a patch for this on:

Note the CVE id is not yet available on the MITRE site, but
it will be soon, hopefully.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1111

Kind regards

Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
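
The fail-closed behaviour the report asks for (a 500 when the CGI handler cannot be forked), as an added example that is not part of the original mail and is not lighttpd's code. It is a simplified model with hypothetical names, and it assumes that a request the CGI stage leaves unhandled falls through to a static-file stage.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names; a simplified model, not lighttpd's code. */
typedef enum { HANDLER_GO_ON, HANDLER_FINISHED } handler_t;
typedef struct { int http_status; int sent_script_source; } request;
typedef pid_t (*fork_fn)(void);

/* Constructed failure: fork() refusing, e.g. at a process limit. */
static pid_t failing_fork(void) { errno = EAGAIN; return -1; }

/* Static-file stage: sends the file's bytes verbatim. */
static void static_file_stage(request *r) {
    r->http_status = 200;
    r->sent_script_source = 1;
}

/* CGI stage; fail_closed selects how a fork error is reported. */
static handler_t cgi_stage(request *r, fork_fn do_fork, int fail_closed) {
    pid_t pid = do_fork();
    if (pid == -1) {
        if (!fail_closed) return HANDLER_GO_ON;   /* weak: "not handled" */
        r->http_status = 500;                     /* hardened: error out */
        return HANDLER_FINISHED;
    }
    if (pid == 0) _exit(0);      /* child: a real server would exec here */
    waitpid(pid, NULL, 0);
    r->http_status = 200;
    return HANDLER_FINISHED;
}

/* Runs the CGI stage, then the static stage only if still unhandled. */
static request dispatch(fork_fn do_fork, int fail_closed) {
    request r = {0, 0};
    if (cgi_stage(&r, do_fork, fail_closed) == HANDLER_GO_ON)
        static_file_stage(&r);
    return r;
}

int main(void) {
    request weak = dispatch(failing_fork, 0), fixed = dispatch(failing_fork, 1);
    printf("fail-open:   status=%d source_sent=%d\n", weak.http_status, weak.sent_script_source);
    printf("fail-closed: status=%d source_sent=%d\n", fixed.http_status, fixed.sent_script_source);
    return 0;
}
```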