Lighttpd SSL错误拒绝服务漏洞

基本字段

漏洞编号:
SSV-3182
披露/发现时间:
未知
提交时间:
2008-04-17
漏洞等级:
漏洞类别:
拒绝服务
影响组件:
lighttpd
(1.4.19)
漏洞作者:
未知
提交者:
Knownsec
CVE-ID:
补充
CNNVD-ID:
补充
CNVD-ID:
补充
ZoomEye Dork:
补充

来源

漏洞详情

贡献者 Knownsec 共获得  0KB

BUGTRAQ ID: 28489 CVE(CAN) ID: CVE-2008-1531

Lighttpd是一款轻型的开放源码Web Server软件包。

lighttpd没有正确地清除OpenSSL错误队列,如果远程攻击者可以触发SSL错误的话,如在下载结束前断开连接,lighttpd就可能断开所有活动的SSL连接。

LightTPD 1.4.19 厂商补丁:

Debian

Debian已经为此发布了一个安全公告(DSA-1540-2)以及相应补丁: DSA-1540-2:New lighttpd packages fix denial of service 链接:http://www.debian.org/security/2008/dsa-1540

补丁下载:

Source archives:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8.diff.gz Size/MD5 checksum: 37420 89efdab79fcbac119000a64cab648fcd http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz Size/MD5 checksum: 793309 3a64323b8482b0e8a6246dbfdb4c39dc http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8.dsc Size/MD5 checksum: 1098 87a04c4e704dd7921791bc44407b5e0e

Architecture independent packages:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch8_all.deb Size/MD5 checksum: 99618 ae68b64b7c0df0f0b3a9d19b87e7c40a

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_amd64.deb Size/MD5 checksum: 297300 19f5b871d2a9a483e1ecdaa2325c45cb http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_amd64.deb Size/MD5 checksum: 63586 750cf5f5d7671986b195366f2335c9cc http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_amd64.deb Size/MD5 checksum: 63884 72ee2b52772010ae7c63a0a2b4761ff5 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_amd64.deb Size/MD5 checksum: 59138 45672a1a3af65311693a3aee58be5566 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_amd64.deb Size/MD5 checksum: 69890 b84d4ea8c9af282e2aeeb5c05847a95a http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_amd64.deb Size/MD5 checksum: 60742 f48ef372b71be1b2683d03b411c7e7cf

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_hppa.deb Size/MD5 checksum: 59896 60a4e61e9b5e2bafbf53474d677b36bb http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_hppa.deb Size/MD5 checksum: 323946 642f46921f99dfdf8e52ed3777847cbc http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_hppa.deb Size/MD5 checksum: 61890 4feb260d9f611c26979872b49b09ebc1 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_hppa.deb Size/MD5 checksum: 65000 2ce28ddd20bcd1bf407e14bae053537b http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_hppa.deb Size/MD5 checksum: 72946 33c93c114c3807d63bb18a5a9b3f33b9 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_hppa.deb Size/MD5 checksum: 65520 82a4460351af3d4c8b9d84ec831bd006

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_i386.deb Size/MD5 checksum: 63884 96876134f02cf6b3c5079d5deecca7d9 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_i386.deb Size/MD5 checksum: 59086 f928fd96f37229e72661fa7140a0daa9 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_i386.deb Size/MD5 checksum: 289088 477ce333d4a1b9f506645ff22193191f http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_i386.deb Size/MD5 checksum: 70932 90cd2be30fb0f0e0ff97820e1b8c19f1 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_i386.deb Size/MD5 checksum: 63690 f5c320e1f272a52ec9354b27f5c36082 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_i386.deb Size/MD5 checksum: 60846 0f30b9acbc10ec2c648edf19b8e41178

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_ia64.deb Size/MD5 checksum: 67508 8d853ada8818a91fa022e0dd52c19edf http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_ia64.deb Size/MD5 checksum: 63054 22a7de81eb0ec31a95632eb555a888c1 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_ia64.deb Size/MD5 checksum: 77062 04cffb6683e4a3c92f5f48e8d2df5dd8 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_ia64.deb Size/MD5 checksum: 67366 0f9272c16ab8cf4e75129f5a3eaa5d71 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_ia64.deb Size/MD5 checksum: 403358 aefa2c83a3baf3ee9ae8ba1c6629e22e http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_ia64.deb Size/MD5 checksum: 61176 ea0d6334ab0904bddbbe9cf90a72ba9e

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_mips.deb Size/MD5 checksum: 62658 8799ed08b706281b21814f559f858be9 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_mips.deb Size/MD5 checksum: 58572 7520f8302f2e0cb1ceed528d01c1aea7 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_mips.deb Size/MD5 checksum: 62526 c75ac1e607ebcbc95ed03e8adb088dec http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_mips.deb Size/MD5 checksum: 296088 f05c1b65de0bb165c1fa8ef749c1f60c http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_mips.deb Size/MD5 checksum: 59960 76b2266c789cad50fae1d751cc2be88c http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_mips.deb Size/MD5 checksum: 69236 61394a59d58c8f5f5c721a4085fee51e

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_mipsel.deb Size/MD5 checksum: 59282 56363403b07fd8bb4ec4628c4607cd8b http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_mipsel.deb Size/MD5 checksum: 63368 f8378c36175b9b3f87f038f45cad5e4d http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_mipsel.deb Size/MD5 checksum: 70020 e7b073ea24c3de3404f69ad8dbdd43df http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_mipsel.deb Size/MD5 checksum: 60762 cdb8770285645d0ea048b02fb866f63a http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_mipsel.deb Size/MD5 checksum: 63542 c5a4b5467b6917a7065e1ef6a57fd3a2 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_mipsel.deb Size/MD5 checksum: 297260 1d3b8cac9795b18e231e5f99a25d9f3b

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_powerpc.deb Size/MD5 checksum: 71762 4465577bc817611ca87c7f21bc0d2642 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_powerpc.deb Size/MD5 checksum: 65390 ac39f8d16559e8a4e8bd09a274c58895 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_powerpc.deb Size/MD5 checksum: 65114 844e63058ca4968673e652684c37c309 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_powerpc.deb Size/MD5 checksum: 323818 11066e5afd416b95a825212056d6d493 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_powerpc.deb Size/MD5 checksum: 62462 4eeb054f0838cd87f8ff21b798dd1110 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_powerpc.deb Size/MD5 checksum: 60644 0b547baa6b634ee3e606f58a1b503f26

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_s390.deb Size/MD5 checksum: 307236 828090c5177429f28bdfcdc653aff701 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_s390.deb Size/MD5 checksum: 64244 df43829d7d3a6cb956444e6c4123af6f http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_s390.deb Size/MD5 checksum: 59580 f2d8a504078229d6a9c90ca2312736f2 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_s390.deb Size/MD5 checksum: 61082 c73356530cb3936b5eaf0fa09b941bff http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_s390.deb Size/MD5 checksum: 71368 15a98ad24b35b3a4461748b31d2408a7 http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_s390.deb Size/MD5 checksum: 64632 2e037627c148aaa336465a89f9b6cc99

补丁安装方法:

  1. 手工安装补丁包:

    首先,使用下面的命令来下载补丁软件:

    wget url (url是补丁下载链接地址)

    然后,使用下面的命令来安装补丁:

    dpkg -i file.deb (file是相应的补丁名)

  2. 使用apt-get自动安装补丁包:

    首先,使用下面的命令更新内部数据库:

    apt-get update

    然后,使用下面的命令安装更新软件包:

    apt-get upgrade

Gentoo

Gentoo已经为此发布了一个安全公告(GLSA-200804-08)以及相应补丁: GLSA-200804-08:lighttpd: Multiple vulnerabilities 链接:http://security.gentoo.org/glsa/glsa-200804-08.xml

所有lighttpd用户都应升级到最新版本:

# emerge --sync
# emerge --ask --oneshot --verbose ">=3Dwww-servers/lighttpd-1.4.19-r=2"

LightTPD

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://trac.lighttpd.net/trac/changeset/2136 http://trac.lighttpd.net/trac/changeset/2139

共 0  兑换了

PoC

暂无 PoC

参考链接

解决方案

临时解决方案

官方解决方案

升级到最新无漏洞版本

防护方案

人气 1102
评论前需绑定手机 现在绑定

暂无评论

※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负