BUGTRAQ ID: 28489
CVE(CAN) ID: CVE-2008-1531
Lighttpd是一款轻型的开放源码Web Server软件包。
lighttpd没有正确地清除OpenSSL错误队列,如果远程攻击者可以触发SSL错误的话,如在下载结束前断开连接,lighttpd就可能断开所有活动的SSL连接。
LightTPD 1.4.19
厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-1540-2)以及相应补丁:
DSA-1540-2:New lighttpd packages fix denial of service
链接:<a href=http://www.debian.org/security/2008/dsa-1540 target=_blank>http://www.debian.org/security/2008/dsa-1540</a>
补丁下载:
Source archives:
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8.diff.gz target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8.diff.gz</a>
Size/MD5 checksum: 37420 89efdab79fcbac119000a64cab648fcd
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz</a>
Size/MD5 checksum: 793309 3a64323b8482b0e8a6246dbfdb4c39dc
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8.dsc target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8.dsc</a>
Size/MD5 checksum: 1098 87a04c4e704dd7921791bc44407b5e0e
Architecture independent packages:
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch8_all.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch8_all.deb</a>
Size/MD5 checksum: 99618 ae68b64b7c0df0f0b3a9d19b87e7c40a
amd64 architecture (AMD x86_64 (AMD64))
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_amd64.deb</a>
Size/MD5 checksum: 297300 19f5b871d2a9a483e1ecdaa2325c45cb
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_amd64.deb</a>
Size/MD5 checksum: 63586 750cf5f5d7671986b195366f2335c9cc
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_amd64.deb</a>
Size/MD5 checksum: 63884 72ee2b52772010ae7c63a0a2b4761ff5
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_amd64.deb</a>
Size/MD5 checksum: 59138 45672a1a3af65311693a3aee58be5566
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_amd64.deb</a>
Size/MD5 checksum: 69890 b84d4ea8c9af282e2aeeb5c05847a95a
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_amd64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_amd64.deb</a>
Size/MD5 checksum: 60742 f48ef372b71be1b2683d03b411c7e7cf
hppa architecture (HP PA RISC)
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_hppa.deb</a>
Size/MD5 checksum: 59896 60a4e61e9b5e2bafbf53474d677b36bb
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_hppa.deb</a>
Size/MD5 checksum: 323946 642f46921f99dfdf8e52ed3777847cbc
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_hppa.deb</a>
Size/MD5 checksum: 61890 4feb260d9f611c26979872b49b09ebc1
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_hppa.deb</a>
Size/MD5 checksum: 65000 2ce28ddd20bcd1bf407e14bae053537b
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_hppa.deb</a>
Size/MD5 checksum: 72946 33c93c114c3807d63bb18a5a9b3f33b9
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_hppa.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_hppa.deb</a>
Size/MD5 checksum: 65520 82a4460351af3d4c8b9d84ec831bd006
i386 architecture (Intel ia32)
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_i386.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_i386.deb</a>
Size/MD5 checksum: 63884 96876134f02cf6b3c5079d5deecca7d9
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_i386.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_i386.deb</a>
Size/MD5 checksum: 59086 f928fd96f37229e72661fa7140a0daa9
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_i386.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_i386.deb</a>
Size/MD5 checksum: 289088 477ce333d4a1b9f506645ff22193191f
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_i386.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_i386.deb</a>
Size/MD5 checksum: 70932 90cd2be30fb0f0e0ff97820e1b8c19f1
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_i386.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_i386.deb</a>
Size/MD5 checksum: 63690 f5c320e1f272a52ec9354b27f5c36082
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_i386.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_i386.deb</a>
Size/MD5 checksum: 60846 0f30b9acbc10ec2c648edf19b8e41178
ia64 architecture (Intel ia64)
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_ia64.deb</a>
Size/MD5 checksum: 67508 8d853ada8818a91fa022e0dd52c19edf
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_ia64.deb</a>
Size/MD5 checksum: 63054 22a7de81eb0ec31a95632eb555a888c1
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_ia64.deb</a>
Size/MD5 checksum: 77062 04cffb6683e4a3c92f5f48e8d2df5dd8
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_ia64.deb</a>
Size/MD5 checksum: 67366 0f9272c16ab8cf4e75129f5a3eaa5d71
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_ia64.deb</a>
Size/MD5 checksum: 403358 aefa2c83a3baf3ee9ae8ba1c6629e22e
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_ia64.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_ia64.deb</a>
Size/MD5 checksum: 61176 ea0d6334ab0904bddbbe9cf90a72ba9e
mips architecture (MIPS (Big Endian))
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_mips.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_mips.deb</a>
Size/MD5 checksum: 62658 8799ed08b706281b21814f559f858be9
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_mips.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_mips.deb</a>
Size/MD5 checksum: 58572 7520f8302f2e0cb1ceed528d01c1aea7
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_mips.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_mips.deb</a>
Size/MD5 checksum: 62526 c75ac1e607ebcbc95ed03e8adb088dec
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_mips.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_mips.deb</a>
Size/MD5 checksum: 296088 f05c1b65de0bb165c1fa8ef749c1f60c
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_mips.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_mips.deb</a>
Size/MD5 checksum: 59960 76b2266c789cad50fae1d751cc2be88c
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_mips.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_mips.deb</a>
Size/MD5 checksum: 69236 61394a59d58c8f5f5c721a4085fee51e
mipsel architecture (MIPS (Little Endian))
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_mipsel.deb</a>
Size/MD5 checksum: 59282 56363403b07fd8bb4ec4628c4607cd8b
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_mipsel.deb</a>
Size/MD5 checksum: 63368 f8378c36175b9b3f87f038f45cad5e4d
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_mipsel.deb</a>
Size/MD5 checksum: 70020 e7b073ea24c3de3404f69ad8dbdd43df
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_mipsel.deb</a>
Size/MD5 checksum: 60762 cdb8770285645d0ea048b02fb866f63a
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_mipsel.deb</a>
Size/MD5 checksum: 63542 c5a4b5467b6917a7065e1ef6a57fd3a2
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_mipsel.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_mipsel.deb</a>
Size/MD5 checksum: 297260 1d3b8cac9795b18e231e5f99a25d9f3b
powerpc architecture (PowerPC)
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_powerpc.deb</a>
Size/MD5 checksum: 71762 4465577bc817611ca87c7f21bc0d2642
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_powerpc.deb</a>
Size/MD5 checksum: 65390 ac39f8d16559e8a4e8bd09a274c58895
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_powerpc.deb</a>
Size/MD5 checksum: 65114 844e63058ca4968673e652684c37c309
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_powerpc.deb</a>
Size/MD5 checksum: 323818 11066e5afd416b95a825212056d6d493
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_powerpc.deb</a>
Size/MD5 checksum: 62462 4eeb054f0838cd87f8ff21b798dd1110
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_powerpc.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_powerpc.deb</a>
Size/MD5 checksum: 60644 0b547baa6b634ee3e606f58a1b503f26
s390 architecture (IBM S/390)
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_s390.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_s390.deb</a>
Size/MD5 checksum: 307236 828090c5177429f28bdfcdc653aff701
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_s390.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_s390.deb</a>
Size/MD5 checksum: 64244 df43829d7d3a6cb956444e6c4123af6f
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_s390.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_s390.deb</a>
Size/MD5 checksum: 59580 f2d8a504078229d6a9c90ca2312736f2
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_s390.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_s390.deb</a>
Size/MD5 checksum: 61082 c73356530cb3936b5eaf0fa09b941bff
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_s390.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_s390.deb</a>
Size/MD5 checksum: 71368 15a98ad24b35b3a4461748b31d2408a7
<a href=http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_s390.deb target=_blank>http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_s390.deb</a>
Size/MD5 checksum: 64632 2e037627c148aaa336465a89f9b6cc99
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
Gentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200804-08)以及相应补丁:
GLSA-200804-08:lighttpd: Multiple vulnerabilities
链接:<a href=http://security.gentoo.org/glsa/glsa-200804-08.xml target=_blank>http://security.gentoo.org/glsa/glsa-200804-08.xml</a>
所有lighttpd用户都应升级到最新版本:
# emerge --sync
# emerge --ask --oneshot --verbose ">=3Dwww-servers/lighttpd-1.4.19-r=2"
LightTPD
--------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
<a href=http://trac.lighttpd.net/trac/changeset/2136 target=_blank>http://trac.lighttpd.net/trac/changeset/2136</a>
<a href=http://trac.lighttpd.net/trac/changeset/2139 target=_blank>http://trac.lighttpd.net/trac/changeset/2139</a>
京公网安备 11010502034610号
暂无评论