FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  369686
Date:      2014-10-01
Time:      03:40:03Z
Committer: bdrewery

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
1a3bd81f-1b25-11df-bd1a-002170daae37lighttpd -- denial of service vulnerability

Lighttpd security advisory reports:

If you send the request data very slow (e.g. sleep 0.01 after each byte), lighttpd will easily use all available memory and die (especially for parallel requests), allowing a DoS within minutes.


Discovery 2010-02-02
Entry 2010-02-16
lighttpd
lt 1.4.26

38036
CVE-2010-0295
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt
fb911e31-8ceb-11dd-bb29-000c6e274733lighttpd -- multiple vulnerabilities

Lighttpd seurity annoucement:

lighttpd 1.4.19, and possibly other versions before 1.5.0, does not decode the url before matching against rewrite and redirect patterns, which allows attackers to bypass rewrites rules. this can be a security problem in certain configurations if these rules are used to hide certain urls.

lighttpd 1.4.19, and possibly other versions before 1.5.0, does not lowercase the filename after generating it from the url in mod_userdir on case insensitive (file)systems.

As other modules are case sensitive, this may lead to information disclosure; for example if one configured php to handle files ending on ".php", an attacker will get the php source with http://example.com/~user/file.PHP

lighttpd 1.4.19 does not always release a header if it triggered a 400 (Bad Request) due to a duplicate header.


Discovery 2008-09-26
Entry 2008-09-27
Modified 2009-02-22
lighttpd
lt 1.4.19_3

31434
CVE-2008-4298
CVE-2008-4359
CVE-2008-4360
http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt
http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
c6521b04-314b-11e1-9cf4-5404a67eef98lighttpd -- remote DoS in HTTP authentication

US-CERT/NIST reports:

Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.


Discovery 2011-11-29
Entry 2011-12-28
lighttpd
lt 1.4.30

CVE-2011-4362
1a3bd81f-1b25-11df-bd1a-002170daae37lighttpd -- denial of service vulnerability

Lighttpd security advisory reports:

If you send the request data very slow (e.g. sleep 0.01 after each byte), lighttpd will easily use all available memory and die (especially for parallel requests), allowing a DoS within minutes.


Discovery 2010-02-02
Entry 2010-02-16
lighttpd
lt 1.4.26

38036
CVE-2010-0295
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt
c6521b04-314b-11e1-9cf4-5404a67eef98lighttpd -- remote DoS in HTTP authentication

US-CERT/NIST reports:

Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.


Discovery 2011-11-29
Entry 2011-12-28
lighttpd
lt 1.4.30

CVE-2011-4362
fb911e31-8ceb-11dd-bb29-000c6e274733lighttpd -- multiple vulnerabilities

Lighttpd seurity annoucement:

lighttpd 1.4.19, and possibly other versions before 1.5.0, does not decode the url before matching against rewrite and redirect patterns, which allows attackers to bypass rewrites rules. this can be a security problem in certain configurations if these rules are used to hide certain urls.

lighttpd 1.4.19, and possibly other versions before 1.5.0, does not lowercase the filename after generating it from the url in mod_userdir on case insensitive (file)systems.

As other modules are case sensitive, this may lead to information disclosure; for example if one configured php to handle files ending on ".php", an attacker will get the php source with http://example.com/~user/file.PHP

lighttpd 1.4.19 does not always release a header if it triggered a 400 (Bad Request) due to a duplicate header.


Discovery 2008-09-26
Entry 2008-09-27
Modified 2009-02-22
lighttpd
lt 1.4.19_3

31434
CVE-2008-4298
CVE-2008-4359
CVE-2008-4360
http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt
http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt