lighttpd security patch preview
lighttpd is affected by a fairly significant security bug and is still vulnerable in the Ubuntu repositories.
mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.
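An added example, not part of the original post or of lighttpd itself: a small Python check that flags a lighttpd configuration which loads mod_userdir without setting userdir.path, the condition described above. The sample configurations are constructed, and the extra check for userdir.exclude-user / userdir.include-user is a hardening suggestion that goes beyond what the post covers.

```python
import re

# Constructed sample configurations (not taken from the original post).
VULNERABLE_CONF = '''
server.modules = (
    "mod_access",
    "mod_userdir",   # enabled, but userdir.path is never set
)
# userdir.path = "public_html"
'''

HARDENED_CONF = '''
server.modules = ( "mod_access", "mod_userdir" )
userdir.path = "public_html"
userdir.exclude-user = ( "root", "nobody" )
'''

def strip_comments(text):
    """Drop '#' comments, leaving '#' inside double-quoted strings alone."""
    out = []
    for line in text.splitlines():
        in_str, kept = False, []
        for ch in line:
            if ch == '"':
                in_str = not in_str
            if ch == '#' and not in_str:
                break
            kept.append(ch)
        out.append(''.join(kept))
    return '\n'.join(out)

def audit_userdir(conf_text):
    """Return a list of findings about mod_userdir in a lighttpd config."""
    conf = strip_comments(conf_text)
    # mod_userdir may be listed with "=" or appended with "+=".
    loaded = any('"mod_userdir"' in body for body in
                 re.findall(r'server\.modules\s*\+?=\s*\((.*?)\)', conf, re.S))
    if not loaded:
        return []
    findings = []
    if re.search(r'userdir\.path\s*=\s*"[^"]*"', conf) is None:
        findings.append("mod_userdir loaded but userdir.path unset: "
                        "default is $HOME on lighttpd <= 1.4.18")
    if not re.search(r'userdir\.(exclude|include)-user\s*=', conf):
        findings.append("no userdir.exclude-user / userdir.include-user list")
    return findings
```

Calling audit_userdir() on the text of a lighttpd.conf returns an empty list when mod_userdir is not loaded or is configured with an explicit path and a user list.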
Hence a preview of the bug and my related debdiffs, which will be circulated to the mirrors:
lighttpd
Vulnerable versions:
- Hardy
- Gutsy
- Feisty
- Edgy
- Dapper
CVE
Related debdiffs: