lighttpd is affected by a fairly significant security bug and is still vulnerable in the Ubuntu repositories.
mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.
Here is a preview of the bug and my related debdiffs, which will be circulated to the mirrors:
lighttpd
Vulnerable versions:
- Hardy
- Gutsy
- Feisty
- Edgy
- Dapper
CVE
Related debdiffs:
- hardy_lighttpd_1.4.18-1ubuntu6.debdiff (uploaded in hardy)
- gutsy_lighttpd_1.4.18-1ubuntu1.3.debdiff
- feisty_lighttpd_1.4.13-9ubuntu4.5.debdiff
- edgy_lighttpd_1.4.13~r1370-1ubuntu1.6.debdiff
- dapper_lighttpd_1.4.11-3ubuntu3.8.debdiff
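The condition named in the description above (mod_userdir loaded while userdir.path is not set) can be checked for in a configuration file. The following is an added example, not part of the original post or of the debdiffs; the function names and the sample configurations are constructed for illustration, and the check is a line-based approximation of lighttpd's config syntax.

```python
import re

MODULE_RE = re.compile(r'"mod_userdir"')              # entry in a server.modules list
PATH_RE = re.compile(r'^\s*userdir\.path\s*=\s*"([^"]*)"')  # userdir.path = "..."


def strip_comment(line):
    """Drop a trailing # comment, ignoring # inside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def audit_userdir(config_text):
    """Classify one lighttpd config text: 'not-loaded', 'ok' or 'exposed'."""
    loaded = path_set = False
    for raw in config_text.splitlines():
        line = strip_comment(raw)
        if MODULE_RE.search(line):
            loaded = True
        m = PATH_RE.match(line)
        # Assumption: an empty value is treated like an unset one (conservative).
        if m and m.group(1):
            path_set = True
    if not loaded:
        return "not-loaded"
    return "ok" if path_set else "exposed"


# Constructed sample configurations (not taken from the Ubuntu packages).
SAMPLE_EXPOSED = '''
server.modules = (
    "mod_access",
    "mod_userdir",   # per-user directories enabled
)
server.document-root = "/var/www"
# userdir.path = "public_html"
'''
SAMPLE_FIXED = SAMPLE_EXPOSED.replace('# userdir.path', 'userdir.path')
SAMPLE_OFF = 'server.modules = ( "mod_access" )\n'

if __name__ == "__main__":
    for name, text in [("exposed", SAMPLE_EXPOSED), ("fixed", SAMPLE_FIXED), ("off", SAMPLE_OFF)]:
        print(name, "->", audit_userdir(text))
```

Include files are not followed, so pass the concatenation of the main configuration file and everything it includes.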
