Several local/remote vulnerabilities have been discovered in lighttpd,
a fast webserver with minimal memory footprint.
The Common Vulnerabilities and Exposures project identifies the following
problems:
- CVE-2008-4298
A memory leak in the http_request_parse function could be used by
remote attackers to cause lighttpd to consume memory, resulting in a
denial of service.
- CVE-2008-4359
Inconsistent handling of URL patterns could lead to the disclosure
of resources a server administrator did not anticipate when using
rewritten URLs.
- CVE-2008-4360
On filesystems which don’t handle case-insensitive paths differently,
mod_userdir might make unanticipated resources available.
For the stable distribution (etch), these problems have been fixed in version
1.4.13-4etch11.
For the unstable distribution (sid), these problems will be fixed shortly.
We recommend that you upgrade your lighttpd package.