
Mageia alert MGASA-2015-0338 (lighttpd)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2015-0338: Updated lighttpd packages fix CVE-2015-3200 & other bugs
Date:  Tue, 8 Sep 2015 09:21:10 +0200
Message-ID:  <20150908072110.8EB8B48B1B@valstar.mageia.org>

MGASA-2015-0338 - Updated lighttpd packages fix CVE-2015-3200 & other bugs

Publication date: 08 Sep 2015
URL: http://advisories.mageia.org/MGASA-2015-0338.html
Type: security
Affected Mageia releases: 4, 5
CVE: CVE-2015-3200

Description:
Updated lighttpd packages fix security vulnerability:

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject
arbitrary log entries via a basic HTTP authentication string without a
colon character, as demonstrated by a string containing a NULL and new
line character (CVE-2015-3200).

The lighttpd package has been updated to version 1.4.37, fixing this issue
and several other bugs.

In the Mageia 4 package, improvements have been made to the logrotate
configuration and systemd service, allowing graceful reloading of
configuration files and proper re-opening of log files (mga#15948,
mga#15980).

References:
- https://bugs.mageia.org/show_bug.cgi?id=16555
- http://www.lighttpd.net/2015/7/26/1.4.36/
- http://www.lighttpd.net/2015/8/30/1.4.37/
- https://lists.fedoraproject.org/pipermail/package-announc...
- https://bugs.mageia.org/show_bug.cgi?id=15948
- https://bugs.mageia.org/show_bug.cgi?id=15980
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3200

SRPMS:
- 4/core/lighttpd-1.4.37-1.mga4
- 5/core/lighttpd-1.4.37-1.mga5
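The class of bug described in the advisory, shown from the defensive side as an added example (not lighttpd's code or its actual fix): decoded Basic credentials that lack a colon are treated as length-delimited bytes and escaped before they reach a log line. The function names `log_escape` and `format_auth_failure`, the record prefix and the sample input are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape a length-delimited buffer so it always occupies one log line.
 * Bytes outside printable ASCII (and the backslash itself) become \xNN.
 * Returns bytes written (without the NUL), or -1 if out is too small. */
int log_escape(const unsigned char *in, size_t len, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 1 >= cap) return -1;      /* room for char + NUL */
            out[o++] = (char)c;
        } else {
            if (o + 4 >= cap) return -1;      /* room for \xNN + NUL */
            o += (size_t)snprintf(out + o, cap - o, "\\x%02x", c);
        }
    }
    if (o >= cap) return -1;
    out[o] = '\0';
    return (int)o;
}

/* Hypothetical helper: build the log record for decoded Basic credentials
 * that lack the ':' separator. Returns 0 if the credentials are well formed
 * (nothing to log), the record length otherwise, or -1 if out is too small. */
int format_auth_failure(const unsigned char *cred, size_t len, char *out, size_t cap)
{
    static const char prefix[] = "basic auth rejected (no ':'): ";
    size_t p = sizeof(prefix) - 1;
    if (memchr(cred, ':', len) != NULL) return 0;
    if (p >= cap) return -1;
    memcpy(out, prefix, p);
    int n = log_escape(cred, len, out + p, cap - p);
    return n < 0 ? -1 : (int)p + n;
}

int main(void)
{
    /* Constructed sample: decoded credentials with NUL and newline, no colon. */
    static const unsigned char cred[] = "user\0\nforged";
    char line[128];
    if (format_auth_failure(cred, sizeof(cred) - 1, line, sizeof(line)) > 0)
        puts(line);
    return 0;
}
```

Passing the length explicitly matters here: a NUL inside the decoded value would otherwise truncate the string before the newline is ever inspected.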

