CVE-2008-4359
Published: 3 October 2008
lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data.
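The ordering problem described above, modelled as an added example (not lighttpd's code): a constructed url.redirect-style rule set is applied either to the raw request URI and decoded afterwards (the pre-1.4.20 order) or to the decoded path (the corrected order), plus a defender-side check that flags access-log URIs where the two orders disagree. Rule patterns, targets and sample URIs are all hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed rules in the style of lighttpd's url.redirect setting:
# (regex applied to the request URI, redirect target). Hypothetical values.
REDIRECT_RULES = [
    (re.compile(r"^/private/"), "/login"),
    (re.compile(r"^/admin(/|$)"), "/login"),
]


def dispatch_vulnerable(raw_uri):
    """Pre-1.4.20 order: match the rules on the raw URI, decode afterwards."""
    for pattern, target in REDIRECT_RULES:
        if pattern.search(raw_uri):
            return ("redirect", target)
    # No rule matched the encoded form; the decoded path is what gets served.
    return ("serve", unquote(raw_uri))


def dispatch_fixed(raw_uri):
    """Corrected order: decode once, then apply the rules to the canonical path."""
    path = unquote(raw_uri)
    for pattern, target in REDIRECT_RULES:
        if pattern.search(path):
            return ("redirect", target)
    return ("serve", path)


def is_encoding_bypass(raw_uri):
    """Audit check for access logs: True when percent-encoding in the raw URI
    changes which rule applies, i.e. the two orders give different results."""
    return dispatch_vulnerable(raw_uri) != dispatch_fixed(raw_uri)


# Constructed sample request URIs, as they might appear in an access log.
SAMPLE_URIS = [
    "/public/index.html",
    "/private/report.pdf",
    "/%70rivate/report.pdf",  # leading 'p' percent-encoded
    "/admin%2Fusers",         # path separator percent-encoded
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        flag = "BYPASS" if is_encoding_bypass(uri) else "ok"
        print(f"{uri:28} old={dispatch_vulnerable(uri)} new={dispatch_fixed(uri)} {flag}")
```

The model decodes exactly once before matching; the note below records that the upstream patch itself was reverted for regressions, so a real deployment should verify the installed version's behaviour rather than assume this ordering.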
Notes
Author | Note |
---|---|
jdstrand | According to http://redmine.lighttpd.net/issues/show/1720, the upstream patch has been reverted due to too many regressions. As such, future versions will need to be checked to ensure it is fixed. |
Priority
Status
Package | Release | Status |
---|---|---|
lighttpd (Launchpad, Ubuntu, Debian) | dapper | Ignored (end of life) |
lighttpd (Launchpad, Ubuntu, Debian) | feisty | Ignored (end of life) |
lighttpd (Launchpad, Ubuntu, Debian) | gutsy | Ignored (end of life) |
lighttpd (Launchpad, Ubuntu, Debian) | hardy | Ignored (end of life) |
lighttpd (Launchpad, Ubuntu, Debian) | intrepid | Ignored (end of life) |
lighttpd (Launchpad, Ubuntu, Debian) | jaunty | Not vulnerable (1.4.19-5ubuntu6) |
lighttpd (Launchpad, Ubuntu, Debian) | karmic | Not vulnerable (1.4.19-5ubuntu6) |
lighttpd (Launchpad, Ubuntu, Debian) | lucid | Not vulnerable (1.4.19-5ubuntu6) |
lighttpd (Launchpad, Ubuntu, Debian) | maverick | Not vulnerable (1.4.19-5ubuntu6) |
lighttpd (Launchpad, Ubuntu, Debian) | natty | Not vulnerable (1.4.19-5ubuntu6) |
lighttpd (Launchpad, Ubuntu, Debian) | oneiric | Not vulnerable (1.4.19-5ubuntu6) |
lighttpd (Launchpad, Ubuntu, Debian) | upstream | Released (1.4.19-5) |
Patches: debdiff: https://bugs.launchpad.net/ubuntu/jaunty/+source/lighttpd/+bug/279490