Bug 850469 - (CVE-2013-4560) VUL-0: CVE-2013-4560: lighttpd: possible remote DoS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: maint:released:sle11-sp2:55424 maint:...
Depends on:
Blocks:
Reported: 2013-11-14 13:58 UTC by Victor Pereira
Modified: 2015-02-19 01:34 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Victor Pereira 2013-11-14 13:58:44 UTC
CVE-2013-4560


If FAMMonitorDirectory fails, the memory intended to store the context is
released; some lines below, the "version" component of that context is read.
Reading invalid data doesn't matter, but the memory access could trigger a
segfault.


References:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4560
https://bugzilla.redhat.com/show_bug.cgi?id=1029664
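The bug shape described above, as an added illustration that is not lighttpd's stat_cache.c and not code from the reporter: a directory-watch entry is freed when the monitor registration fails, but the caller still reads its version field a few lines later. The `fam_dir_entry` / `stat_cache_entry` types, the `monitor_directory()` stand-in for FAMMonitorDirectory and its `fam_fail_next` failure switch are all assumptions of this example. The vulnerable function is only run when the program is given an argument; the hardened one nulls the pointer right after the free and makes every later use conditional, so a failed watch degrades to an unwatched cache entry instead of a dangling read.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Miniature model of a FAM-backed directory watch cache. Illustrative
 * reconstruction of the bug pattern only; not lighttpd's stat_cache.c. */
typedef struct {
    char *dir;
    int   version;               /* bumped by the monitor on directory change */
} fam_dir_entry;

typedef struct {
    fam_dir_entry *watch;        /* NULL when the directory is not watched */
    int            dir_version;  /* snapshot of watch->version at cache time */
} stat_cache_entry;

/* Stand-in for FAMMonitorDirectory(): 0 on success, -1 on failure.
 * The one-shot failure switch is a test hook, an assumption of this example. */
static int fam_fail_next = 0;

static int monitor_directory(const char *dir) {
    (void)dir;
    if (fam_fail_next) { fam_fail_next = 0; return -1; }
    return 0;
}

static fam_dir_entry *fam_dir_entry_new(const char *dir) {
    fam_dir_entry *e = malloc(sizeof *e);
    if (!e) return NULL;
    size_t n = strlen(dir) + 1;
    e->dir = malloc(n);
    if (!e->dir) { free(e); return NULL; }
    memcpy(e->dir, dir, n);
    e->version = 1;
    return e;
}

static void fam_dir_entry_free(fam_dir_entry *e) {
    if (!e) return;
    free(e->dir);
    free(e);
}

/* Vulnerable shape (CVE-2013-4560): on monitor failure the entry is freed,
 * but control falls through to a read of fam_dir->version. That read is a
 * use-after-free; whether it segfaults depends on the allocator. */
static int stat_cache_watch_vulnerable(stat_cache_entry *sce, const char *dir) {
    fam_dir_entry *fam_dir = fam_dir_entry_new(dir);
    if (!fam_dir) return -1;
    if (monitor_directory(dir) != 0) {
        fam_dir_entry_free(fam_dir);         /* memory released here ... */
    }
    sce->watch = fam_dir;
    sce->dir_version = fam_dir->version;     /* ... and read here anyway */
    return 0;
}

/* Hardened shape: null the pointer immediately after free and guard every
 * later use. Returns 0 when watched, 1 when cached without a watch. */
static int stat_cache_watch_fixed(stat_cache_entry *sce, const char *dir) {
    fam_dir_entry *fam_dir = fam_dir_entry_new(dir);
    if (!fam_dir) return -1;
    if (monitor_directory(dir) != 0) {
        fam_dir_entry_free(fam_dir);
        fam_dir = NULL;                      /* dangling pointer neutralised */
    }
    sce->watch = fam_dir;
    sce->dir_version = fam_dir ? fam_dir->version : 0;
    return fam_dir ? 0 : 1;
}

static void stat_cache_entry_release(stat_cache_entry *sce) {
    fam_dir_entry_free(sce->watch);
    sce->watch = NULL;
}

/* Runs the hardened path once with the monitor forced to fail (1) or succeed
 * (0) and packs the observable outcome as rc*100 + watched*10 + dir_version. */
static int fixed_path_outcome(int fail_monitor) {
    stat_cache_entry sce = {0};
    fam_fail_next = fail_monitor;
    int rc = stat_cache_watch_fixed(&sce, "/srv/www/htdocs");
    int out = rc * 100 + (sce.watch != NULL) * 10 + sce.dir_version;
    stat_cache_entry_release(&sce);
    return out;
}

int main(int argc, char **argv) {
    (void)argv;
    printf("fixed path, monitor failed: outcome=%d (expect 100)\n", fixed_path_outcome(1));
    printf("fixed path, monitor ok:     outcome=%d (expect 11)\n", fixed_path_outcome(0));
    /* Pass any argument to exercise the vulnerable path; build with
     * -fsanitize=address to have the freed read reported deterministically. */
    if (argc > 1) {
        stat_cache_entry sce = {0};
        fam_fail_next = 1;
        stat_cache_watch_vulnerable(&sce, "/srv/www/htdocs");
        printf("vulnerable path returned; without a sanitizer the stale read went unnoticed\n");
    }
    return 0;
}
```

Build with `cc -fsanitize=address -g uaf_demo.c && ./a.out x` to see the vulnerable read flagged as heap-use-after-free; without an argument only the hardened path runs. The fix is the same two-part idiom the advisory's description implies: set the pointer to NULL as soon as the storage is released, and never let a later statement assume the registration succeeded.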
Comment 1 Swamp Workflow Management 2013-11-14 14:04:30 UTC
The SWAMPID for this issue is 55104.
This issue was rated as moderate.
Please submit fixed packages until 2013-11-28.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Swamp Workflow Management 2013-11-15 23:00:10 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2013-12-03 08:28:16 UTC
ping?
Comment 4 Marcus Rückert 2013-12-11 11:22:48 UTC
submitted for all distros.
Comment 6 Sebastian Krahmer 2014-01-13 12:03:57 UTC
only opensuse left to release. closing
Comment 7 Swamp Workflow Management 2014-01-13 14:49:36 UTC
Update released for: lighttpd, lighttpd-debuginfo, lighttpd-debugsource, lighttpd-mod_cml, lighttpd-mod_magnet, lighttpd-mod_mysql_vhost, lighttpd-mod_rrdtool, lighttpd-mod_trigger_b4_dl, lighttpd-mod_webdav
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-HAE 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
Comment 8 Swamp Workflow Management 2014-01-13 15:45:40 UTC
Update released for: lighttpd, lighttpd-debuginfo, lighttpd-debugsource, lighttpd-mod_cml, lighttpd-mod_magnet, lighttpd-mod_mysql_vhost, lighttpd-mod_rrdtool, lighttpd-mod_trigger_b4_dl, lighttpd-mod_webdav
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-HAE 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
Comment 9 Swamp Workflow Management 2014-01-15 16:06:00 UTC
openSUSE-SU-2014:0072-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 849059,850468,850469
CVE References: CVE-2013-4508,CVE-2013-4559,CVE-2013-4560
Sources used:
openSUSE 13.1 (src):    lighttpd-1.4.32-2.5.1
openSUSE 12.3 (src):    lighttpd-1.4.31-6.5.1
openSUSE 12.2 (src):    lighttpd-1.4.31-4.13.1
Comment 10 Swamp Workflow Management 2014-01-15 17:04:50 UTC
openSUSE-SU-2014:0074-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 790258,849059,850468,850469
CVE References: CVE-2012-5533
Sources used:
openSUSE 11.4 (src):    lighttpd-1.4.32-37.1