stop

2016-08-06 4:36 GMT+02:00 Sebastien Delafond <[email protected]>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3642-1                   [email protected]
> https://www.debian.org/security/                       Sebastien Delafond
> August 05, 2016                       https://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : lighttpd
> CVE ID         : CVE-2016-1000212
> Debian Bug     : 832571
>
> Dominic Scheirlinck and Scott Geary of Vend reported insecure behavior
> in the lighttpd web server. Lighttpd assigned Proxy header values from
> client requests to internal HTTP_PROXY environment variables, allowing
> remote attackers to carry out Man in the Middle (MITM) attacks or
> initiate connections to arbitrary hosts.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 1.4.35-4+deb8u1.
>
> We recommend that you upgrade your lighttpd packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: [email protected]
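
The header-to-environment mapping described in the quoted advisory, as an added example that is not lighttpd's code or the Debian patch: it shows how the CGI naming convention turns a client-supplied Proxy header into HTTP_PROXY, next to a hardened form that drops it. The function names are hypothetical and the header names are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* CGI naming (RFC 3875): "HTTP_" + header name, upper-cased, '-' -> '_'. */
static void cgi_env_name(const char *header, char *out, size_t outlen)
{
    const char *prefix = "HTTP_";
    size_t n = 0;
    if (outlen == 0) return;
    for (; *prefix && n + 1 < outlen; prefix++)
        out[n++] = *prefix;
    for (; *header && n + 1 < outlen; header++)
        out[n++] = (*header == '-') ? '_' : (char)toupper((unsigned char)*header);
    out[n] = '\0';
}

/* Hypothetical helper. Returns 1 and fills env if the header is exported to
 * the CGI environment, 0 if it is dropped. strip_proxy == 0 reproduces the
 * behaviour in the advisory; strip_proxy == 1 is the hardened form. */
int export_header(const char *header, int strip_proxy, char *env, size_t len)
{
    cgi_env_name(header, env, len);
    /* Compare after normalisation so "proxy", "PROXY" etc. are all caught. */
    if (strip_proxy && strcmp(env, "HTTP_PROXY") == 0)
        return 0;
    return 1;
}

/* Returns 1 if any exported header ends up as HTTP_PROXY, the variable many
 * HTTP client libraries read as their outbound proxy setting. */
int sets_http_proxy(const char *const *headers, size_t count, int strip_proxy)
{
    char env[128];
    for (size_t i = 0; i < count; i++)
        if (export_header(headers[i], strip_proxy, env, sizeof env) &&
            strcmp(env, "HTTP_PROXY") == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed request header names, not taken from a real capture. */
    const char *const hdrs[] = { "Host", "User-Agent", "proxy" };
    printf("unpatched: HTTP_PROXY set = %d\n", sets_http_proxy(hdrs, 3, 0));
    printf("hardened:  HTTP_PROXY set = %d\n", sets_http_proxy(hdrs, 3, 1));
    return 0;
}
```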

