Debian Security Advisory DSA 2795-2 (lighttpd - several vulnerabilities)

Summary
Several vulnerabilities have been discovered in the lighttpd web server.

It was discovered that SSL connections with client certificates stopped working after the DSA-2795-1 update of lighttpd. An upstream patch has now been applied that provides an appropriate identifier for client certificate verification.

CVE-2013-4508
It was discovered that lighttpd uses weak SSL ciphers when SNI (Server Name Indication) is enabled. This issue was solved by ensuring that stronger SSL ciphers are used when SNI is selected.

CVE-2013-4559
The clang static analyzer was used to discover privilege escalation issues due to missing checks around lighttpd's setuid, setgid, and setgroups calls. Those are now appropriately checked.

CVE-2013-4560
The clang static analyzer was used to discover a use-after-free issue when the FAM stat cache engine is enabled, which is now fixed.
Solution
For the oldstable distribution (squeeze), these problems have been fixed in version 1.4.28-2+squeeze1.5.
For the stable distribution (wheezy), these problems have been fixed in version 1.4.31-4+deb7u2.
For the testing distribution (jessie), these problems will be fixed soon.
For the unstable distribution (sid), these problems have been fixed in version lighttpd_1.4.33-1+nmu1.
For the testing (jessie) and unstable (sid) distributions, the regression problem will be fixed soon.

We recommend that you upgrade your lighttpd packages.
Insight
lighttpd is a small and fast webserver developed with security in mind and a lot of features. It has support for CGI, FastCGI and SSI, virtual hosts, URL rewriting, authentication (plain files, htpasswd, ldap), transparent content compression and conditional configuration, and its configuration is straightforward and easy.
Affected
lighttpd on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
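As an added example (not the advisory's text and not the Debian or scanner check itself), the following Python implements dpkg's Debian version comparison and uses it to decide whether an installed lighttpd version is older than the fixed versions listed in the Solution above. The functions `compare_versions`, `is_vulnerable` and `installed_version` and the `FIXED_VERSIONS` table are this example's own names; the sid entry takes the version part of "lighttpd_1.4.33-1+nmu1", and jessie is omitted because the advisory lists no fixed version for it. The comparison handles epochs, numeric runs and the "~" rule (a backport like 1.4.31-4~bpo60+1 sorts below 1.4.31-4), which is what makes a plain string comparison unsafe for this kind of check.

```python
import subprocess
from typing import Optional, Tuple

# Fixed versions from the Solution section of DSA 2795-2. The sid entry is the
# version part of "lighttpd_1.4.33-1+nmu1"; jessie had no fixed version yet.
FIXED_VERSIONS = {
    "squeeze": "1.4.28-2+squeeze1.5",
    "wheezy": "1.4.31-4+deb7u2",
    "sid": "1.4.33-1+nmu1",
}


def _char_order(c: str) -> int:
    """Sort weight of one character in a non-digit fragment (dpkg's order())."""
    if c == "~":
        return -1            # '~' sorts before everything, even end of string (0)
    if c.isalpha():
        return ord(c)        # letters sort before punctuation
    return ord(c) + 256      # punctuation sorts after letters


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two non-digit fragments character by character; end of string weighs 0."""
    for i in range(max(len(a), len(b))):
        wa = _char_order(a[i]) if i < len(a) else 0
        wb = _char_order(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_part(a: str, b: str) -> int:
    """Compare an upstream or revision string as alternating non-digit and numeric runs."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        ja, jb = ia, ib
        while ja < len(a) and not a[ja].isdigit():
            ja += 1
        while jb < len(b) and not b[jb].isdigit():
            jb += 1
        r = _cmp_fragment(a[ia:ja], b[ib:jb])
        if r:
            return r
        ia, ib = ja, jb
        while ja < len(a) and a[ja].isdigit():
            ja += 1
        while jb < len(b) and b[jb].isdigit():
            jb += 1
        na, nb = int(a[ia:ja] or "0"), int(b[ib:jb] or "0")   # numeric runs compare as integers
        if na != nb:
            return -1 if na < nb else 1
        ia, ib = ja, jb
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' the way dpkg does (last '-' starts the revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def is_vulnerable(installed: str, suite: str) -> bool:
    """True when the installed version is older than the suite's fixed version."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) < 0


def installed_version(package: str = "lighttpd") -> Optional[str]:
    """Ask dpkg-query for the installed version; None if not installed or dpkg is absent."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip() or None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("lighttpd is not installed")
    else:
        state = "VULNERABLE" if is_vulnerable(v, "wheezy") else "fixed"
        print(f"lighttpd {v}: {state} against the wheezy fixed version")
```

The `__main__` block assumes a wheezy host; on a real scanner the suite would come from the target's release information rather than being hard-coded, and a package that is not installed at all should be reported as not affected rather than as vulnerable.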
References