{"id":"MGASA-2013-0334","summary":"Updated lighttpd packages fix multiple security vulnerabilities","details":"Updated lighttpd packages fix security vulnerabilities:\n\nlighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which\nmakes it easier for remote attackers to hijack sessions by inserting packets\ninto the client-server data stream or obtain sensitive information by sniffing\nthe network (CVE-2013-4508).\n\nIn lighttpd before 1.4.34, if setuid() fails for any reason, for instance if an\nenvironment limits the number of processes a user can have and the target uid\nalready is at the limit, lighttpd will run as root. A user who can run CGI\nscripts could clone() often; in this case a lighttpd restart would end up with\nlighttpd running as root, and the CGI scripts would run as root too\n(CVE-2013-4559).\n\nIn lighttpd before 1.4.34, if \"fam\" is enabled and there are directories\nreachable from configured doc roots and aliases on which FAMMonitorDirectory\nfails, a remote client could trigger a DoS 
(CVE-2013-4560).\n","modified":"2026-04-16T06:22:53.685442065Z","published":"2013-11-20T20:36:53Z","upstream":["CVE-2013-4508","CVE-2013-4559","CVE-2013-4560"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2013-0334.html"},{"type":"WEB","url":"http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt"},{"type":"WEB","url":"http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt"},{"type":"WEB","url":"http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt"},{"type":"WEB","url":"http://www.debian.org/security/2013/dsa-2795"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=11662"}],"affected":[{"package":{"name":"lighttpd","ecosystem":"Mageia:2","purl":"pkg:rpm/mageia/lighttpd?arch=source&distro=mageia-2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.30-5.3.mga2"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0334.json"}},{"package":{"name":"lighttpd","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/lighttpd?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.32-3.6.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0334.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}