It was reported [1] that lighttpd's mod_mysql_vhost module is vulnerable to SQL injection attacks (CVE-2014-2323), and the mod_evhost or mod_simple_vhost modules are vulnerable to directory traversal attacks (CVE-2014-2324). More information can be found at [2].

This issue has been fixed in version 1.4.35 of lighttpd [3], and the patch is available at [4].

A workaround for this issue exists:

* Disable the mod_mysql_vhost module.
* Do not use the mod_evhost or mod_simple_vhost modules for IPv6 addresses as host names (i.e. don't have and don't allow creation of "[...]" directories in the base directories).

[1] http://seclists.org/oss-sec/2014/q1/561
[2] http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
[3] http://www.lighttpd.net/2014/3/12/1.4.35/
[4] http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.34_fix_mysql_injection.patch
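An added audit helper for the second workaround above (this is not lighttpd code or part of the advisory): it scans a vhost base directory for the "[...]" entries the advisory says must not exist, and adds an assumed, stricter-than-required front-end check that only plain DNS-style Host values should reach mod_simple_vhost or mod_evhost. The sample directory layout is constructed inside the script.

```python
import os
import re
import tempfile

# A bracketed IPv6 literal used as a Host value, e.g. "[::1]" or "[2001:db8::1]".
BRACKETED = re.compile(r"^\[[^\]]*\]$")
# Plain DNS-style host name: alphanumerics, dots and hyphens, no leading/trailing
# separator. Anything else is treated as unsafe for path construction.
DNS_HOST = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def find_bracketed_dirs(base_dir: str) -> list:
    """Return (sorted) names of directories directly under base_dir that look
    like a bracketed IPv6 literal, i.e. the entries the workaround forbids."""
    hits = []
    for name in os.listdir(base_dir):
        if BRACKETED.match(name) and os.path.isdir(os.path.join(base_dir, name)):
            hits.append(name)
    return sorted(hits)


def host_is_plain_dns(host: str) -> bool:
    """Assumed front-end check (stricter than the advisory asks for): accept only
    a plain DNS host name with an optional :port. Bracketed IPv6 literals, empty
    names, '..' and any other path-like characters are rejected."""
    if host.startswith("["):
        return False
    name = host.rsplit(":", 1)[0] if ":" in host else host
    if not name or ".." in name:
        return False
    return bool(DNS_HOST.match(name))


def audit_sample_layout() -> list:
    """Build a constructed base directory (one normal vhost plus two bracketed
    ones) in a temp dir and return what the scan reports for it."""
    with tempfile.TemporaryDirectory() as base:
        for d in ("example.com", "[::1]", "[2001:db8::1]"):
            os.mkdir(os.path.join(base, d))
        return find_bracketed_dirs(base)


if __name__ == "__main__":
    print("offending dirs:", audit_sample_layout())
    for h in ("example.com", "example.com:8080", "[::1]", "a..b", "-bad"):
        print(h, "->", "ok" if host_is_plain_dns(h) else "REJECT")
```

In a deployment, point find_bracketed_dirs at each server.document-root base used by mod_simple_vhost or mod_evhost; any name it returns is a directory the workaround says to remove.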
Created lighttpd tracking bugs for this issue:

Affects: fedora-all [bug 1075710]
Affects: epel-all [bug 1075711]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.