Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4359 to the following vulnerability:

lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data.

Affected versions: all versions before 1.4.20 (1.5 before r2310)
Upstream advisory: http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
Upstream bug report: http://trac.lighttpd.net/trac/ticket/1720
Upstream patches (1.4.x):
http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
http://trac.lighttpd.net/trac/changeset/2278 (rewrite)
http://trac.lighttpd.net/trac/changeset/2309 (redirect)
References: http://openwall.com/lists/oss-security/2008/09/30/1
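The ordering problem the advisory describes, as an added regression check that is not part of this report or of lighttpd's own code: a url.rewrite/url.redirect-style regex is applied once to the raw request URI (the pre-1.4.20 behaviour) and once to the URL-decoded URI (the behaviour the upstream patches introduce). The rule and the request paths are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed rule in the spirit of a url.rewrite / url.redirect entry:
# a regex that is meant to cover everything under /private/.
RULE = re.compile(r"^/private/(.*)")


def rule_matches(uri: str, decode_first: bool) -> bool:
    """Return True if RULE fires for the given request URI.

    decode_first=False reproduces the affected ordering: the pattern is
    compared against the URI exactly as the client sent it.
    decode_first=True reproduces the fix: percent-decode the URI first,
    then compare, so an encoded and a plain spelling of the same path
    are treated alike.
    """
    subject = unquote(uri) if decode_first else uri
    return RULE.match(subject) is not None


def check_requests(requests, decode_first: bool) -> dict:
    """Map each request URI to whether the rule fires under the given ordering."""
    return {uri: rule_matches(uri, decode_first) for uri in requests}


# Constructed sample requests: the same resource, once plain and once with a
# percent-encoded character in the path.
REQUESTS = ["/private/secret.txt", "/%70rivate/secret.txt"]

if __name__ == "__main__":
    # Both mod_rewrite and mod_redirect need the decode-then-match ordering;
    # a build that patches only one of them (see the Rawhide comment) still
    # shows the mismatch for the other module's rules.
    for ordering, flag in (("match raw URI (before 1.4.20)", False),
                           ("decode, then match (fixed)", True)):
        print(ordering)
        for uri, fired in check_requests(REQUESTS, flag).items():
            print(f"  {uri:<25} rule fired: {fired}")
```

Run stand-alone it prints one table per ordering; under the affected ordering the encoded spelling does not trigger the rule, under the fixed ordering both spellings do.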
Rawhide version lighttpd-1.4.20-0.1.r2303.fc10 contains the mod_rewrite part of the fix, but is missing the mod_redirect part.
lighttpd-1.4.20-6.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/lighttpd-1.4.20-6.fc9
lighttpd-1.4.20-6.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/lighttpd-1.4.20-6.fc8
Forgot to close this report. Closing now, as 1.4.22 is being pushed to F-9+.