Red Hat Bugzilla – Bug 435805
CVE-2008-1111 lighttpd CGI source disclosure
Last modified: 2009-10-23 15:06:45 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1111 to the following vulnerability:
When mod_cgi running onlighttpd is unable to fork anymore (for instance if
ulimit is reached) lighty sends the full source of the cgi script. This is
rather serious and affects all users of mod_cgi. The patch (found at lighttpd's
subversion repository) returns a 500 response instead.
lighttpd-1.4.18-6.fc8 has been submitted as an update for Fedora 8
lighttpd-1.4.18-3.fc7 has been submitted as an update for Fedora 7
lighttpd-1.4.18-3.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
lighttpd-1.4.18-6.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Reporter changed to email@example.com by request of Jay Turner.