It was reported that lighttpd's mod_mysql_vhost module is vulnerable to SQL injection attacks (CVE-2014-2323), and the mod_evhost or mod_simple_vhost modules are vulnerable to directory traversal attacks (CVE-2014-2324). More information can be found at .
This issue has been fixed in version 1.4.35 of lighttpd, and the patch is available at .
A workaround for this issue exists:
* Disable the mod_mysql_vhost module.
* Do not use the mod_evhost or mod_simple_vhost modules for IPv6 addresses as host names (i.e. don't have and don't allow creation of "[...]" directories in the base directories).
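An audit sketch for the two workarounds above, added here as an example and not taken from the lighttpd project or this bug report. It assumes the caller supplies the `lighttpd -v` banner, the configuration text, and the list of vhost base directories; the function names are hypothetical.

```python
import os
import re

FIXED = (1, 4, 35)  # fixed release named on this page
RISKY = {  # module -> workaround from the list above
    "mod_mysql_vhost": "CVE-2014-2323: disable the module",
    "mod_evhost": "CVE-2014-2324: no '[...]' directories in base dirs",
    "mod_simple_vhost": "CVE-2014-2324: no '[...]' directories in base dirs",
}

def is_fixed(banner):
    """True if a banner like 'lighttpd/1.4.35 (ssl)' is at least 1.4.35."""
    m = re.search(r"lighttpd/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no lighttpd version in banner")
    return tuple(map(int, m.groups())) >= FIXED

def risky_modules(config_text):
    """Affected modules quoted on non-comment config lines."""
    found = set()
    for line in config_text.splitlines():
        active = line.split("#", 1)[0]  # naive comment strip
        found.update(re.findall(r'"(mod_\w+)"', active))
    return sorted(found & set(RISKY))

def bracket_dirs(base_dir):
    """Directories directly under base_dir whose name starts with '['."""
    return sorted(e.name for e in os.scandir(base_dir)
                  if e.name.startswith("[") and e.is_dir())

def audit(banner, config_text, base_dirs):
    """Return findings; an empty list means no workaround is needed."""
    if is_fixed(banner):
        return []
    findings = []
    for mod in risky_modules(config_text):
        findings.append(f"{mod}: {RISKY[mod]}")
        if mod != "mod_mysql_vhost":
            for base in base_dirs:
                findings += [f"{mod}: found {os.path.join(base, d)}"
                             for d in bracket_dirs(base)]
    return findings

if __name__ == "__main__":
    # Constructed sample input; base directory list is left empty here.
    SAMPLE = 'server.modules = ( "mod_access", "mod_evhost" )\n#  "mod_mysql_vhost"\n'
    print(audit("lighttpd/1.4.34 (ssl)", SAMPLE, []))
```

The check only covers directories that already exist; preventing creation of new "[...]" directories still has to be enforced by whatever provisions the vhost directories.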
Created lighttpd tracking bugs for this issue:
Affects: fedora-all [bug 1075710]
Affects: epel-all [bug 1075711]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.