Security update for lighttpd SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:0731-1 Final 1 1 2017-03-17T14:07:47Z current 2017-03-17T14:07:47Z 2017-03-17T14:07:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for lighttpd This update for lighttpd fixes the following issues: Security issues fixed: - CVE-2016-1000212: Don't allow requests to set the HTTP_PROXY variable. As *CGI apps might pick it up and use it for outgoing requests. (bsc#990847) - CVE-2015-3200: Log injection via malformed base64 string in Authentication header. (bsc#932286) Bug fixes: - Add su directive to logrotate file as the directory is owned by lighttpd. (bsc#981347) - Fix out of bounds read in mod_scgi. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-lighttpd-13033,slehasp4-lighttpd-13033,slesappsp4-lighttpd-13033 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20170731-1/ Link for SUSE-SU-2017:0731-1 https://lists.suse.com/pipermail/sle-security-updates/2017-March/002711.html E-Mail link for SUSE-SU-2017:0731-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/932286 SUSE Bug 932286 https://bugzilla.suse.com/981347 SUSE Bug 981347 https://bugzilla.suse.com/990847 SUSE Bug 990847 https://www.suse.com/security/cve/CVE-2015-3200/ SUSE CVE CVE-2015-3200 page https://www.suse.com/security/cve/CVE-2016-1000212/ SUSE CVE CVE-2016-1000212 page SUSE Linux Enterprise High Availability Extension 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 lighttpd-1.4.20-2.58.1 lighttpd-mod_cml-1.4.20-2.58.1 lighttpd-mod_magnet-1.4.20-2.58.1 lighttpd-mod_mysql_vhost-1.4.20-2.58.1 lighttpd-mod_rrdtool-1.4.20-2.58.1 lighttpd-mod_trigger_b4_dl-1.4.20-2.58.1 lighttpd-mod_webdav-1.4.20-2.58.1 lighttpd-1.4.20-2.58.1 as a component of SUSE Linux Enterprise High Availability Extension 11 SP4 lighttpd-mod_cml-1.4.20-2.58.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 lighttpd-mod_magnet-1.4.20-2.58.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 lighttpd-mod_mysql_vhost-1.4.20-2.58.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 lighttpd-mod_rrdtool-1.4.20-2.58.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 lighttpd-mod_trigger_b4_dl-1.4.20-2.58.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 lighttpd-mod_webdav-1.4.20-2.58.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 lighttpd-1.4.20-2.58.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 lighttpd-mod_cml-1.4.20-2.58.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 lighttpd-mod_magnet-1.4.20-2.58.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 lighttpd-mod_mysql_vhost-1.4.20-2.58.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 lighttpd-mod_rrdtool-1.4.20-2.58.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 lighttpd-mod_trigger_b4_dl-1.4.20-2.58.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 lighttpd-mod_webdav-1.4.20-2.58.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character. CVE-2015-3200 SUSE Linux Enterprise High Availability Extension 11 SP4:lighttpd-1.4.20-2.58.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:lighttpd-mod_cml-1.4.20-2.58.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:lighttpd-mod_magnet-1.4.20-2.58.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:lighttpd-mod_mysql_vhost-1.4.20-2.58.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:lighttpd-mod_rrdtool-1.4.20-2.58.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:lighttpd-mod_trigger_b4_dl-1.4.20-2.58.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:lighttpd-mod_webdav-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-mod_cml-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-mod_magnet-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-mod_mysql_vhost-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-mod_rrdtool-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-mod_trigger_b4_dl-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-mod_webdav-1.4.20-2.58.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170731-1/ https://www.suse.com/security/cve/CVE-2015-3200.html CVE-2015-3200 https://bugzilla.suse.com/932286 SUSE Bug 932286 unknown CVE-2016-1000212 SUSE Linux Enterprise High Availability Extension 11 SP4:lighttpd-1.4.20-2.58.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:lighttpd-mod_cml-1.4.20-2.58.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:lighttpd-mod_magnet-1.4.20-2.58.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:lighttpd-mod_mysql_vhost-1.4.20-2.58.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:lighttpd-mod_rrdtool-1.4.20-2.58.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:lighttpd-mod_trigger_b4_dl-1.4.20-2.58.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:lighttpd-mod_webdav-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-mod_cml-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-mod_magnet-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-mod_mysql_vhost-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-mod_rrdtool-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-mod_trigger_b4_dl-1.4.20-2.58.1 SUSE Linux Enterprise Software Development Kit 11 SP4:lighttpd-mod_webdav-1.4.20-2.58.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170731-1/ https://www.suse.com/security/cve/CVE-2016-1000212.html CVE-2016-1000212 https://bugzilla.suse.com/988484 SUSE Bug 988484 https://bugzilla.suse.com/990847 SUSE Bug 990847