Computer Security
[EN] no-pyccku

lighthttpd security vulnerabilities
updated since 26.12.2011
SecurityVulns ID:12116
Threat Level:
Description:DoS on base64 parsing.
Affected:LIGHTTPD : lighttpd 1.4
CVE:CVE-2011-4362 (Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.)
 CVE-2011-3389 (The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.)
Original documentdocumentpi3_(at), Lighttpd Proof of Concept code for CVE-2011-4362 (02.01.2012)
 documentDEBIAN, [SECURITY] [DSA 2368-1] lighttpd security update (26.12.2011)
Files:Primitive Lighttpd Proof of Concept code for CVE-2011-4362 vulnerability

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod