Overview

File _patchinfo of Package patchinfo.4364

<patchinfo incident="4364">
  <issue id="932286" tracker="bnc">VUL-1: CVE-2015-3200: lighttpd: log injection via malformed base64 string in Authentication header</issue>
  <issue id="981347" tracker="bnc">VUL-1: lighttpd: logrotate configuration for lighttpd is missing "su" directive</issue>
  <issue id="990847" tracker="bnc">VUL-0: CVE-2016-1000212: lighttpd: Setting HTTP_PROXY environment variable via Proxy header (httpoxy)</issue>
  <issue id="2015-3200" tracker="cve" />
  <issue id="2016-1000212" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>darix</packager>
  <description>
This update for lighttpd fixes the following issues:

Security issues fixed:
- CVE-2016-1000212: don't allow requests to set the HTTP_PROXY variable. As *CGI apps might pick it
  up and use it for outgoing requests (bsc#990847).
- CVE-2015-3200: log injection via malformed base64 string in Authentication header (bsc#932286).

Bugfixes:
- added su directive to logrotate file as the directory is owned by lighttpd. (bsc#981347)
- fix out of bounds read in mod_scgi (debian#857255)
</description>
  <summary>Security update for lighttpd</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places