绿盟科技NSFOCUS安全漏洞系统

安全研究

安全漏洞

Lighttpd SSL错误拒绝服务漏洞

发布日期：2008-03-27
更新日期：2008-04-16

受影响系统：

LightTPD LightTPD 1.4.19

描述：

BUGTRAQ  ID: 28489
CVE(CAN) ID: CVE-2008-1531

Lighttpd是一款轻型的开放源码Web Server软件包。

lighttpd没有正确地清除OpenSSL错误队列，如果远程攻击者可以触发SSL错误的话，如在下载结束前断开连接，lighttpd就可能断开所有活动的SSL连接。

<*来源：Marton Illes

  链接：http://secunia.com/advisories/29544/
        https://bugs.gentoo.org/show_bug.cgi?format=multiple&id=214892
        http://trac.lighttpd.net/trac/ticket/285
        http://www.debian.org/security/2008/dsa-1540
        http://security.gentoo.org/glsa/glsa-200804-08.xml
        http://www.debian.org/security/2008/dsa-1540
*>

建议：

厂商补丁：

Debian
------
Debian已经为此发布了一个安全公告（DSA-1540-3）以及相应补丁:
DSA-1540-3：New lighttpd packages fix regression
链接：http://www.debian.org/security/2008/dsa-1540

补丁下载：
Source archives:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10.diff.gz
Size/MD5 checksum:    36023 5421eda86388cddf30348ee39c8b2059
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz
Size/MD5 checksum:   793309 3a64323b8482b0e8a6246dbfdb4c39dc
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10.dsc
Size/MD5 checksum:     1392 6011ac4224ab8ff0c1c9355f30ab11a9

Architecture independent packages:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch10_all.deb
Size/MD5 checksum:   100096 416759ae3a223ab799bbc7b264329600

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_alpha.deb
Size/MD5 checksum:   319874 0b138412935fb92f57bf968d075a05c1
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_alpha.deb
Size/MD5 checksum:    64968 5357d1c9aad4f5f5c03016d708670164
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_alpha.deb
Size/MD5 checksum:    65408 03933a616584ab63c0e59e652856b99c
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_alpha.deb
Size/MD5 checksum:    60148 8ed6ab0f02706ba339813f160cac356d
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_alpha.deb
Size/MD5 checksum:    61924 7171b0c3a9542b33a73b38e9b2ac516d
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_alpha.deb
Size/MD5 checksum:    71890 3d4973ba1c5e8d4938a35f7247e1cdbf

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_amd64.deb
Size/MD5 checksum:    70182 7ab5aa294cc9a9949ec81c850dddafee
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_amd64.deb
Size/MD5 checksum:    60978 961bc12a093309e50684188b2e948461
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_amd64.deb
Size/MD5 checksum:    64116 c745249a7e7e42d0abdd3c7761ffb086
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_amd64.deb
Size/MD5 checksum:    59368 aceae8b5e32229cf22de3d3b34344ba9
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_amd64.deb
Size/MD5 checksum:   297762 f6cf537e673702bc7f801a697368a5bc
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_amd64.deb
Size/MD5 checksum:    63822 9345b068868eb6209ec440d58ce86c55

arm architecture (ARM)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_arm.deb
Size/MD5 checksum:   286920 d13637f537de06b137194407064ac0a9
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_arm.deb
Size/MD5 checksum:    69928 a3f8604454dcdd7c7b8ae9f11302e833
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_arm.deb
Size/MD5 checksum:    61044 773180da5b9fc10d1d9d2dd414249ff5
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_arm.deb
Size/MD5 checksum:    58916 c794ba700e98dacb27bab69f64c9e149
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_arm.deb
Size/MD5 checksum:    63308 5e657e92c3da9916dbbaee9c4a03f018
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_arm.deb
Size/MD5 checksum:    63104 08e2941228b962c26c3a32bf0e86d32a

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_hppa.deb
Size/MD5 checksum:    60160 69f1cd388dd12927944a18bc13ac2bfd
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_hppa.deb
Size/MD5 checksum:    65266 01e1a4431148a150b7f9d8a7686c00f2
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_hppa.deb
Size/MD5 checksum:    62150 0330b4725c3f6d0c3cd75c52d568a555
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_hppa.deb
Size/MD5 checksum:    65772 cd104584c07c3a20e476c4ab2bc16031
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_hppa.deb
Size/MD5 checksum:    73212 53e4b9752c555a2fd0b415d37f62c3f0
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_hppa.deb
Size/MD5 checksum:   324330 2d95d0da6c2b87dbf0b985eb1ab8f807

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_i386.deb
Size/MD5 checksum:   285396 caed89abf2b41aa96f854f391eeab7dd
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_i386.deb
Size/MD5 checksum:    64088 8747d075d8b21d458e54cd08fa7e02b1
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_i386.deb
Size/MD5 checksum:    59226 71056ae49ca30f121a53196e801a6909
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_i386.deb
Size/MD5 checksum:    60962 a5f38b66f5375006217d89e7dd0290be
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_i386.deb
Size/MD5 checksum:    63880 f5d9d6d0df4bde78a971363fcd91bd2e
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_i386.deb
Size/MD5 checksum:    71204 4b26fd15200ef37037762c2f48d58ca1

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_ia64.deb
Size/MD5 checksum:    61422 0c2d54f7b9b8aa11899ef4a3e312690e
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_ia64.deb
Size/MD5 checksum:    63300 8fbe3eb055b99f3834b2dfb58f7ff070
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_ia64.deb
Size/MD5 checksum:    67756 a5c0845befc3de72d9e2289e90384f64
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_ia64.deb
Size/MD5 checksum:    77322 091bff45fac447c7bd5288c6cdf56b20
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_ia64.deb
Size/MD5 checksum:    67606 b1325f224d1b54eb65f2125e98e82424
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_ia64.deb
Size/MD5 checksum:   403688 ae0e8104305b96517d08f5aea77a4606

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_mips.deb
Size/MD5 checksum:    60232 724ec494cc69548b8890880b7d248dba
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_mips.deb
Size/MD5 checksum:    58848 3a6d7d458cb1c949115d3ad12d562138
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_mips.deb
Size/MD5 checksum:    62926 193df4731bdc1ee1073714abe1d29114
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_mips.deb
Size/MD5 checksum:    62800 e4c88318acfbe7f050ea4f1ed4681ebb
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_mips.deb
Size/MD5 checksum:    69510 3f5b26527058dd16c4655c0ecde35512
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_mips.deb
Size/MD5 checksum:   296630 75f466488f83f207f40e6f4f5f46574e

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_mipsel.deb
Size/MD5 checksum:    61016 abe2b0c52a6296920a2e2fce95349202
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_mipsel.deb
Size/MD5 checksum:   297784 e8a0ff63ef6a03ac95cf7c40b8e1b430
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_mipsel.deb
Size/MD5 checksum:    59536 76c9889ec0027e00d9afe83d092d0d83
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_mipsel.deb
Size/MD5 checksum:    63806 7b2d63f55b325ea9a1412a1c570dd3a3
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_mipsel.deb
Size/MD5 checksum:    70284 be38504e52300160c540dc6bcd41430e
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_mipsel.deb
Size/MD5 checksum:    63632 9ab20f0ac90dec49e4821bf2e3f2e352

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_powerpc.deb
Size/MD5 checksum:    65662 914158dc357223cfbcdf4d8dccaa0750
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_powerpc.deb
Size/MD5 checksum:   324318 ed2ab4940c84fa3d7f1a50f713a4f2a9
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_powerpc.deb
Size/MD5 checksum:    65382 895629ee1afc700d0df7977329708327
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_powerpc.deb
Size/MD5 checksum:    60898 b93e6ec96fc740ee8d5c41f42cf61775
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_powerpc.deb
Size/MD5 checksum:    62720 ddfda8e2b596cc362e13374f0b3184c0
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_powerpc.deb
Size/MD5 checksum:    72022 c36a5c17592f362d264da046c86719f4

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_s390.deb
Size/MD5 checksum:    59834 b3b2274d0693571453277e07b007d317
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_s390.deb
Size/MD5 checksum:   307604 efdcb28b7c72dd651fbef3cd29c0b2b0
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_s390.deb
Size/MD5 checksum:    64888 5ee5c58eb8137e16d7cc5a5051e1e681
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_s390.deb
Size/MD5 checksum:    61336 97649501fee31f896dbf0a04bc557e67
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_s390.deb
Size/MD5 checksum:    64498 d808433a519c3b935e3377be7fe3200b
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_s390.deb
Size/MD5 checksum:    71628 b3157f215944ad2e823bfe3faa0d1850

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch10_sparc.deb
Size/MD5 checksum:    70228 f5e3eaf4c778339568a0e5a4b50a2c71
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch10_sparc.deb
Size/MD5 checksum:    60764 d994ef00d45e45df2903629946c0b631
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch10_sparc.deb
Size/MD5 checksum:    63660 5b044502ef80613f1cd9a713ac4cf90c
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch10_sparc.deb
Size/MD5 checksum:   284744 a56972a3ea97aa4189ada9abec79a4be
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch10_sparc.deb
Size/MD5 checksum:    59114 db674bf22be34eead049277cc5882d66
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch10_sparc.deb
Size/MD5 checksum:    63682 2b3f4d7c52fe9cc8c9122df0bd46f7c3

补丁安装方法：

1. 手工安装补丁包：

  首先，使用下面的命令来下载补丁软件：
  # wget url  (url是补丁下载链接地址)

  然后，使用下面的命令来安装补丁：
  # dpkg -i file.deb (file是相应的补丁名)

2. 使用apt-get自动安装补丁包：

   首先，使用下面的命令更新内部数据库：
   # apt-get update

   然后，使用下面的命令安装更新软件包：
   # apt-get upgrade

Gentoo
------
Gentoo已经为此发布了一个安全公告（GLSA-200804-08）以及相应补丁:
GLSA-200804-08：lighttpd: Multiple vulnerabilities
链接：http://security.gentoo.org/glsa/glsa-200804-08.xml

所有lighttpd用户都应升级到最新版本：

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=3Dwww-servers/lighttpd-1.4.19-r=2"

LightTPD
--------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://trac.lighttpd.net/trac/changeset/2136
http://trac.lighttpd.net/trac/changeset/2139

浏览次数：3787
严重程度：0（网友投票）

本安全漏洞由绿盟科技翻译整理，版权所有，未经许可，不得转载
绿盟科技给您安全的保障

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客