Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] FLEA-2007-0011-1: lighttpd

from [Foresight Linux Essential Announcement Service] Network Security [Permanent Link]
Subject: [Full-disclosure] FLEA-2007-0011-1: lighttpd
Date: Fri, 20 Apr 2007 15:46:13 -0400 
Foresight Linux Essential Advisory: 2007-0011-1
Published: 2007-04-20

Rating: Moderate

Updated Versions:
     lighttpd=/conary.rpath.com@rpl:devel//1/1.4.15-0.1-1
     group-dist=/foresight.rpath.org@fl:1-devel//1/1.2.1-0.1-3

References:
     https://issues.rpath.com/browse/RPL-1218
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1869
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1870

Description:
     Previous versions of the lighttpd package are vulnerable to two denial of 
service attacks.  One is a remote denial of service that can cause lighttpd to 
consume all available CPU time and stop serving requests, and the other is a 
denial of service attack which generally requires a local user to create a file 
with an mtime of 0; the lighttpd daemon will crash when attempting to serve 
that 
file. This crash does not enable any arbitrary or directed code execution; 
however, since the rAA service (Foresight System Manager) uses lighttpd by 
default, and rAA is configured to start by default, all Foresight systems are 
vulnerable to this DoS by default. Once lighttpd has been crashed or made to 
stop serving requests, subsequent updates using the Foresight System Manager 
(rAA) will not occur.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] OT? - TDBanknorth + merchant's CC auth, Micheal Espinola Jr
Next by Date:  Re: [Full-disclosure] OT? - TDBanknorth + merchant's CC auth, James Matthews
Previous by Thread:  [Full-disclosure] FLEA-2007-0010-1: evolution, Foresight Linux Essential Announcement Service
Next by Thread:  [Full-disclosure] FLEA-2007-0012-1: madwifi, Foresight Linux Essential Announcement Service
Indexes:  [Date] [Thread] [Top] [All Lists]