ports/129472: [vuxml] www/lighttpd: document CVE-2008-{4298, 4359, 4360}

[Eygene Ryabinkin]

>Number:         129472
>Category:       ports
>Synopsis:       [vuxml] www/lighttpd: document CVE-2008-{4298,4359,4360}
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 06 20:50:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

Multiple issues were fixed in lighttpd 1.4.20:
  http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
  http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
  http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt
Port was updated in October 2008 (ports/127861), but VuXML entry
was not created.

>How-To-Repeat:

Look at the above URLs.

>Fix:

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="594d0c5c-c3d4-11dd-b08d-001fc66e7203">
    <topic>lighttpd -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>lighttpd</name>
        <range><lt>1.4.20</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Multiple issues were fixed in lighttpd 1.4.20:</p>
        <blockquote
          cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4298">
          <p>Memory leak in the http_request_parse function in request.c
          in lighttpd before 1.4.20 allows remote attackers to cause a
          denial of service (memory consumption) via a large number of
          requests with duplicate request headers.</p>
        </blockquote>
        <blockquote
          cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4359">
          <p>lighttpd before 1.4.20 compares URIs to patterns in the (1)
          url.redirect and (2) url.rewrite configuration settings before
          performing URL decoding, which might allow remote attackers to
          bypass intended access restrictions, and obtain sensitive
          information or possibly modify data.</p>
        </blockquote>
        <blockquote
          cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4360">
          <p>mod_userdir in lighttpd before 1.4.20, when a
          case-insensitive operating system or filesystem is used,
          performs case-sensitive comparisons on filename components in
          configuration options, which might allow remote attackers to
          bypass intended access restrictions, as demonstrated by a
          request for a .PHP file when there is a configuration rule for
          .php files.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-4298</cvename>
      <cvename>CVE-2008-4359</cvename>
      <cvename>CVE-2008-4360</cvename>
      <url>http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt</url>
      <url>http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt</url>
      <url>http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt</url>
    </references>
    <dates>
      <discovery>02-12-2008</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: