Ubuntu Security Notice USN-5903-1
Ubuntu Security Notice 5903-1 - It was discovered that lighttpd incorrectly handled certain inputs, which could result in a stack buffer overflow. A remote attacker could possibly use this issue to cause a denial of service.
=========================================================================
Ubuntu Security Notice USN-5903-1
February 28, 2023

lighttpd vulnerabilities
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in lighttpd.

Software Description:
- lighttpd: fast webserver with minimal memory footprint

Details:

It was discovered that lighttpd incorrectly handled certain inputs in
mod_extforward, which could result in a stack buffer overflow
(CVE-2022-22707), and that it could leak backend connection slots in
gw_backend.c after anomalous TCP behaviour by clients (CVE-2022-41556).
A remote attacker could possibly use these issues to cause a denial of
service (DoS).

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  lighttpd                        1.4.65-2ubuntu1.1

Ubuntu 22.04 LTS:
  lighttpd                        1.4.63-1ubuntu3.1

Ubuntu 20.04 LTS:
  lighttpd                        1.4.55-1ubuntu1.20.04.2

After a standard system update you need to restart lighttpd to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5903-1
  CVE-2022-22707, CVE-2022-41556

Package Information:
  https://launchpad.net/ubuntu/+source/lighttpd/1.4.65-2ubuntu1.1
  https://launchpad.net/ubuntu/+source/lighttpd/1.4.63-1ubuntu3.1
  https://launchpad.net/ubuntu/+source/lighttpd/1.4.55-1ubuntu1.20.04.2
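The notice only lists the fixed package versions; it does not show how to confirm a host is actually at or above them. The script below is an added example (not part of USN-5903-1 or of Ubuntu's tooling) that takes the fixed versions from the notice, reads VERSION_ID from /etc/os-release and the installed lighttpd version from dpkg, and reports whether the host still needs the update. The function names, the `--live` flag and the sample os-release text are assumptions made for this example; the version comparison uses `dpkg --compare-versions` where available and falls back to GNU `sort -V` elsewhere.

```shell
#!/bin/sh
# Added example: check an Ubuntu host's lighttpd against the fixed versions
# named in USN-5903-1. Not part of the original notice.

# Fixed package versions from the notice, keyed by VERSION_ID (os-release).
fixed_version_for() {
    case "$1" in
        22.10) echo "1.4.65-2ubuntu1.1" ;;
        22.04) echo "1.4.63-1ubuntu3.1" ;;
        20.04) echo "1.4.55-1ubuntu1.20.04.2" ;;
        *)     return 1 ;;      # release not covered by this notice
    esac
}

# Print VERSION_ID from os-release text supplied on stdin (quotes stripped).
os_version_id() {
    sed -n '/^VERSION_ID=/{s/^VERSION_ID=//;s/"//g;p;}'
}

# True (exit 0) when $1 sorts before $2 in Debian version order.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        # Fallback for non-Debian hosts: GNU sort -V handles these strings.
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# $1 = Ubuntu VERSION_ID, $2 = installed lighttpd version.
# Exit 0 = fixed, 1 = still vulnerable, 2 = release not covered.
check_lighttpd() {
    fixed=$(fixed_version_for "$1") || {
        echo "unknown-release: Ubuntu $1 is not covered by USN-5903-1"
        return 2
    }
    if version_lt "$2" "$fixed"; then
        echo "vulnerable: lighttpd $2 < $fixed (Ubuntu $1)"
        return 1
    fi
    echo "fixed: lighttpd $2 >= $fixed (Ubuntu $1)"
    return 0
}

# Live mode: query the real host, and apply the notice's remediation
# (upgrade the package, then restart lighttpd) when it is still vulnerable.
if [ "${1:-}" = "--live" ]; then
    rel=$(os_version_id < /etc/os-release)
    inst=$(dpkg-query -W -f '${Version}' lighttpd 2>/dev/null || true)
    [ -n "$inst" ] || { echo "lighttpd is not installed"; exit 0; }
    check_lighttpd "$rel" "$inst" && exit 0
    sudo apt-get update &&
    sudo apt-get install --only-upgrade lighttpd &&
    sudo systemctl restart lighttpd
fi
```

Run it as `sh check-lighttpd.sh --live` on the host; without the flag it only defines the functions, which is convenient for sourcing into other audit scripts. The restart step matters: the notice states that a package upgrade alone does not replace the running daemon.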
Related news
CVE-2022-41556: A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.