Several days ago there was a report about critical vulnerability in lighttpd's mod_fastcgi, which can lead to arbitrary code execution in fastcgi application.
This vulnerability is fixed in 1.4.18. In Ubuntu there's an update for lighttpd which fixes this vulnerability, so it's enough to apt-get update && apt-get upgrade. But still there's no update in Debian, so i just did following:
- apt-get build-dep lighttpd
- apt-get install libgamin-dev libterm-readline-perl-perl libterm-readkey-perl
- wget http://archive.ubuntu.com/ubuntu/pool/universe/l/lighttpd/lighttpd_1.4.13-9ubuntu4.2.dsc http://archive.ubuntu.com/ubuntu/pool/universe/l/lighttpd/lighttpd_1.4.13.orig.tar.gz http://archive.ubuntu.com/ubuntu/pool/universe/l/lighttpd/lighttpd_1.4.13-9ubuntu4.2.diff.gz
- dpkg-source -s ./lighttpd_1.4.13-9ubuntu4.2.dsc
- cd lighttpd-1.4.13; dpkg-buildpackage -uc -us
- dpkg -i ../lighttpd_1.4.13-9ubuntu4.2_i386.deb
Now I consider switching of Debian servers to Ubuntu
