Vulnerable to symlink attack notice while trying to upgrade lighttpd.

Post 302854913 by Jonathan Sander on Wednesday 18th of September 2013 03:35:39 PM

I got this while I tried to upgrade my server and have been unable to find any explanation for what I could do while I have searched for a solution. I was a bit uncertain about how to search for an answer and have tried some searches that I think should have been good enough, as well as searches much like "symlink attack", "forged php attack". I cannot understand how I could have modified the file /etc/lighttpd/conf-available/15-fastcgi-php.conf and have therefore not changed the file by setting "socket" => "/var/run/lighttpd/php.socket". Could someone please tell me how to fix this issue that seems to appear each time my upgrade is about to deal with the lighttpd package.

Quote:
lighttpd (1.4.28-2+squeeze1.3) stable-security; urgency=high

The default Debian configuration file for PHP invoked from FastCGI was
vulnerable to local symlink attacks and race conditions when an attacker
manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3)
before the web server started. Possibly the web server could have been
tricked to use a forged PHP.

The problem lies in the configuration, thus this update will fix the problem
only if you did not modify the file /etc/lighttpd/conf-available/15-fastcgi-php.conf
If you did, dpkg will not overwrite your changes. Please make sure to set

"socket" => "/var/run/lighttpd/php.socket"

yourself in that case.

-- Arno Töll <arno@debian.org> Thu, 14 Mar 2013 01:57:42 +0100

lighttpd (1.4.28-2+squeeze1.1) stable-security; urgency=high

To fix a security vulnerability in the design of the SSL/TLS protocol
(CVE-2009-3555), the protocol had to be extended (RFC 5746). By default,
session renegotiation is no longer supported with old clients that do not
implement this extension. This breaks certain configurations with client
certificate authentication. If you still need to support old clients, you
may restore the old (insecure) behaviour by adding the configuration option

ssl.disable-client-renegotiation = "disable"

to /etc/lighttpd/lighttpd.conf.

-- Thijs Kinkhorst <thijs@debian.org> Thu, 14 Feb 2013 19:42:19 +0100

Regards, Jonathan Sander Stensvold Hol.
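A quick check for the setting the quoted NEWS entry asks for, added here as an example (it is not code from the post or from Debian's lighttpd package). It assumes the Debian conf-available layout and builds its own constructed sample configs so it runs stand-alone:

```shell
#!/bin/sh
# Added example (not part of the forum post or of Debian's lighttpd package):
# report whether a lighttpd FastCGI config still points the PHP socket at a
# world-writable location such as /tmp, the setting the NEWS entry warns about.
# Returns 0 when the socket lives under /var/run/lighttpd or /run/lighttpd,
# 1 when it points elsewhere, 2 when the file has no "socket" setting.
check_php_socket() {
    conf="$1"
    # Take the first uncommented "socket" => "..." value.
    sock=$(grep -v '^[[:space:]]*#' "$conf" 2>/dev/null \
        | sed -n 's/.*"socket"[[:space:]]*=>[[:space:]]*"\([^"]*\)".*/\1/p' \
        | head -n 1)
    [ -n "$sock" ] || { echo "$conf: no socket setting found"; return 2; }
    case "$sock" in
        /var/run/lighttpd/*|/run/lighttpd/*)
            echo "$conf: ok, socket is $sock"; return 0 ;;
        *)
            echo "$conf: WARNING, socket $sock is outside /var/run/lighttpd"; return 1 ;;
    esac
}

# Constructed sample configs so the script runs stand-alone: the first mirrors
# the vulnerable pre-update default, the second the value the NEWS entry asks for.
demo_dir=$(mktemp -d)
cat > "$demo_dir/old.conf" <<'EOF'
fastcgi.server += ( ".php" =>
    ((
        "bin-path" => "/usr/bin/php-cgi",
        "socket" => "/tmp/php.socket",
    ))
)
EOF
sed 's#/tmp/php.socket#/var/run/lighttpd/php.socket#' \
    "$demo_dir/old.conf" > "$demo_dir/new.conf"
: > "$demo_dir/empty.conf"

for f in old new empty; do
    check_php_socket "$demo_dir/$f.conf" || :
done
```

Run it against /etc/lighttpd/conf-available/15-fastcgi-php.conf on the real host; a non-zero exit tells you the conffile still needs the edit dpkg refused to make.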
