Vulnerable to symlink attack notice while trying to upgrade lighttpd.
I got this while I tried to upgrade my server and have been unable to find any explanations for what I could do while I have searched for a solution. I was a bit uncertain about how to search for an answer and have tried some searches that I think should have been good enough, as well as searches much like "symlink attack", "forged php attack". I cannot understand that I could have modified the file /etc/lighttpd/conf-available/15-fastcgi-php.conf and have therefore not changed the file by setting the "socket" => "/var/run/lighttpd/php.socket". Could someone please tell me how to fix this issue that seems to appear each time my upgrade is about to deal with the lighttpd package.
The default Debian configuration file for PHP invoked from FastCGI was
vulnerable to local symlink attacks and race conditions when an attacker
manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3)
before the web server started. Possibly the web server could have been
tricked to use a forged PHP.
The problem lies in the configuration, thus this update will fix the problem
only if you did not modify the file /etc/lighttpd/conf-available/15-fastcgi-php.conf.
If you did, dpkg will not overwrite your changes. Please make sure to set
"socket" => "/var/run/lighttpd/php.socket"
yourself in that case.
-- Arno Töll <email@example.com> Thu, 14 Mar 2013 01:57:42 +0100
To fix a security vulnerability in the design of the SSL/TLS protocol
(CVE-2009-3555), the protocol had to be extended (RFC 5746). By default,
session renegotiation is no longer supported with old clients that do not
implement this extension. This breaks certain configurations with client
certificate authentication. If you still need to support old clients, you
may restore the old (insecure) behaviour by adding the configuration option
ssl.disable-client-renegotiation = "disable"
-- Thijs Kinkhorst <firstname.lastname@example.org> Thu, 14 Feb 2013 19:42:19 +0100
Regards, Jonathan Sander Stensvold Hol.
Last edited by Jonathan Sander; 09-18-2013 at 04:41 PM.
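A defender-side check for the socket location the notice above describes, added here as an example (it is not from the thread or from the Debian package): it reads the "socket" setting out of a 15-fastcgi-php.conf-style file and warns when the path sits in /tmp or another world-writable directory. The two sample configs are constructed, and the ls-based permission test is a portable heuristic, not the package's own check.

```shell
#!/bin/sh
# Added example, not from the Debian NEWS entry or the thread: flag a lighttpd
# FastCGI config whose PHP socket sits in a shared directory such as /tmp, the
# location the 1.4.31-3 fix moved away from.

# Print the first "socket" => "/path" value found in a config file.
socket_path() {
    sed -n 's/.*"socket"[[:space:]]*=>[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 if the socket's directory is private; 1 if it is under /tmp, /var/tmp, or
# an existing world-writable directory, where another local user could
# pre-create a symlink or socket of the same name before lighttpd starts.
socket_is_safe() {
    dir=$(dirname "$1")
    case "$dir" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*) return 1 ;;
    esac
    # others-writable bit on an existing directory (column 9 of the ls mode string)
    if [ -d "$dir" ]; then
        case "$(ls -ld "$dir")" in d???????w*) return 1 ;; esac
    fi
    return 0
}

# Report on one config file; exit status 0 = safe, 1 = shared location, 2 = no socket set.
check_fastcgi_conf() {
    sock=$(socket_path "$1")
    [ -n "$sock" ] || { echo "$1: no \"socket\" setting found"; return 2; }
    if socket_is_safe "$sock"; then
        echo "$1: OK, socket at $sock"
    else
        echo "$1: WARNING, $sock is in a shared directory; set \"socket\" => \"/var/run/lighttpd/php.socket\""
        return 1
    fi
}

# Constructed sample configs: the old vulnerable default and the fixed default.
OLD_CONF=$(mktemp) && NEW_CONF=$(mktemp)
printf '%s\n' 'fastcgi.server += ( ".php" => ((' \
    '    "bin-path" => "/usr/bin/php-cgi",' \
    '    "socket" => "/tmp/php.socket",' \
    ')))' >"$OLD_CONF"
sed 's#/tmp/php.socket#/var/run/lighttpd/php.socket#' "$OLD_CONF" >"$NEW_CONF"

check_fastcgi_conf "$OLD_CONF" || true   # prints the WARNING line
check_fastcgi_conf "$NEW_CONF"           # prints OK
```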
I removed the package lighttpd by
, did not remove any directories, and reinstalled the package again with
, which functioned very well. I was able to upgrade the rest of the server software this way, thank you very much!