Posted August 3, 2016

Package        : lighttpd
Version        : 1.4.31-4+deb7u5
CVE ID         : CVE-2016-1000212
Debian Bug     : 832571

Dominic Scheirlinck and Scott Geary of Vend reported an insecure behaviour in the lighttpd web server. Lighttpd assigned Proxy header values from client requests to internal HTTP_PROXY environment variables. This could be used to carry out man-in-the-middle (MITM) attacks or to create connections to arbitrary hosts.

For Debian 7 "Wheezy", this issue has been fixed in version 1.4.31-4+deb7u5.

We recommend that you upgrade your lighttpd packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
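
The header-to-variable mapping behind this issue, as an added example (not lighttpd's code and not part of the advisory): CGI-style backends receive each request header as HTTP_<NAME>, so a client-sent Proxy header lands in HTTP_PROXY unless the server drops it first. The function name cgi_env_name and the drop_proxy flag are hypothetical, and the sample headers are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Build the CGI variable name for a request header:
 * "HTTP_" + upper-cased header name with '-' replaced by '_'.
 * Returns 1 on success, 0 if the header is not exported or does not fit.
 * drop_proxy = 0 reproduces the behaviour described in the advisory;
 * drop_proxy = 1 is the hardened form (hypothetical flag for this example). */
int cgi_env_name(const char *header, int drop_proxy, char *out, size_t outlen)
{
    size_t hlen = strlen(header);

    /* Header names are case-insensitive, so "proxy", "PROXY" and "pRoXy"
     * all map to HTTP_PROXY and must all be caught. */
    if (drop_proxy && strcasecmp(header, "Proxy") == 0)
        return 0;
    if (hlen + sizeof("HTTP_") > outlen)   /* sizeof counts the NUL */
        return 0;

    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < hlen; i++) {
        unsigned char c = (unsigned char)header[i];
        out[5 + i] = (c == '-') ? '_' : (char)toupper(c);
    }
    out[5 + hlen] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample request header names. */
    const char *headers[] = { "Host", "User-Agent", "pRoXy" };
    char name[64];

    for (int hardened = 0; hardened <= 1; hardened++) {
        printf("%s:\n", hardened ? "hardened" : "as described");
        for (size_t i = 0; i < sizeof headers / sizeof headers[0]; i++) {
            if (cgi_env_name(headers[i], hardened, name, sizeof name))
                printf("  %s -> %s\n", headers[i], name);
            else
                printf("  %s -> (not exported)\n", headers[i]);
        }
    }
    return 0;
}
```
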