Li Ming discovered that lighttpd, a small and fast webserver with minimal
memory footprint, is vulnerable to a denial of service attack due to bad
memory handling. Slowly sending very small chunks of request data causes
lighttpd to allocate new buffers for each read instead of appending to
old ones. An attacker can abuse this behaviour to cause denial of service
conditions due to memory exhaustion.
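A minimal C model of the allocation pattern described above, added here as an illustration. It is not lighttpd's code, and the names (`queue_store`, `heap_after`) and the 4096-byte buffer size are assumptions. It compares the heap held when every read gets a fresh buffer with the heap held when new data is appended to the existing buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_CAP 4096  /* assumed per-buffer capacity, not taken from lighttpd */

struct chunk { struct chunk *next; size_t used; char data[CHUNK_CAP]; };
struct queue { struct chunk *head, *tail; size_t allocated; };

/* Store one read of n bytes. With append == 0 every read gets a fresh
 * buffer; with append == 1 free space in the tail buffer is used first. */
static int queue_store(struct queue *q, const char *buf, size_t n, int append)
{
    while (n > 0) {
        struct chunk *c = q->tail;
        if (!append || c == NULL || c->used == CHUNK_CAP) {
            c = calloc(1, sizeof(*c));
            if (c == NULL) return -1;
            if (q->tail) q->tail->next = c; else q->head = c;
            q->tail = c;
            q->allocated += sizeof(*c);
        }
        size_t room = CHUNK_CAP - c->used;
        size_t take = n < room ? n : room;
        memcpy(c->data + c->used, buf, take);
        c->used += take;
        buf += take;
        n -= take;
    }
    return 0;
}

/* Heap bytes held after `reads` reads of `len` bytes each (len is clamped). */
static size_t heap_after(size_t reads, size_t len, int append)
{
    char buf[CHUNK_CAP];
    struct queue q = {0};
    memset(buf, 'A', sizeof buf);
    if (len > sizeof buf) len = sizeof buf;
    for (size_t i = 0; i < reads; i++)
        if (queue_store(&q, buf, len, append) != 0) break;
    size_t total = q.allocated;
    while (q.head) { struct chunk *n = q.head->next; free(q.head); q.head = n; }
    return total;
}

int main(void)
{
    printf("fresh buffer per read: %zu bytes\n", heap_after(1000, 1, 0));
    printf("append to old buffer:  %zu bytes\n", heap_after(1000, 1, 1));
    return 0;
}
```

In this model, 1000 one-byte reads hold 1000 buffers in the first case and a single buffer in the second, which is the gap between request size and memory use that the fixed packages close.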
For the oldstable distribution (etch), this problem has been fixed in
version 1.4.13-4etch12.
For the stable distribution (lenny), this problem has been fixed in
version 1.4.19-5+lenny1.
For the testing (squeeze) and unstable (sid) distributions, this problem
will be fixed soon.
We recommend that you upgrade your lighttpd packages.
Upgrade instructions
--------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the int...