Mageia 8: 2022-0369 Moderate Advisory on Lighttpd DoS Vulnerability
mageia
October 13, 2022
In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received
Summary
In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function
pointer if an invalid HTTP request (websocket handshake) is received. It
leads to null pointer dereference which crashes the server. It could be
used by an external attacker to cause denial of service condition.
(CVE-2022-37797)
A resource leak in mod_fastcgi and mod_scgi could lead to a denial of
service after a large number of bad HTTP requests. (CVE-2022-41556)
References
- https://bugs.mageia.org/show_bug.cgi?id=30912
- https://lists.debian.org/debian-security-announce/2022/msg00212.html
- https://www.cve.org/CVERecord?id=CVE-2022-37797
- https://www.cve.org/CVERecord?id=CVE-2022-41556
Topics Covered
Resolution
SRPMS
- 8/core/lighttpd-1.4.59-1.2.mga8
PREVIOUS
NEXT
Publication date: 13 Oct 2022
URL: https://advisories.mageia.org/MGASA-2022-0369.html
Type: security
CVE: CVE-2022-37797,
CVE-2022-41556
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!