Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found 41 articles for you...
202
security advisorymoderatedenial of serviceopenSUSE: lighttpd Moderate Security Issue CVE-2025-8671
An update that solves one vulnerability can now be installed.. # lighttpd-1.4.80-1.1 on GA media Announcement ID: openSUSE-SU-2025:15449-1 Rating: moderate Cross-References: * CVE-2025-8671 CVSS scores: * CVE-2025-8671 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2025-8671 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Affected Products: * openSUSE Tumbleweed An update that solves one vulnerability can now be installed. ## Description: These are all security issues fixed in the lighttpd-1.4.80-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * lighttpd 1.4.80-1.1 * lighttpd-mod_authn_dbi 1.4.80-1.1 * lighttpd-mod_authn_gssapi 1.4.80-1.1 * lighttpd-mod_authn_ldap 1.4.80-1.1 * lighttpd-mod_authn_pam 1.4.80-1.1 * lighttpd-mod_authn_sasl 1.4.80-1.1 * lighttpd-mod_deflate 1.4.80-1.1 * lighttpd-mod_gnutls 1.4.80-1.1 * lighttpd-mod_magnet 1.4.80-1.1 * lighttpd-mod_maxminddb 1.4.80-1.1 * lighttpd-mod_mbedtls 1.4.80-1.1 * lighttpd-mod_nss 1.4.80-1.1 * lighttpd-mod_openssl 1.4.80-1.1 * lighttpd-mod_rrdtool 1.4.80-1.1 * lighttpd-mod_vhostdb_dbi 1.4.80-1.1 * lighttpd-mod_vhostdb_ldap 1.4.80-1.1 * lighttpd-mod_vhostdb_mysql 1.4.80-1.1 * lighttpd-mod_vhostdb_pgsql 1.4.80-1.1 * lighttpd-mod_webdav 1.4.80-1.1 ## References: * https://www.suse.com/security/cve/CVE-2025-8671.html . nginx-1.21.3-1.2 patch for Fedora released to address a critical vulnerability associated with CVE-2025-9876.. openSUSE Security, lighttpd update, moderate security alert, software security fix. . LinuxSecurity.com Team
Aug 16, 2025 OpenSUSE 172
security advisorydenial of servicecriticalUbuntu 22.10: USN-5903-1 Critical Lighttpd DoS Issues Report
Several security issues were fixed in lighttpd.. =========================================================================Ubuntu Security Notice USN-5903-1 February 28, 2023 lighttpd vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in lighttpd. Software Description: - lighttpd: fast webserver with minimal memory footprint Details: It was discovered that lighttpd incorrectly handled certain inputs, which could result in a stack buffer overflow. A remote attacker could possibly use this issue to cause a denial of service (DoS). (CVE-2022-22707, CVE-2022-41556) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: lighttpd 1.4.65-2ubuntu1.1 Ubuntu 22.04 LTS: lighttpd 1.4.63-1ubuntu3.1 Ubuntu 20.04 LTS: lighttpd 1.4.55-1ubuntu1.20.04.2 After a standard system update you need to restart lighttpd to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5903-1 CVE-2022-22707, CVE-2022-41556 Package Information: https://launchpad.net/ubuntu/+source/lighttpd/1.4.65-2ubuntu1.1 https://launchpad.net/ubuntu/+source/lighttpd/1.4.63-1ubuntu3.1 https://launchpad.net/ubuntu/+source/lighttpd/1.4.55-1ubuntu1.20.04.2 . Several security patches for lighttpd have addressed vulnerabilities impacting Ubuntu versions 20.04, 22.04, and 22.10.. Ubuntu Lighttpd Security Update, DoS Vulnerability in Lighttpd, Security Fixes. . Severity: Critical. LinuxSecurity.com Team
Feb 28, 2023 •Critical Ubuntu 
91
security advisorydenial of servicegentooGentoo: GLSA-202210-13 Minor Risk Lighttpd Service Interruption
A vulnerability has been discovered in lighttpd which could result in denial of service.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202210-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: Lighttpd: Denial of Service Date: October 31, 2022 Bugs: #869890 ID: 202210-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= A vulnerability has been discovered in lighttpd which could result in denial of service. Background ========= Lighttpd is a lightweight high-performance web server. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-servers/lighttpd < 1.4.67 > = 1.4.67 Description ========== Lighttpd's mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. Impact ===== An attacker can trigger a denial of service via making Lighttpd try to call an uninitialized function pointer. Workaround ========= There is no known workaround at this time. Resolution ========= All lighttpd users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =www-servers/lighttpd-1.4.67" References ========= [ 1 ] CVE-2022-37797 https://nvd.nist.gov/vuln/detail/CVE-2022-37797 [ 2 ] CVE-2022-41556 https://nvd.nist.gov/vuln/detail/CVE-2022-41556 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202210-12 Concerns? ======== Security is a primaryfocus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Oct 30, 2022 •Low Gentoo 203
security advisorydenial of servicelighttpdMageia 8: 2022-0369 Moderate Advisory on Lighttpd DoS Vulnerability
In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition. (CVE-2022-37797) . MGASA-2022-0369 - Updated lighttpd packages fix security vulnerability Publication date: 13 Oct 2022 URL: https://advisories.mageia.org/MGASA-2022-0369.html Type: security Affected Mageia releases: 8 CVE: CVE-2022-37797, CVE-2022-41556 In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition. (CVE-2022-37797) A resource leak in mod_fastcgi and mod_scgi could lead to a denial of service after a large number of bad HTTP requests. (CVE-2022-41556) References: - https://bugs.mageia.org/show_bug.cgi?id=30912 - https://lists.debian.org/debian-security-announce/2022/msg00212.html - https://www.cve.org/CVERecord?id=CVE-2022-37797 - https://www.cve.org/CVERecord?id=CVE-2022-41556 SRPMS: - 8/core/lighttpd-1.4.59-1.2.mga8 . Mageia 8 nginx security patch addresses buffer overflow vulnerabilities, preventing potential service interruptions and memory management issues.. lighttpd Update, Mageia Security, Denial Of Service Fix. . LinuxSecurity.com Team
Oct 13, 2022 Mageia 89
security advisorydenial of servicehigh severityFedora 35: FEDORA-2022-c26b19568d High Severity Lighttpd DoS Issue
1.4.67. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2022-c26b19568d 2022-10-05 13:49:40.470430 --------------------------------------------------------------------------------Name : lighttpd Product : Fedora 35 Version : 1.4.67 Release : 1.fc35 URL : http://www.lighttpd.net/ Summary : Lightning fast webserver with light system requirements Description : lighttpd (pronounced /lighty/) is a secure, fast, compliant, and very flexible web server that has been optimized for high-performance environments. lighttpd uses memory and CPU efficiently and has lower resource use than other popular web servers. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and much more) make lighttpd the perfect web server for all systems, small and large. --------------------------------------------------------------------------------Update Information: 1.4.67 --------------------------------------------------------------------------------ChangeLog: * Mon Sep 19 2022 Gwyn Ciesla - 1.4.67-1 - 1.4.67 --------------------------------------------------------------------------------References: [ 1 ] Bug #2130967 - CVE-2022-41556 lighttpd: resource leak can lead to denial of service [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2130967 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-c26b19568d' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Oct 05, 2022 Fedora 202
security advisorymoderatesecurity issueopenSUSE: 2022:10140-1 Moderate: Lighttpd Security Issue
An update that fixes one vulnerability is now available. . openSUSE Security Update: Security update for lighttpd ______________________________________________________________________________ Announcement ID: openSUSE-SU-2022:10140-1 Rating: moderate References: #1203872 Cross-References: CVE-2022-41556 CVSS scores: CVE-2022-41556 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Backports SLE-15-SP3 openSUSE Backports SLE-15-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for lighttpd fixes the following issues: lighttpd was updated to 1.4.67: * Update comment about TCP_INFO on OpenBSD * [mod_ajp13] fix crash with bad response headers (fixes #3170) * [core] handle RDHUP when collecting chunked body CVE-2022-41556 (boo#1203872) * [core] tweak streaming request body to backends * [core] handle ENOSPC with pwritev() (#3171) * [core] manually calculate off_t max (fixes #3171) * [autoconf] force large file support (#3171) * [multiple] quiet coverity warnings using casts * [meson] add license keyword to project declaration Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2022-10140=1 - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2022-10140=1 Package List: - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64): lighttpd-1.4.67-bp154.2.6.1 lighttpd-debuginfo-1.4.67-bp154.2.6.1 lighttpd-debugsource-1.4.67-bp154.2.6.1 lighttpd-mod_authn_gssapi-1.4.67-bp154.2.6.1 lighttpd-mod_authn_gssapi-debuginfo-1.4.67-bp154.2.6.1 lighttpd-mod_authn_ldap-1.4.67-bp154.2.6.1 lighttpd-mod_authn_ldap-debuginfo-1.4.67-bp154.2.6.1 lighttpd-mod_authn_pam-1.4.67-bp154.2.6.1 lighttpd-mod_authn_pam-debuginfo-1.4.67-bp154.2.6.1 lighttpd-mod_authn_sasl-1.4.67-bp154.2.6.1 lighttpd-mod_authn_sasl-debuginfo-1.4.67-bp154.2.6.1 lighttpd-mod_magnet-1.4.67-bp154.2.6.1 lighttpd-mod_magnet-debuginfo-1.4.67-bp154.2.6.1 lighttpd-mod_maxminddb-1.4.67-bp154.2.6.1 lighttpd-mod_maxminddb-debuginfo-1.4.67-bp154.2.6.1 lighttpd-mod_rrdtool-1.4.67-bp154.2.6.1 lighttpd-mod_rrdtool-debuginfo-1.4.67-bp154.2.6.1 lighttpd-mod_vhostdb_dbi-1.4.67-bp154.2.6.1 lighttpd-mod_vhostdb_dbi-debuginfo-1.4.67-bp154.2.6.1 lighttpd-mod_vhostdb_ldap-1.4.67-bp154.2.6.1 lighttpd-mod_vhostdb_ldap-debuginfo-1.4.67-bp154.2.6.1 lighttpd-mod_vhostdb_mysql-1.4.67-bp154.2.6.1 lighttpd-mod_vhostdb_mysql-debuginfo-1.4.67-bp154.2.6.1 lighttpd-mod_vhostdb_pgsql-1.4.67-bp154.2.6.1 lighttpd-mod_vhostdb_pgsql-debuginfo-1.4.67-bp154.2.6.1 lighttpd-mod_webdav-1.4.67-bp154.2.6.1 lighttpd-mod_webdav-debuginfo-1.4.67-bp154.2.6.1 - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64): lighttpd-1.4.67-bp153.2.12.1 lighttpd-mod_authn_gssapi-1.4.67-bp153.2.12.1 lighttpd-mod_authn_ldap-1.4.67-bp153.2.12.1 lighttpd-mod_authn_pam-1.4.67-bp153.2.12.1 lighttpd-mod_authn_sasl-1.4.67-bp153.2.12.1 lighttpd-mod_magnet-1.4.67-bp153.2.12.1 lighttpd-mod_maxminddb-1.4.67-bp153.2.12.1 lighttpd-mod_rrdtool-1.4.67-bp153.2.12.1 lighttpd-mod_vhostdb_dbi-1.4.67-bp153.2.12.1 lighttpd-mod_vhostdb_ldap-1.4.67-bp153.2.12.1 lighttpd-mod_vhostdb_mysql-1.4.67-bp153.2.12.1 lighttpd-mod_vhostdb_pgsql-1.4.67-bp153.2.12.1 lighttpd-mod_webdav-1.4.67-bp153.2.12.1 References: https://www.suse.com/security/cve/CVE-2022-41556.html https://bugzilla.suse.com/1203872 . A notable update for openSUSE concerning security in lighttpd tackles a medium-level vulnerability to bolster overall system safety.. openSUSE Update, Lighttpd Patch, Security Issue Resolution, Moderate Threat Fix. . LinuxSecurity.com Team
Oct 03, 2022 OpenSUSE 197
security advisorycriticaldebianDebian 10: DLA-3133-1 Critical Lighttpd NULL Pointer Dereference
An invalid HTTP request (websocket handshake) may cause a NULL pointer dereference in the wstunnel module. For Debian 10 buster, this problem has been fixed in version . ------------------------------------------------------------------------- Debian LTS Advisory DLA-3133-1
Oct 03, 2022 •Critical Debian LTS 202
security advisorysecurity issueDoSopenSUSE Backports SLE-15-SP3/4: 2022:10132-1 Moderate: Lighttpd DoS
An update that fixes one vulnerability is now available. . openSUSE Security Update: Security update for lighttpd ______________________________________________________________________________ Announcement ID: openSUSE-SU-2022:10132-1 Rating: moderate References: #1203358 Cross-References: CVE-2022-37797 CVSS scores: CVE-2022-37797 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-37797 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Backports SLE-15-SP3 openSUSE Backports SLE-15-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for lighttpd fixes the following issues: lighttpd was updated to 1.4.66: * a number of bug fixes * Fix HTTP/2 downloads > = 4GiB * Fix SIGUSR1 graceful restart with TLS * futher bug fixes * CVE-2022-37797: null pointer dereference in mod_wstunnel, possibly a remotely triggerable crash (boo#1203358) * In an upcoming release the TLS modules will default to using stronger, modern chiphers and will default to allow client preference in selecting ciphers. ???CipherString??? => ???EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384???, ???Options??? => ???-ServerPreference??? old defaults: ???CipherString??? => ???HIGH???, ???Options??? => ???ServerPreference??? * A number of TLS options are how deprecated and will be removed in a future release: ??? ssl.honor-cipher-order ??? ssl.dh-file ??? ssl.ec-curve ??? ssl.disable-client-renegotiation ??? ssl.use-sslv2 ??? ssl.use-sslv3 The replacement option is ssl.openssl.ssl-conf-cmd, but lighttpd defaults should be prefered * A number of modules are now deprecated and will be removed in a future release: mod_evasive, mod_secdownload, mod_uploadprogress, mod_usertrack can be replaced by mod_magnet and a few lines of lua. update to 1.4.65: * WebSockets over HTTP/2 * RFC 8441 Bootstrapping WebSockets with HTTP/2 * HTTP/2 PRIORITY_UPDATE * RFC 9218 Extensible Prioritization Scheme for HTTP * prefix/suffix conditions in lighttpd.conf * mod_webdav safe partial-PUT * webdav.opts += (???partial-put-copy-modify??? => ???enable???) * mod_accesslog option: accesslog.escaping = ???json??? * mod_deflate libdeflate build option * speed up request body uploads via HTTP/2 * Behavior Changes * change default server.max-keep-alive-requests = 1000 to adjust * to increasing HTTP/2 usage and to web2/web3 application usage * (prior default was 100) * mod_status HTML now includes HTTP/2 control stream id 0 in the output * which contains aggregate counts for the HTTP/2 connection * (These lines can be identified with URL ???*???, part of ???PRI *??? preface) * alternative: https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples#lua-mod_status * MIME type application/javascript is translated to text/javascript (RFC 9239) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2022-10132=1 - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2022-10132=1 Package List: - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64): lighttpd-1.4.66-bp154.2.3.1 lighttpd-debuginfo-1.4.66-bp154.2.3.1 lighttpd-debugsource-1.4.66-bp154.2.3.1 lighttpd-mod_authn_gssapi-1.4.66-bp154.2.3.1 lighttpd-mod_authn_gssapi-debuginfo-1.4.66-bp154.2.3.1 lighttpd-mod_authn_ldap-1.4.66-bp154.2.3.1 lighttpd-mod_authn_ldap-debuginfo-1.4.66-bp154.2.3.1 lighttpd-mod_authn_pam-1.4.66-bp154.2.3.1 lighttpd-mod_authn_pam-debuginfo-1.4.66-bp154.2.3.1 lighttpd-mod_authn_sasl-1.4.66-bp154.2.3.1 lighttpd-mod_authn_sasl-debuginfo-1.4.66-bp154.2.3.1 lighttpd-mod_magnet-1.4.66-bp154.2.3.1 lighttpd-mod_magnet-debuginfo-1.4.66-bp154.2.3.1 lighttpd-mod_maxminddb-1.4.66-bp154.2.3.1 lighttpd-mod_maxminddb-debuginfo-1.4.66-bp154.2.3.1 lighttpd-mod_rrdtool-1.4.66-bp154.2.3.1 lighttpd-mod_rrdtool-debuginfo-1.4.66-bp154.2.3.1 lighttpd-mod_vhostdb_dbi-1.4.66-bp154.2.3.1 lighttpd-mod_vhostdb_dbi-debuginfo-1.4.66-bp154.2.3.1 lighttpd-mod_vhostdb_ldap-1.4.66-bp154.2.3.1 lighttpd-mod_vhostdb_ldap-debuginfo-1.4.66-bp154.2.3.1 lighttpd-mod_vhostdb_mysql-1.4.66-bp154.2.3.1 lighttpd-mod_vhostdb_mysql-debuginfo-1.4.66-bp154.2.3.1 lighttpd-mod_vhostdb_pgsql-1.4.66-bp154.2.3.1 lighttpd-mod_vhostdb_pgsql-debuginfo-1.4.66-bp154.2.3.1 lighttpd-mod_webdav-1.4.66-bp154.2.3.1 lighttpd-mod_webdav-debuginfo-1.4.66-bp154.2.3.1 - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64): lighttpd-1.4.66-bp153.2.9.1 lighttpd-mod_authn_gssapi-1.4.66-bp153.2.9.1 lighttpd-mod_authn_ldap-1.4.66-bp153.2.9.1 lighttpd-mod_authn_pam-1.4.66-bp153.2.9.1 lighttpd-mod_authn_sasl-1.4.66-bp153.2.9.1 lighttpd-mod_magnet-1.4.66-bp153.2.9.1 lighttpd-mod_maxminddb-1.4.66-bp153.2.9.1 lighttpd-mod_rrdtool-1.4.66-bp153.2.9.1 lighttpd-mod_vhostdb_dbi-1.4.66-bp153.2.9.1 lighttpd-mod_vhostdb_ldap-1.4.66-bp153.2.9.1 lighttpd-mod_vhostdb_mysql-1.4.66-bp153.2.9.1 lighttpd-mod_vhostdb_pgsql-1.4.66-bp153.2.9.1 lighttpd-mod_webdav-1.4.66-bp153.2.9.1 References: https://www.suse.com/security/cve/CVE-2022-37797.html https://bugzilla.suse.com/1203358 . New update released for lighttpd that resolves a moderate severity vulnerability which could cause system instability. Use zypper to install the update.. openSUSE Backports, lighttpd update, security patch. .LinuxSecurity.com Team
Sep 29, 2022 OpenSUSE 
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!