security lighttpd-1.4.32-1.el5 security update
Status:stable
Release: Fedora EPEL 5
Update ID: FEDORA-EPEL-2013-11336
Builds: lighttpd-1.4.32-1.el5 (logs)
Pushed: True
Date Submitted: 2013-08-26 13:34:37
Date Released: 2013-08-26 15:41:06
Submitter: limb
Karma: 1
Stable karma: 3
Unstable karma: -3
Details

One important denial of service (in 1.4.31) fix: CVE-2012-5533.

A flaw was found in lighttpd version 1.4.31 that could be exploited by a remote user to cause a denial of service condition in lighttpd. A client could send a malformed Connection header to lighttpd (such as "Connection: TE,,Keep-Alive"), which would cause lighttpd to enter an endless loop: the tokenizer detected an empty token but did not increment the current string position, so it read the same ',' over and over.

This flaw was introduced in 1.4.31 [1] when an "invalid read" bug was fixed [2].

[1] http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2830/diff/
[2] http://redmine.lighttpd.net/issues/2413
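As an added illustration of the parsing mistake described above (this is not lighttpd's code; the helper names are assumptions), a Connection-header tokenizer in C whose separator-skipping step always consumes the ',' before the next token is examined, so a value such as "TE,,Keep-Alive" produces an empty token without stalling the loop:

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Advance *cursor to the next non-empty comma-separated token.
 * On success stores the token's start and length and returns 1;
 * returns 0 when the value is exhausted. Every successful call
 * consumes at least one byte, so no input can stall the caller. */
static int next_token(const char **cursor, const char **start, size_t *len)
{
    const char *p = *cursor;
    /* Skip separators (commas and blanks). A run like ",," is an empty
     * token; in 1.4.31 that case was detected without advancing past the
     * ',' (CVE-2012-5533). Here the ',' is always consumed. */
    while (*p == ',' || *p == ' ' || *p == '\t') p++;
    if (*p == '\0') { *cursor = p; return 0; }
    *start = p;
    while (*p != '\0' && *p != ',') p++;        /* scan the token body */
    const char *end = p;
    while (end > *start && (end[-1] == ' ' || end[-1] == '\t')) end--;
    *len = (size_t)(end - *start);
    *cursor = p;                                /* at ',' or NUL */
    return 1;
}

/* Count the non-empty tokens in a Connection header value. */
int connection_token_count(const char *value)
{
    const char *cur = value, *tok; size_t len; int n = 0;
    while (next_token(&cur, &tok, &len)) n++;
    return n;
}

/* Return 1 if the header lists `want` (case-insensitive), else 0. */
int connection_has_token(const char *value, const char *want)
{
    const char *cur = value, *tok; size_t len, wlen = strlen(want);
    while (next_token(&cur, &tok, &len))
        if (len == wlen && strncasecmp(tok, want, wlen) == 0) return 1;
    return 0;
}
```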

Acknowledgement:

Red Hat would like to thank Stefan Bühler for reporting this issue. Upstream acknowledges Jesse Sipprell from McClatchy Interactive, Inc. as the original reporter.

Bugs Fixed
878915 - CVE-2012-5533: lighttpd: Denial of Service via malformed Connection headers [epel-all]
878914 - CVE-2012-5533: lighttpd: Denial of Service via malformed Connection headers [fedora-all]
Feedback
bodhi - 2013-08-26 13:34:52
This update has been submitted for testing by limb.
bodhi - 2013-08-26 14:40:08
This update is currently being pushed to the Fedora EPEL 5 testing updates repository.
bodhi - 2013-08-26 16:49:26
This update has been pushed to testing
avij - 2013-08-26 17:27:42
Works and no longer DoSable.
bodhi - 2013-09-09 22:03:28
This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes
bodhi - 2013-09-10 11:52:07
This update has been submitted for stable by limb.
bodhi - 2013-09-10 15:35:22
This update is currently being pushed to the Fedora EPEL 5 stable updates repository.
bodhi - 2013-09-10 17:39:28
This update has been pushed to stable
