lighttpd-1.4.32-1.el5 security update
Release: Fedora EPEL 5
Date Submitted: 2013-08-26 13:34:37
Date Released: 2013-08-26 15:41:06
One important denial of service fix (affecting 1.4.31): CVE-2012-5533.
A flaw was found in lighttpd version 1.4.31 that could be exploited by a remote user to cause a denial of service condition in lighttpd. A client could send a malformed Connection header to lighttpd (such as "Connection: TE,,Keep-Alive"), which would cause lighttpd to enter an endless loop, detecting an empty token but not incrementing the current string position, causing it to continually read ',' over and over.
This flaw was introduced in 1.4.31 when an "invalid read" bug was fixed:
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2830/diff/
http://redmine.lighttpd.net/issues/2413
Red Hat would like to thank Stefan Bühler for reporting this issue. Upstream acknowledges Jesse Sipprell from McClatchy Interactive, Inc. as the original reporter.

Bugs Fixed

bodhi - 2013-08-26 13:34:52: This update has been submitted for testing by limb.
bodhi - 2013-08-26 14:40:08: This update is currently being pushed to the Fedora EPEL 5 testing updates repository.
bodhi - 2013-08-26 16:49:26: This update has been pushed to testing.
avij - 2013-08-26 17:27:42: Works and no longer DoSable.
bodhi - 2013-09-09 22:03:28: This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes.
bodhi - 2013-09-10 11:52:07: This update has been submitted for stable by limb.
bodhi - 2013-09-10 15:35:22: This update is currently being pushed to the Fedora EPEL 5 stable updates repository.
bodhi - 2013-09-10 17:39:28: This update has been pushed to stable.