lighttpd-1.4.32-1.el6 security update
Release: Fedora EPEL 6
Date Submitted: 2013-08-26 13:33:43
Date Released: 2013-08-26 15:41:11
One important fix for a denial of service in 1.4.31: CVE-2012-5533.
A flaw was found in lighttpd 1.4.31 that a remote, unauthenticated client could exploit to cause a denial of service. A client could send a malformed Connection header (such as "Connection: TE,,Keep-Alive"); lighttpd's header tokenizer would detect the empty token between the two commas but not advance its position in the string, so it re-read the same ',' over and over and the server spun in an endless loop.
This flaw was introduced in 1.4.31 when an "invalid read" bug was fixed, so only 1.4.31 is affected. This update moves EPEL 6 to 1.4.32, which carries the upstream fix.
Upstream fix (r2830): http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2830/diff/
Upstream issue #2413: http://redmine.lighttpd.net/issues/2413
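The loop described above, as an added example in C (not lighttpd's own code and not the upstream fix): a hypothetical Connection-header tokenizer with the empty-token defect beside the corrected one. The type and function names (conn_scan, next_token, scan_connection_buggy, scan_connection_fixed) are constructed for this example; the buggy variant takes an iteration cap so that it returns instead of hanging, and the input "TE,,Keep-Alive" is the header value the advisory itself quotes.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of scanning a Connection header value (constructed type for this
 * example; not a lighttpd data structure). */
typedef struct {
    int  tokens;      /* non-empty comma-separated tokens seen */
    bool keep_alive;  /* some token equalled "keep-alive" (case-insensitive) */
    bool terminated;  /* false if the scan hit its iteration cap */
} conn_scan;

/* Case-insensitive compare of the n-byte token s against a literal. */
static bool token_is(const char *s, size_t n, const char *lit)
{
    if (strlen(lit) != n) return false;
    for (size_t k = 0; k < n; k++)
        if (tolower((unsigned char)s[k]) != tolower((unsigned char)lit[k])) return false;
    return true;
}

/* Locate the next token starting at v[i]: *s/*e receive the bounds of the
 * token with surrounding blanks trimmed; the return value is the index of the
 * ',' that ends it (or len when there is no further separator). */
static size_t next_token(const char *v, size_t i, size_t len, size_t *s, size_t *e)
{
    size_t j = i;
    while (j < len && v[j] != ',') j++;
    *s = i;
    *e = j;
    while (*s < *e && (v[*s] == ' ' || v[*s] == '\t')) (*s)++;
    while (*e > *s && (v[*e - 1] == ' ' || v[*e - 1] == '\t')) (*e)--;
    return j;
}

static void record(conn_scan *r, const char *v, size_t s, size_t e)
{
    r->tokens++;
    if (token_is(v + s, e - s, "keep-alive")) r->keep_alive = true;
}

/* Buggy tokenizer with the defect the advisory describes: on an empty token
 * it 'continue's without moving past the ',', so ",," is re-read forever.
 * max_iter stands in for the endless loop so that the function returns. */
static conn_scan scan_connection_buggy(const char *v, size_t max_iter)
{
    conn_scan r = {0, false, true};
    size_t len = strlen(v), i = 0, iter = 0;
    while (i < len) {
        if (++iter > max_iter) { r.terminated = false; return r; }
        size_t s, e;
        size_t j = next_token(v, i, len, &s, &e);
        if (s == e) continue;          /* BUG: i is not advanced past the ',' */
        record(&r, v, s, e);
        i = j + 1;
    }
    return r;
}

/* Fixed tokenizer: the position always moves past the separator, empty token
 * or not, so every iteration makes progress and the loop must terminate. */
static conn_scan scan_connection_fixed(const char *v)
{
    conn_scan r = {0, false, true};
    size_t len = strlen(v), i = 0;
    while (i < len) {
        size_t s, e;
        size_t j = next_token(v, i, len, &s, &e);
        if (s != e) record(&r, v, s, e);
        i = j + 1;                     /* always advance, even past an empty token */
    }
    return r;
}

int main(void)
{
    /* Constructed input: the header value quoted in the advisory. */
    const char *hdr = "TE,,Keep-Alive";
    conn_scan b = scan_connection_buggy(hdr, 1000);
    conn_scan f = scan_connection_fixed(hdr);
    printf("buggy: terminated=%d tokens=%d keep_alive=%d\n", b.terminated, b.tokens, b.keep_alive);
    printf("fixed: terminated=%d tokens=%d keep_alive=%d\n", f.terminated, f.tokens, f.keep_alive);
    return 0;
}
```

On "TE,,Keep-Alive" the fixed scanner returns two tokens and recognizes Keep-Alive; the buggy one records "TE", then exhausts its cap on the second comma without ever reaching "Keep-Alive". The property worth checking when reviewing any comma-list header parser is the same one the upstream fix restores: the scan index must advance on every path through the loop, including the path that skips an empty token.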
Red Hat would like to thank Stefan Bühler for reporting this issue. Upstream acknowledges Jesse Sipprell from McClatchy Interactive, Inc. as the original reporter.

bodhi - 2013-08-26 13:34:15 This update has been submitted for testing by limb.
bodhi - 2013-08-26 14:40:07 This update is currently being pushed to the Fedora EPEL 6 testing updates repository.
bodhi - 2013-08-26 16:50:08 This update has been pushed to testing.
avij - 2013-08-26 17:24:21 Works and no longer DoSable.
rheldaemon - 2013-08-27 08:04:34 Tested and described problem does not occur anymore. - HTH
nibbler - 2013-09-04 09:09:52 Works for me.
bodhi - 2013-09-04 09:09:57 This update has reached the stable karma threshold and will be pushed to the stable updates repository.
bodhi - 2013-09-04 15:46:24 This update is currently being pushed to the Fedora EPEL 6 stable updates repository.
bodhi - 2013-09-04 18:27:30 This update has been pushed to stable.