security lighttpd-1.4.32-1.fc19 security update
Status: stable
Release: Fedora 19
Update ID: FEDORA-2013-15345
Builds: lighttpd-1.4.32-1.fc19 (logs)
Pushed: True
Date Submitted: 2013-08-26 13:34:16
Date Released: 2013-08-26 21:11:40
Submitter: limb
Karma: 2
Stable karma: 3
Unstable karma: -3
Details

One important denial of service fix (affecting 1.4.31): CVE-2012-5533.

A flaw was found in lighttpd version 1.4.31 that could be exploited by a remote user to cause a denial of service condition in lighttpd. A client could send a malformed Connection header to lighttpd (such as "Connection: TE,,Keep-Alive"), which would cause lighttpd to enter an endless loop: the header tokenizer detected an empty token but did not increment the current string position, so it kept re-reading the same ',' indefinitely.

This flaw was introduced in 1.4.31 [1] when an "invalid read" bug was fixed [2].

[1] http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2830/diff/
[2] http://redmine.lighttpd.net/issues/2413
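As an added illustration (not lighttpd's own code, and not the upstream patch), the following C reimplements the two tokenizer patterns the description above contrasts: a buggy loop that detects an empty token without advancing the position, and a fixed loop that consumes at least one byte per iteration. The enum, the function names and the step budget that makes the buggy variant return CONN_STUCK instead of hanging are all constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of scanning a Connection header value (constructed enum). */
enum conn_result { CONN_NONE = 0, CONN_KEEP_ALIVE = 1, CONN_CLOSE = 2, CONN_STUCK = -1 };

/* Case-insensitive comparison of a token slice against a NUL-terminated word. */
static int token_eq(const char *tok, size_t n, const char *word) {
    if (strlen(word) != n) return 0;
    for (size_t k = 0; k < n; k++)
        if (tolower((unsigned char)tok[k]) != tolower((unsigned char)word[k])) return 0;
    return 1;
}

/* Classify one token; whitespace around the token is ignored. */
static int classify(const char *tok, size_t n, int current) {
    while (n > 0 && isspace((unsigned char)*tok)) { tok++; n--; }
    while (n > 0 && isspace((unsigned char)tok[n - 1])) n--;
    if (token_eq(tok, n, "close")) return CONN_CLOSE;
    if (token_eq(tok, n, "keep-alive")) return CONN_KEEP_ALIVE;
    return current;
}

/* Buggy pattern: an empty token is detected but the position is not advanced,
 * so the loop re-reads the same ',' forever. A step budget (constructed for
 * this example) stands in for the hang and returns CONN_STUCK instead. */
int connection_scan_buggy(const char *value) {
    size_t i = 0, len = strlen(value);
    unsigned long steps = 0;
    int result = CONN_NONE;
    while (i < len) {
        if (++steps > 4 * len + 16) return CONN_STUCK;  /* would spin forever */
        size_t start = i;
        while (i < len && value[i] != ',') i++;
        if (i == start) continue;          /* defect: no progress on empty token */
        result = classify(value + start, i - start, result);
        if (i < len) i++;                  /* skip the comma */
    }
    return result;
}

/* Fixed pattern: every iteration consumes at least one byte, so an empty
 * token ("TE,,Keep-Alive" or a lone ",") is skipped rather than re-read. */
int connection_scan_fixed(const char *value) {
    size_t i = 0, len = strlen(value);
    int result = CONN_NONE;
    while (i < len) {
        size_t start = i;
        while (i < len && value[i] != ',') i++;
        if (i > start) result = classify(value + start, i - start, result);
        if (i < len) i++;                  /* always step past the delimiter */
    }
    return result;
}

int main(void) {
    const char *hdr = "TE,,Keep-Alive";   /* constructed sample, taken from the advisory text */
    printf("buggy: %d (CONN_STUCK = -1)\n", connection_scan_buggy(hdr));
    printf("fixed: %d (CONN_KEEP_ALIVE = 1)\n", connection_scan_fixed(hdr));
    return 0;
}
```

The defensive point is the loop invariant: a tokenizer must guarantee forward progress on every path, including the "empty token" path, and a regression test for a parser fix should include inputs with consecutive delimiters and a delimiter-only value.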

Acknowledgement:

Red Hat would like to thank Stefan Bühler for reporting this issue. Upstream acknowledges Jesse Sipprell from McClatchy Interactive, Inc. as the original reporter.

Bugs Fixed
878915 - CVE-2012-5533: lighttpd: Denial of Service via malformed Connection headers [epel-all]
878914 - CVE-2012-5533: lighttpd: Denial of Service via malformed Connection headers [fedora-all]
Feedback
bodhi - 2013-08-26 13:34:36
This update has been submitted for testing by limb.
bodhi - 2013-08-26 15:06:11
This update is currently being pushed to the Fedora 19 testing updates repository.
bodhi - 2013-08-26 22:32:35
This update has been pushed to testing
avij - 2013-08-27 06:41:30
A quick test in a virtual machine showed that the upgrade worked and the new version was no longer DoSable.
patches (proventesters) - 2013-08-29 11:59:28
no regressions noted
bodhi - 2013-09-03 10:07:08
This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes
bodhi - 2013-09-03 12:22:49
This update has been submitted for stable by limb.
bodhi - 2013-09-03 15:26:36
This update is currently being pushed to the Fedora 19 stable updates repository.
bodhi - 2013-09-03 22:31:27
This update has been pushed to stable
