stable
FEDORA-EPEL-2013-11336 created by limb 9 years ago for Fedora EPEL 5

One important fix for a remotely triggerable denial of service in lighttpd 1.4.31: CVE-2012-5533.

A flaw was found in lighttpd version 1.4.31 that could be exploited by a remote user to cause a denial of service condition in lighttpd. A client could send a malformed Connection header (such as "Connection: TE,,Keep-Alive"), which would cause lighttpd to enter an endless loop: the header tokenizer detected the empty token between the two commas but did not advance its position in the string, so it kept reading the same ',' over and over.

This flaw was introduced in 1.4.31 [1] when an "invalid read" bug was fixed [2].

[1] http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2830/diff/
[2] http://redmine.lighttpd.net/issues/2413
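As an added illustration of the bug class described above, and not lighttpd's own source (which this page does not reproduce): a comma-list tokenizer written the buggy way, which skips an empty token without consuming the ',' it stopped on, next to one that always makes progress, plus a case-insensitive check for the "close" token built on the fixed variant. The step cap MAX_STEPS is an assumption added so the buggy variant returns instead of spinning; a server has no such guard.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction of the bug class (empty token, position not
 * advanced); this is NOT lighttpd's source. MAX_STEPS is an assumption added
 * so the buggy variant returns instead of spinning forever. */
#define MAX_STEPS 1000

/* Skip optional whitespace, then scan up to the next ',' or end of string.
 * On return [*start, *pos) is the token (possibly empty) and *pos sits on
 * the ',' that ended it, or at len. */
static void scan_token(const char *s, size_t len, size_t *pos, size_t *start)
{
    while (*pos < len && (s[*pos] == ' ' || s[*pos] == '\t'))
        (*pos)++;
    *start = *pos;
    while (*pos < len && s[*pos] != ',')
        (*pos)++;
}

/* Buggy tokenizer: an empty token (",,") is skipped with `continue` before
 * the ',' is consumed, so the next iteration sees the same ',' again.
 * Returns the token count, or -1 when the step cap is hit (it "hung"). */
static int count_tokens_buggy(const char *s)
{
    size_t len = strlen(s), pos = 0, start;
    int tokens = 0, steps = 0;

    while (pos < len) {
        if (++steps > MAX_STEPS)
            return -1;                 /* a real server would loop here forever */
        scan_token(s, len, &pos, &start);
        if (pos == start)
            continue;                  /* BUG: pos not advanced past ',' */
        tokens++;
        if (pos < len)
            pos++;                     /* consume ',' */
    }
    return tokens;
}

/* Fixed tokenizer: the loop body always consumes the ',' it stopped on,
 * so every iteration makes progress whether or not the token was empty. */
static int count_tokens_fixed(const char *s)
{
    size_t len = strlen(s), pos = 0, start;
    int tokens = 0;

    while (pos < len) {
        scan_token(s, len, &pos, &start);
        if (pos > start)
            tokens++;                  /* empty tokens are simply ignored */
        if (pos < len)
            pos++;                     /* ALWAYS consume ',' */
    }
    return tokens;
}

/* Case-insensitive compare of s[0..n) against a NUL-terminated lowercase word. */
static int token_equals_ci(const char *s, size_t n, const char *word)
{
    if (strlen(word) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != (unsigned char)word[i])
            return 0;
    return 1;
}

/* Returns 1 if the Connection header value lists the "close" token. */
static int connection_wants_close(const char *s)
{
    size_t len = strlen(s), pos = 0, start;

    while (pos < len) {
        scan_token(s, len, &pos, &start);
        size_t tlen = pos - start;
        while (tlen > 0 && (s[start + tlen - 1] == ' ' || s[start + tlen - 1] == '\t'))
            tlen--;                    /* trim trailing whitespace */
        if (token_equals_ci(s + start, tlen, "close"))
            return 1;
        if (pos < len)
            pos++;
    }
    return 0;
}

int main(void)
{
    const char *hdr = "TE,,Keep-Alive"; /* the malformed value quoted in the notes */

    printf("buggy tokenizer: %d (-1 = hit step cap, i.e. would spin)\n",
           count_tokens_buggy(hdr));
    printf("fixed tokenizer: %d tokens\n", count_tokens_fixed(hdr));
    printf("'keep-alive, Close' wants close: %d\n",
           connection_wants_close("keep-alive, Close"));
    return 0;
}
```

On "TE,,Keep-Alive" the buggy variant hits the step cap and returns -1, the fixed one counts two tokens. To check a running server rather than the tokenizer, send the same header with a client-side timeout, for example curl -m 5 -H 'Connection: TE,,Keep-Alive' http://host/ : per the description above an unpatched 1.4.31 never answers and the request times out, while a patched build responds normally.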

Acknowledgement:

Red Hat would like to thank Stefan Bühler for reporting this issue. Upstream acknowledges Jesse Sipprell from McClatchy Interactive, Inc. as the original reporter.

This update has been submitted for testing by limb.

9 years ago

This update is currently being pushed to the Fedora EPEL 5 testing updates repository.

9 years ago

This update has been pushed to testing

9 years ago
avij commented & provided feedback 9 years ago
karma

Works and no longer DoSable.

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

9 years ago

This update has been submitted for stable by limb.

9 years ago

This update is currently being pushed to the Fedora EPEL 5 stable updates repository.

9 years ago

This update has been pushed to stable

9 years ago


Metadata
Type: security
Karma: 1
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 9 years ago
in testing: 9 years ago
in stable: 9 years ago
BZ#878914 CVE-2012-5533 lighttpd: Denial of Service via malformed Connection headers [fedora-all]
BZ#878915 CVE-2012-5533 lighttpd: Denial of Service via malformed Connection headers [epel-all]
