Bug 303213 (CVE-2010-0295) - <www-servers/lighttpd-1.4.25-r1: slow request dos/oom attack (CVE-2010-0295)
Summary: <www-servers/lighttpd-1.4.25-r1: slow request dos/oom attack (CVE-2010-0295)
Status: RESOLVED FIXED
Alias: CVE-2010-0295
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://download.lighttpd.net/lighttpd...
Whiteboard: B3 [glsa]
Keywords:
Duplicates: 301563
Depends on:
Blocks:
 
Reported: 2010-02-02 13:18 UTC by Tobias Heinlein (RETIRED)
Modified: 2010-06-03 14:16 UTC

See Also:
Package list:
Runtime testing required: ---


Description Tobias Heinlein (RETIRED) gentoo-dev 2010-02-02 13:18:20 UTC
See $URL.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-02-02 13:20:15 UTC
Christian already bumped it, thanks.

Arches, please test and mark stable:
=www-servers/lighttpd-1.4.25-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Already stabled : "amd64"
Missing keywords: "alpha arm hppa ia64 ppc ppc64 sparc x86"

Comment 2 Andreas Schürch gentoo-dev 2010-02-02 16:33:02 UTC
Seems to be ok here on x86, all tests passed.
Comment 3 Brent Baude (RETIRED) gentoo-dev 2010-02-02 19:11:56 UTC
ppc64 done
Comment 4 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-02-02 22:01:22 UTC
*** Bug 301563 has been marked as a duplicate of this bug. ***
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-02-03 09:40:06 UTC
stable x86, thanks Andreas
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2010-02-03 20:45:23 UTC
alpha/arm/ia64/sparc stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-02-03 23:41:02 UTC
Stable for HPPA.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2010-02-04 00:06:14 UTC
Stable for PPC.
Comment 9 Bernd Marienfeldt 2010-02-09 21:17:21 UTC
When can we expect AMD64 to be stable?
Comment 10 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-02-09 21:21:56 UTC
(In reply to comment #9)
> When can we expect AMD64 to be stable ? 
> 

They already are, you may need to --sync again.

Keywords: lighttpd-1.4.25-r1: alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86 ~mips ~sparc-fbsd ~x86-fbsd
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-04 11:48:27 UTC
CVE-2010-0295 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0295):
  lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read
  operation that occurs for a request, which allows remote attackers to
  cause a denial of service (memory consumption) by breaking a request
  into small pieces that are sent at a slow rate.
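The CVE text above describes the pattern: a buffer is allocated per read, so a client that drips a request in tiny pieces makes the server's memory grow with the number of reads rather than with the bytes received. The following is an added illustration of that pattern beside a bounded alternative; it is constructed for this bug page and is not lighttpd's code. The 4096-byte per-read allocation, the 8192-byte request cap, the idle timeout and the sample request are all assumptions chosen for the demonstration; the simulation advances a fake clock instead of sleeping and opens no sockets.

```python
"""Per-read buffer allocation (the CVE-2010-0295 pattern) vs. a bounded reader.

Constructed illustration, not lighttpd source. All sizes and timeouts are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed size of the buffer the vulnerable reader allocates on every read.
READ_BUFFER_SIZE = 4096

# Constructed sample request, 38 bytes on the wire.
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


@dataclass
class PerReadBufferReader:
    """Vulnerable pattern: every read gets its own full-size buffer that is kept
    until the request is complete, so memory scales with read count."""
    chunks: list = field(default_factory=list)

    def feed(self, data: bytes) -> None:
        buf = bytearray(READ_BUFFER_SIZE)      # fresh allocation per read
        buf[: len(data)] = data
        self.chunks.append((buf, len(data)))

    def allocated_bytes(self) -> int:
        return sum(len(buf) for buf, _ in self.chunks)

    def payload_bytes(self) -> int:
        return sum(n for _, n in self.chunks)


class RequestTooLarge(Exception):
    pass


class RequestIdleTimeout(Exception):
    pass


@dataclass
class BoundedReader:
    """Hardened pattern: one growable buffer, a hard cap on request size and an
    idle timeout between reads, so memory scales with bytes received and is capped."""
    max_request_bytes: int = 8192
    idle_timeout_s: float = 5.0
    buf: bytearray = field(default_factory=bytearray)
    last_activity: Optional[float] = None

    def feed(self, data: bytes, now: float) -> None:
        if self.last_activity is not None and now - self.last_activity > self.idle_timeout_s:
            raise RequestIdleTimeout(f"no data for {now - self.last_activity:.1f}s")
        if len(self.buf) + len(data) > self.max_request_bytes:
            raise RequestTooLarge(f"request exceeds {self.max_request_bytes} bytes")
        self.buf += data                       # append into the single buffer
        self.last_activity = now

    def allocated_bytes(self) -> int:
        return len(self.buf)


def simulate(request: bytes, chunk_size: int, interval_s: float) -> dict:
    """Deliver `request` in `chunk_size`-byte pieces, one every `interval_s`
    seconds of simulated time, to both readers and report what each retained."""
    vulnerable = PerReadBufferReader()
    bounded = BoundedReader()
    clock = 0.0
    outcome = "completed"
    for i in range(0, len(request), chunk_size):
        piece = request[i : i + chunk_size]
        vulnerable.feed(piece)
        try:
            bounded.feed(piece, clock)
        except (RequestTooLarge, RequestIdleTimeout) as exc:
            outcome = type(exc).__name__       # bounded reader dropped the request
            break
        clock += interval_s
    return {
        "reads": len(vulnerable.chunks),
        "payload_bytes": vulnerable.payload_bytes(),
        "vulnerable_allocated": vulnerable.allocated_bytes(),
        "bounded_allocated": bounded.allocated_bytes(),
        "outcome": outcome,
    }


if __name__ == "__main__":
    # One byte per read: the vulnerable reader holds 38 * 4096 bytes for a 38-byte request.
    print(simulate(SAMPLE_REQUEST, chunk_size=1, interval_s=0.5))
    # Oversized request: the bounded reader stops at its cap.
    print(simulate(b"A" * 9000, chunk_size=100, interval_s=0.1))
    # Long gap between reads: the bounded reader times the request out.
    print(simulate(b"abc", chunk_size=1, interval_s=6.0))
```

The first run shows the amplification the advisory describes: 38 bytes of request cost the vulnerable reader 38 reads times 4096 bytes, while the bounded reader holds exactly 38. The cap and idle timeout limit how much a single slow connection can hold in memory; they do not by themselves limit how many such connections exist, which is a separate per-server connection limit.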

Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:49:23 UTC
GLSA vote: YES.
Comment 13 Thilo Bangert (RETIRED) gentoo-dev 2010-03-14 21:32:10 UTC
glsa(!), please?!
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-15 14:20:31 UTC
YES too, request filed.

Please note that due to huge workload it will take some time for the GLSA to be written.
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-03 14:16:28 UTC
GLSA 201006-17