CVE-2022-30780: Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.

A rather silly writeup exists, along with an exploit:
https://podalirius.net/en/cves/2022-30780/
https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f561442e589e60f79873b3f4db5e9935970ac46

commit 2f561442e589e60f79873b3f4db5e9935970ac46
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-07-24 01:48:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-24 01:48:52 +0000

    www-servers/lighttpd: drop 1.4.55-r102, 1.4.58-r2, 1.4.59-r2

    Bug: https://bugs.gentoo.org/851234
    Bug: https://bugs.gentoo.org/830691
    Bug: https://bugs.gentoo.org/803821
    Signed-off-by: Sam James <sam@gentoo.org>

 www-servers/lighttpd/Manifest                    |   3 -
 www-servers/lighttpd/files/conf/lighttpd.conf    | 279 ---------------------
 .../files/lighttpd-1.4.59-nspr-header.patch      |  16 --
 www-servers/lighttpd/files/lighttpd.initd        |  79 ------
 www-servers/lighttpd/lighttpd-1.4.55-r102.ebuild | 247 ------------------
 www-servers/lighttpd/lighttpd-1.4.58-r2.ebuild   | 268 --------------------
 www-servers/lighttpd/lighttpd-1.4.59-r2.ebuild   | 242 ------------------
 www-servers/lighttpd/metadata.xml                |   2 -
 8 files changed, 1136 deletions(-)
GLSA vote: no.