Summary: | <www-servers/lighttpd-1.4.25-r1: slow request dos/oom attack (CVE-2010-0295) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tobias Heinlein (RETIRED) <keytoaster> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | bernd, darkside, www-servers+disabled |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt | ||
Whiteboard: | B3 [glsa] | ||
Package list: | | Runtime testing required: | --- |
Description

Tobias Heinlein (RETIRED)

Christian already bumped it, thanks. Arches, please test and mark stable: =www-servers/lighttpd-1.4.25-r1

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Already stabled : "amd64"
Missing keywords: "alpha arm hppa ia64 ppc ppc64 sparc x86"

Seems to be ok here on x86, all tests passed.

ppc64 done

*** Bug 301563 has been marked as a duplicate of this bug. ***

stable x86, thanks Andreas

alpha/arm/ia64/sparc stable

Stable for HPPA.

Stable for PPC.

When can we expect AMD64 to be stable?

(In reply to comment #9)
> When can we expect AMD64 to be stable?

They already are, you may need to --sync again.

Keywords: lighttpd-1.4.25-r1: alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86 ~mips ~sparc-fbsd ~x86-fbsd

CVE-2010-0295 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0295): lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate.

GLSA vote: YES.

glsa(!), please?!

YES too, request filed. Please note that due to huge workload it will take some time for the GLSA to be written.

GLSA 201006-17