Bug 303213 (CVE-2010-0295)

Summary: <www-servers/lighttpd-1.4.25-r1: slow request dos/oom attack (CVE-2010-0295)
Product: Gentoo Security
Reporter: Tobias Heinlein (RETIRED) <keytoaster>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: bernd, darkside, www-servers+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Tobias Heinlein (RETIRED) gentoo-dev 2010-02-02 13:18:20 UTC
See $URL.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-02-02 13:20:15 UTC
Christian already bumped it, thanks.

Arches, please test and mark stable:
=www-servers/lighttpd-1.4.25-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Already stabled : "amd64"
Missing keywords: "alpha arm hppa ia64 ppc ppc64 sparc x86"

Comment 2 Andreas Schürch gentoo-dev 2010-02-02 16:33:02 UTC
Seems to be ok here on x86, all tests passed.
Comment 3 Brent Baude (RETIRED) gentoo-dev 2010-02-02 19:11:56 UTC
ppc64 done
Comment 4 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-02-02 22:01:22 UTC
*** Bug 301563 has been marked as a duplicate of this bug. ***
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-02-03 09:40:06 UTC
stable x86, thanks Andreas
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2010-02-03 20:45:23 UTC
alpha/arm/ia64/sparc stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-02-03 23:41:02 UTC
Stable for HPPA.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2010-02-04 00:06:14 UTC
Stable for PPC.
Comment 9 Bernd Marienfeldt 2010-02-09 21:17:21 UTC
When can we expect AMD64 to be stable?
Comment 10 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-02-09 21:21:56 UTC
(In reply to comment #9)
> When can we expect AMD64 to be stable?

They already are, you may need to --sync again.

Keywords: lighttpd-1.4.25-r1: alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86 ~mips ~sparc-fbsd ~x86-fbsd
Comment 11 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-03-04 11:48:27 UTC
CVE-2010-0295 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0295):
  lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read
  operation that occurs for a request, which allows remote attackers to
  cause a denial of service (memory consumption) by breaking a request
  into small pieces that are sent at a slow rate.

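The allocation pattern the NVD text above describes, shown as a constructed C model added here (not lighttpd's code): a per-connection reader that allocates a fresh chunk on every read, beside one that keeps a single bounded buffer per connection. CHUNK_SIZE and MAX_REQUEST are assumed values, and the "reads" are simulated, not socket I/O.

```c
#include <stdlib.h>
#include <string.h>

#define CHUNK_SIZE  4096   /* buffer allocated per read (assumed value) */
#define MAX_REQUEST 8192   /* hardened cap on bytes buffered per request (assumed) */

/* Vulnerable strategy: every read gets its own CHUNK_SIZE buffer and all of
 * them stay alive until the request completes. Simulates nreads reads of n
 * bytes each and returns the heap bytes held for this single connection:
 * nreads * CHUNK_SIZE regardless of how small n is. */
size_t vulnerable_buffer_usage(size_t nreads, size_t n) {
    char **chunks = calloc(nreads, sizeof *chunks);
    size_t held = 0;
    if (!chunks || n > CHUNK_SIZE) { free(chunks); return 0; }
    for (size_t i = 0; i < nreads; i++) {
        chunks[i] = malloc(CHUNK_SIZE);     /* fresh chunk, even for 1 byte */
        if (!chunks[i]) break;
        memset(chunks[i], 'A', n);          /* pretend n bytes arrived */
        held += CHUNK_SIZE;                 /* CHUNK_SIZE - n bytes are idle */
    }
    for (size_t i = 0; i < nreads; i++) free(chunks[i]);
    free(chunks);
    return held;
}

/* Hardened strategy: one buffer per connection, grown only when the data
 * no longer fits and capped at MAX_REQUEST. Returns the heap bytes held, or
 * 0 when the cap was exceeded and the connection would be closed. */
size_t hardened_buffer_usage(size_t nreads, size_t n) {
    char *buf = NULL;
    size_t cap = 0, len = 0;
    for (size_t i = 0; i < nreads; i++) {
        if (len + n > MAX_REQUEST) {        /* bound the total request size */
            free(buf);
            return 0;
        }
        if (len + n > cap) {                /* grow geometrically, not per read */
            size_t ncap = cap ? cap * 2 : CHUNK_SIZE;
            while (ncap < len + n) ncap *= 2;
            char *nb = realloc(buf, ncap);
            if (!nb) { free(buf); return 0; }
            buf = nb;
            cap = ncap;
        }
        memset(buf + len, 'A', n);          /* append the arrived bytes */
        len += n;
    }
    free(buf);
    return cap;
}
```

With 1000 one-byte reads the per-read strategy holds 1000 * 4096 bytes for a single connection, while the bounded one holds 4096 and closes the connection once 8192 bytes have been buffered without a complete request.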
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:49:23 UTC
GLSA vote: YES.
Comment 13 Thilo Bangert (RETIRED) gentoo-dev 2010-03-14 21:32:10 UTC
glsa(!), please?!
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-15 14:20:31 UTC
YES too, request filed.

Please note that due to huge workload it will take some time for the GLSA to be written.
Comment 15 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-06-03 14:16:28 UTC
GLSA 201006-17