| Summary: | <www-servers/lighttpd-1.4.32 : HTTP Header Processing Denial of Service Vulnerability (CVE-2012-5533) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | hwoarang, mr20.gentoo, wired |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2012-11-21 16:35:17 UTC
Ebuild in portage. Please test with various USE flag combinations.

(In reply to comment #1)
> Ebuild in portage. Please test with various USE flag combinations

http://bpaste.net/raw/59688/ should be enough.

Arches, please test and mark stable:
=www-servers/lighttpd-1.4.32
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

(In reply to comment #2)
> (In reply to comment #1)
> > Ebuild in portage. Please test with various USE flag combinations
>
> http://bpaste.net/raw/59688/ should be enough.
>
> Arches, please test and mark stable:
> =www-servers/lighttpd-1.4.32
> Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

I asked you multiple times not to use online paste services, as they may not be available in the future (or when arch teams get around to handling this bug).

(In reply to comment #3)
> I asked you multiple times not to use online paste services, as they may not
> be available in the future (or when arch teams get around to handling this bug).

This paste will never be useful in the future; it is just to say it passed multiple compile tests.

amd64 stable

Stable for HPPA.

(In reply to comment #4)
> (In reply to comment #3)
> > I asked you multiple times not to use online paste services, as they may not
> > be available in the future (or when arch teams get around to handling this bug).
>
> This paste will never be useful in the future; it is just to say it passed
> multiple compile tests.

"You should never use URL to point to pastebins for error messages, logs, emerge --info output, screenshots or similar information. Instead, these should always be attached to the bug."
http://www.gentoo.org/doc/en/bugzilla-howto.xml

stable ppc ppc64

x86 ok. emerge, test and run successfully.
repoman complains about file.size of lighttpd-1.4.29-mod_uploadprogress.patch.
My USE flags: bzip2 gdbm pcre rrdtool ssl {test} webdav zlib -doc -fam -ipv6 -kerberos -ldap -libev -lua -memcache -minimal -mmap -mysql -php (-selinux) -uploadprogress -xattr

stable arm

alpha/ia64/sh/sparc/x86 stable

Thanks, everyone. GLSA vote: yes.

CVE-2012-5533 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5533):
The http_request_split_value function in request.c in lighttpd 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.

Vote: yes.

GLSA request filed.

This issue was resolved and addressed in GLSA 201406-10 at http://security.gentoo.org/glsa/glsa-201406-10.xml by GLSA coordinator Sergey Popov (pinkbyte).
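The CVE text above describes the bug class behind CVE-2012-5533: a header-value tokenizer that fails to make progress when it meets an empty token between two commas, so `Connection: TE,,Keep-Alive` spins the worker forever. The following is an added illustration written for this page, not lighttpd's `http_request_split_value` and not code from the bug thread: a simplified comma-separated header splitter in the buggy shape (the `continue` on an empty token runs before the separator is consumed) beside a hardened variant that always consumes the separator first. The buggy variant carries a step budget so it returns -1 instead of livelocking; the sample header values are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 16
#define TOKEN_LEN 32
#define STEP_BUDGET 10000  /* safety net so the buggy variant terminates in this demo */

/* Copy v[start..end) into out, dropping trailing SP/HT, NUL-terminated. */
static void store_token(const char *v, size_t start, size_t end, char *out) {
    while (end > start && (v[end - 1] == ' ' || v[end - 1] == '\t')) end--;
    size_t n = end - start;
    if (n > TOKEN_LEN - 1) n = TOKEN_LEN - 1;
    memcpy(out, v + start, n);
    out[n] = '\0';
}

/* Bug-class illustration (NOT lighttpd's code): split a comma-separated
 * header value into tokens.  An empty token triggers `continue` before the
 * separator is consumed, so i never advances.  Returns the token count, or
 * -1 when STEP_BUDGET is exhausted, i.e. the loop would have run forever. */
static int split_header_value_buggy(const char *v, char tokens[][TOKEN_LEN], int max) {
    size_t len = strlen(v), i = 0;
    int n = 0;
    long steps = 0;
    while (i < len && n < max) {
        if (++steps > STEP_BUDGET) return -1;       /* livelock detected */
        while (i < len && (v[i] == ' ' || v[i] == '\t')) i++;   /* skip leading OWS */
        if (i >= len) break;
        size_t start = i;
        while (i < len && v[i] != ',') i++;          /* scan to the next separator */
        if (i == start) continue;                    /* BUG: empty token, ',' not consumed */
        store_token(v, start, i, tokens[n++]);
        if (i < len) i++;                            /* ',' is consumed only on this path */
    }
    return n;
}

/* Hardened variant: the separator is consumed before the empty-token check,
 * so every iteration advances i by at least one character. */
static int split_header_value_fixed(const char *v, char tokens[][TOKEN_LEN], int max) {
    size_t len = strlen(v), i = 0;
    int n = 0;
    while (i < len && n < max) {
        while (i < len && (v[i] == ' ' || v[i] == '\t')) i++;
        if (i >= len) break;
        size_t start = i;
        while (i < len && v[i] != ',') i++;
        size_t end = i;
        if (i < len) i++;                            /* always consume the separator first */
        if (end == start) continue;                  /* empty token: skipped, progress already made */
        store_token(v, start, end, tokens[n++]);
    }
    return n;
}

int main(void) {
    /* constructed sample header values, including the CVE's "TE,,Keep-Alive" */
    const char *inputs[] = { "TE, Keep-Alive", "TE,,Keep-Alive", ",,," };
    char toks[MAX_TOKENS][TOKEN_LEN];
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        int b = split_header_value_buggy(inputs[k], toks, MAX_TOKENS);
        int f = split_header_value_fixed(inputs[k], toks, MAX_TOKENS);
        printf("%-16s buggy=%s%d fixed=%d\n", inputs[k], b < 0 ? "LIVELOCK " : "", b, f);
    }
    return 0;
}
```

The check a reviewer wants on any scanner loop of this shape is that each iteration strictly increases the index on every path, including the path that rejects the token; a step budget like the one used here is only a demo aid, and the real fix is the loop invariant, not a counter.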