Summary: | <www-servers/lighttpd-1.4.67: DoS via uninitialized function pointer | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | maintainer-needed |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://redmine.lighttpd.net/issues/3165 | ||
Whiteboard: | B3 [glsa+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 855146, 873064 | ||
Bug Blocks: |
Description
John Helmert III
2022-09-12 18:25:37 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34695b742edb316871d6148030da940b45182ebf commit 34695b742edb316871d6148030da940b45182ebf Author: Sam James <sam@gentoo.org> AuthorDate: 2022-09-19 02:24:20 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-09-19 02:25:00 +0000 www-servers/lighttpd: add 1.4.67 Bug: https://bugs.gentoo.org/869890 Closes: https://bugs.gentoo.org/855146 Signed-off-by: Sam James <sam@gentoo.org> www-servers/lighttpd/Manifest | 1 + www-servers/lighttpd/lighttpd-1.4.67.ebuild | 237 ++++++++++++++++++++++++++++ 2 files changed, 238 insertions(+) Note that in the bump, I also ported to Meson, so I wouldn't stable too quickly. CVE-2022-41556 (https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50): A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=415f7077d34890d4693b4b8c1aaf024961b29620 commit 415f7077d34890d4693b4b8c1aaf024961b29620 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-10-21 17:58:30 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-21 17:58:30 +0000 www-servers/lighttpd: drop 1.4.64-r1 Bug: https://bugs.gentoo.org/869890 Signed-off-by: John Helmert III <ajak@gentoo.org> www-servers/lighttpd/Manifest | 1 - www-servers/lighttpd/lighttpd-1.4.64-r1.ebuild | 237 ------------------------- 2 files changed, 238 deletions(-) GLSA request filed The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=57d24f954d7b5db2ffb4dcde78429e76722d5387 commit 57d24f954d7b5db2ffb4dcde78429e76722d5387 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-10-31 01:09:14 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-31 01:40:14 +0000 [ GLSA 202210-12 ] Lighttpd: Denial of Service Bug: https://bugs.gentoo.org/869890 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202210-12.xml | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) GLSA released, all done! |