There are multiple security issues which will be fixed with the upcoming lighttpd-1.4.16 (pre-release scheduled for this evening):

* crash on duplicate headers with trailing WS (DoS)
  details: http://trac.lighttpd.net/trac/ticket/1232
  fix: http://trac.lighttpd.net/trac/changeset/1869?format=diff&new=1869 (http://trac.lighttpd.net/trac/changeset/1869)

* - crash with md5-sess and cnonce not set in mod_auth (DoS)
  - missing check for base64 encoded string in mod_auth and Basic auth
  - possible crash in Auth-Digest header parser on trailing WS in mod_auth (DoS)
  fixes: http://trac.lighttpd.net/trac/changeset/1875?format=diff&new=1875 (http://trac.lighttpd.net/trac/changeset/1875)

* accepting more connections than requested (DoS?)
  details: http://trac.lighttpd.net/trac/ticket/1216
  fix: http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873 (http://trac.lighttpd.net/trac/changeset/1873)

* circumventing url.access-deny by trailing slash (information disclosure)
  details: http://trac.lighttpd.net/trac/ticket/1230
  fix: http://trac.lighttpd.net/trac/changeset/1871?format=diff&new=1871 (http://trac.lighttpd.net/trac/changeset/1871)
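The second item above mentions a missing check for the base64-encoded string in Basic auth. As an illustration of the class of defect (a credential parser that trusts the decoder's output without first validating its input), here is an added, self-contained Python parser for the HTTP Basic `Authorization` header. It is example code written for this page, not lighttpd's mod_auth code, and the header values in the test are constructed; the function name `parse_basic_credentials` and its return convention (a tuple, or `None` for any malformed header) are assumptions of this example.

```python
import base64
import binascii
import re

# Strict base64 alphabet: only A-Z, a-z, 0-9, '+', '/' and up to two
# trailing '=' padding characters. Anything else is rejected up front.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def parse_basic_credentials(header_value):
    """Parse an HTTP Basic 'Authorization' header value.

    Returns (user, password) on success, or None for any malformed input:
    wrong scheme, empty token, non-base64 token, non-UTF-8 payload, or a
    decoded payload that lacks the mandatory 'user:password' separator.
    The caller therefore never sees a half-decoded or NULL-like result.
    """
    if header_value is None:
        return None

    scheme, sep, token = header_value.strip().partition(" ")
    if not sep or scheme.lower() != "basic":
        return None

    # Trailing whitespace after the token is tolerated, but the token itself
    # must be well-formed base64 with correct length and padding.
    token = token.strip()
    if not token or len(token) % 4 != 0 or not _B64_RE.match(token):
        return None

    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        # Decoder rejected the token; do not fall through with partial data.
        return None

    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None

    # RFC 7617 requires 'user-id:password'; the first colon is the separator
    # and the password may itself contain colons.
    user, colon, password = text.partition(":")
    if not colon or not user:
        return None
    return user, password
```

The point of the example is the ordering of checks: the token is validated before decoding, the decoder's failure is handled explicitly, and the decoded payload is only used once it has been confirmed to carry the expected structure. Each rejected case returns the same `None`, so the caller can treat every malformed header uniformly as "not authenticated" rather than crashing on an unexpected value.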
Thx for the info. We're already tracking this on bug #185442 that will soon be made public. *** This bug has been marked as a duplicate of bug 185442 ***