lighttpd can be forced to leak memory by sending lots of requests with duplicate request headers. A patch is available from the ticket and will be in the VCS in some minutes; lighty-1.4.20, which should include the patch, is supposed to be released in the near future.
By some testing it looks like it takes some time to get lighty to use a dangerous amount of memory, but nevertheless it's an issue.
I'll handle bumping/patching.
JFI: CVE request has been sent by lighty upstream to coley directly some days ago already and by bressers from Red Hat @ oss-sec as well.
Memory leak in the http_request_parse function in request.c in
lighttpd before 1.4.20 allows remote attackers to cause a denial of
service (memory consumption) via a large number of requests with
duplicate request headers.
www-servers: Apologies for not CC'ing you, I seem to have missed this.
1.4.20 has been released and I just added it to the tree. It fixes two other security problems. The first (mod_userdir-related) does not affect us, as we tracked this in bug 213164. The second is:
(Quoting my mail to oss-sec)
> * Unexpected behavior of url.redirect / url.rewrite config options
> While this is not a security issue in lighttpd, the user might
> rely on the fact that those options are supposed to be matched
> against the urldecoded version of the URL. Depending on the
> configuration, this would allow for unwanted access to certain
> resources (information disclosure or even manipulation of data)
> References:  
Two more references to the memory leak issue are at  and .
Arches, please test and mark stable:
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86
~mips ~sparc-fbsd ~x86-fbsd
Already stable: amd64
To stable: alpha arm hppa ia64 ppc ppc64 sh sparc x86
Short note: FEATURES=test seems to be broken here (not only in .20), I'll try to work on either fixing or restricting (preferably the former). Testing can be done just by running it through the init script and browsing some files (or maybe even setting up a webapp).
Actually adding arches.
>> * Unexpected behavior of url.redirect / url.rewrite config options
> Use CVE-2008-4359, to be filled in later.
>> * Information disclosure w/ mod_userdir on case-insensitive file
> Use CVE-2008-4360, to be filled in later.
(And thanks for fixing my arch CC'ing mess-up, keytoaster ;))
Stable for HPPA.
Ready for vote, I vote YES.
*** Bug 239552 has been marked as a duplicate of this bug. ***
Voting YES, request filed.