Bug 851234 (CVE-2022-30780) - <www-servers/lighttpd-1.4.59: DoS due to typo in connection handling
Alias: CVE-2022-30780
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Reported: 2022-06-11 17:04 UTC by John Helmert III
Modified: 2022-07-24 01:50 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-11 17:04:21 UTC

Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.

A rather silly writeup exists, along with an exploit:
Comment 1 Larry the Git Cow gentoo-dev 2022-07-24 01:49:00 UTC
The bug has been referenced in the following commit(s):

commit 2f561442e589e60f79873b3f4db5e9935970ac46
Author:     Sam James <>
AuthorDate: 2022-07-24 01:48:23 +0000
Commit:     Sam James <>
CommitDate: 2022-07-24 01:48:52 +0000

    www-servers/lighttpd: drop 1.4.55-r102, 1.4.58-r2, 1.4.59-r2
    Signed-off-by: Sam James <>

 www-servers/lighttpd/Manifest                      |   3 -
 www-servers/lighttpd/files/conf/lighttpd.conf      | 279 ---------------------
 .../files/lighttpd-1.4.59-nspr-header.patch        |  16 --
 www-servers/lighttpd/files/lighttpd.initd          |  79 ------
 www-servers/lighttpd/lighttpd-1.4.55-r102.ebuild   | 247 ------------------
 www-servers/lighttpd/lighttpd-1.4.58-r2.ebuild     | 268 --------------------
 www-servers/lighttpd/lighttpd-1.4.59-r2.ebuild     | 242 ------------------
 www-servers/lighttpd/metadata.xml                  |   2 -
 8 files changed, 1136 deletions(-)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-07-24 01:50:05 UTC
GLSA vote: no.