Lucene search

K
gentooGentoo FoundationGLSA-200705-07
HistoryMay 07, 2007 - 12:00 a.m.

Lighttpd: Two Denials of Service

2007-05-0700:00:00
Gentoo Foundation
security.gentoo.org
16

7.8 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.222 Low

EPSS

Percentile

96.5%

Background

Lighttpd is a lightweight HTTP web server.

Description

Robert Jakabosky discovered an infinite loop triggered by a connection abort when Lighttpd processes carriage return and line feed sequences. Marcus Rueckert discovered a NULL pointer dereference when a server running Lighttpd tries to access a file with a mtime of 0.

Impact

A remote attacker could upload a specially crafted file to the server or send a specially crafted request and then abort the connection, possibly resulting in a crash or a Denial of Service by CPU consumption.

Workaround

There is no known workaround at this time.

Resolution

All Lighttpd users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.14"
OSVersionArchitecturePackageVersionFilename
Gentooanyallwww-servers/lighttpd< 1.4.14UNKNOWN

7.8 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.222 Low

EPSS

Percentile

96.5%