lighttpd - multiple DOS issues

2008-07-1500:00:00

Google

osv.dev

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

Several local/remote vulnerabilities have been discovered in lighttpd,
a fast webserver with minimal memory footprint.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2008-0983
lighttpd 1.4.18, and possibly other versions before 1.5.0, does not
properly calculate the size of a file descriptor array, which allows
remote attackers to cause a denial of service (crash) via a large number
of connections, which triggers an out-of-bounds access.
CVE-2007-3948
connections.c in lighttpd before 1.4.16 might accept more connections
than the configured maximum, which allows remote attackers to cause a
denial of service (failed assertion) via a large number of connection
attempts.

For the stable distribution (etch), these problems have been fixed in
version 1.4.13-4etch9.

For the unstable distribution (sid), these problems have been fixed in
version 1.4.18-2.

We recommend that you upgrade your lighttpd package.

CPENameOperatorVersion
lighttpdeq1.4.13-4etch1
lighttpdeq1.4.13-4etch8
lighttpdeq1.4.13-4etch7
lighttpdeq1.4.13-4
lighttpdeq1.4.13-4etch5
lighttpdeq1.4.13-4etch3
lighttpdeq1.4.13-4etch6
lighttpdeq1.4.13-4etch2
lighttpdeq1.4.13-4etch4

Name	Operator	Version
lighttpd	eq	1.4.13-4etch1
lighttpd	eq	1.4.13-4etch8
lighttpd	eq	1.4.13-4etch7
lighttpd	eq	1.4.13-4
lighttpd	eq	1.4.13-4etch5
lighttpd	eq	1.4.13-4etch3
lighttpd	eq	1.4.13-4etch6
lighttpd	eq	1.4.13-4etch2
lighttpd	eq	1.4.13-4etch4