Lighttpd: Two Denials of Service
Gentoo Linux Security Advisory
GLSA 200705-07 / lighttpd
Release Date: May 07, 2007
Latest Revision: May 07, 2007: 01
All supported architectures
Two vulnerabilities have been discovered in Lighttpd, each allowing for a
Denial of Service.
Lighttpd is a lightweight HTTP web server.
Robert Jakabosky discovered an infinite loop triggered by a connection
abort when Lighttpd processes carriage return and line feed sequences.
Marcus Rueckert discovered a NULL pointer dereference when a server
running Lighttpd tries to access a file with an mtime of 0.
A remote attacker could upload a specially crafted file to the server
or send a specially crafted request and then abort the connection,
possibly resulting in a crash or a Denial of Service by CPU
There is no known workaround at this time.
All Lighttpd users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.14"
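Since the advisory names no workaround, an administrator waiting on the upgrade can at least check two things: whether the installed version predates the fixed release, and whether any file in the served tree carries the mtime of 0 that triggers the NULL pointer dereference. The script below is an added example written for this page, not Gentoo's or Lighttpd's own code; the document root path, the sample files and the version strings it checks are constructed for illustration.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# First fixed release named in GLSA 200705-07 (">=www-servers/lighttpd-1.4.14").
FIXED_VERSION = (1, 4, 14)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.13' or a Gentoo-style '1.4.13-r2' into a comparable tuple.
    The '-rN' revision suffix is dropped: it never changes the upstream fix level."""
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def is_vulnerable_version(v: str) -> bool:
    """True when the given lighttpd version is older than the fixed release."""
    return parse_version(v) < FIXED_VERSION


def find_mtime_zero_files(root: str) -> List[str]:
    """Walk a document root and list regular files whose mtime is exactly 0.
    Symlinks are not followed (lstat), so a link into another tree is not reported."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; nothing for lighttpd to serve either
            if stat.S_ISREG(st.st_mode) and int(st.st_mtime) == 0:
                hits.append(path)
    return sorted(hits)


def build_sample_docroot() -> Tuple[str, str]:
    """Constructed docroot (hypothetical, for the demonstration): two files,
    one of them reset to mtime 0. Returns (root, path_of_mtime_zero_file)."""
    root = tempfile.mkdtemp(prefix="lighttpd-docroot-")
    for name in ("index.html", "stale.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample\n")
    zero = os.path.join(root, "stale.txt")
    os.utime(zero, (0, 0))  # atime and mtime both set to the epoch
    return root, zero


if __name__ == "__main__":
    print("1.4.13-r2 vulnerable:", is_vulnerable_version("1.4.13-r2"))
    root, _ = build_sample_docroot()
    print("mtime-0 files under", root, "->", find_mtime_zero_files(root))
```

Run the scanner against the real document root on an affected host to find files that should be touched or removed until the `emerge` above has been applied.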