Bug 878213 (CVE-2012-5533)
| Field | Value |
|---|---|
| Summary | CVE-2012-5533 lighttpd: Denial of Service via malformed Connection headers |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Vincent Danen <vdanen> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | gwync, jlieskov, mail, rhbugs, security-response-team, wilmer |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | lighttpd 1.4.32 |
| Doc Type | Bug Fix |
| Last Closed | 2018-03-02 13:49:00 UTC |
| Bug Depends On | 878914, 878915 |
| Bug Blocks | 878215 |

Description
Vincent Danen
2012-11-19 21:05:02 UTC
Created attachment 648125 [details]
upstream patch to correct the flaw
Note that because lighttpd does not use threads, this would cause the daemon to fully be unresponsive to requests and peg the CPU core it is using to full or near-full utilization.

Public via:
http://www.openwall.com/lists/oss-security/2012/11/21/1

Other references:
http://www.lighttpd.net/2012/11/21/1-4-32/
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt

Created lighttpd tracking bugs for this issue

Affects: fedora-all [bug 878914]
Affects: epel-all [bug 878915]

Anything happening here? I do not see that the Fedora maintainers have proceeded with this.

I'll ping on the tracking bugs to see if that maybe reminds them.

Any progress with this bug?

Created attachment 784918 [details]
CVE-2012-5533 lighttpd apply patch SRPMS version that I compiled a few months ago and currently in production.

The previous comment on this bug is for informational and documentation purposes only. However, someone may want to review it, and close it if it no longer needs Status=New.