Bug 464637 - (CVE-2008-4298) CVE-2008-4298 lighttpd: memory leak http_request_parse() in request.c
CVE-2008-4298 lighttpd: memory leak http_request_parse() in request.c
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
impact=important,source=gentoo,report...
: Security
Depends On: 464638 464639 464640 464641
Blocks:
  Show dependency treegraph
 
Reported: 2008-09-29 15:15 EDT by Josh Bressers
Modified: 2016-03-04 07:43 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-09 13:45:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2008-09-29 15:15:40 EDT
Memory leak in the http_request_parse function in request.c in
lighttpd before 1.4.20 allows remote attackers to cause a denial of
service (memory consumption) via a large number of requests with
duplicate request headers.

Reference: MLIST:[oss-security] 20080926 CVE Request (lighttpd)
Reference: URL:http://www.openwall.com/lists/oss-security/2008/09/26/5
Reference: CONFIRM:http://bugs.gentoo.org/show_bug.cgi?id=238180
Reference: CONFIRM:http://trac.lighttpd.net/trac/changeset/2305
Reference: CONFIRM:http://trac.lighttpd.net/trac/ticket/1774
Reference: CONFIRM:http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
Comment 2 Fedora Update System 2008-12-26 09:15:45 EST
lighttpd-1.4.20-6.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/lighttpd-1.4.20-6.fc9
Comment 3 Fedora Update System 2008-12-26 09:17:04 EST
lighttpd-1.4.20-6.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/lighttpd-1.4.20-6.fc8
Comment 4 Matthias Saou 2009-04-09 13:45:26 EDT
Forgot to close this report. Closing now, as 1.4.22 is being pushed to F-9+.

Note You need to log in before you can comment on or make changes to this bug.