Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers.

References:
MLIST: [oss-security] 20080926 CVE Request (lighttpd)
URL: http://www.openwall.com/lists/oss-security/2008/09/26/5
CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=238180
CONFIRM: http://trac.lighttpd.net/trac/changeset/2305
CONFIRM: http://trac.lighttpd.net/trac/ticket/1774
CONFIRM: http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
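The bug class the description above refers to, modelled in an added C example. This is a constructed illustration written for this page, not lighttpd's request.c and not the changeset 2305 fix: a header parser that strdup's the key and value of each line before checking the table for an existing key, and on a duplicate merges the value into the existing entry and simply drops the fresh allocations. The function names (add_header, parse_headers, leaked_after_requests), the instrumented xstrdup/xfree counter and the sample request are all assumptions. With the fixed flag set the duplicate path releases the unused entry; with it cleared, every duplicate header leaks two strings per request, which is what a large number of such requests turns into memory exhaustion.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed model of the bug class (not lighttpd code): a fixed-size header
 * table plus an allocation counter that makes a leak visible as a nonzero
 * balance after every table has been torn down. */
#define MAX_HEADERS 32

typedef struct { char *key; char *value; } header_t;
typedef struct { header_t items[MAX_HEADERS]; size_t count; } header_table_t;

/* Strings handed out by xstrdup and not yet returned through xfree. */
static long live_allocs = 0;
static char *xstrdup(const char *s) { char *p = strdup(s); if (p) live_allocs++; return p; }
static void xfree(char *p) { if (p) { live_allocs--; free(p); } }

static header_t *find_header(header_table_t *t, const char *key) {
    for (size_t i = 0; i < t->count; i++)
        if (strcasecmp(t->items[i].key, key) == 0) return &t->items[i];
    return NULL;
}

/* Append ", value" to an existing header value in place (the RFC 2616 4.2
 * way of folding repeated headers); the allocation count is unchanged. */
static int merge_value(header_t *h, const char *value) {
    size_t n = strlen(h->value) + 2 + strlen(value) + 1;
    char *p = realloc(h->value, n);
    if (!p) return -1;
    h->value = p;
    strcat(h->value, ", ");
    strcat(h->value, value);
    return 0;
}

/* The entry is allocated before the duplicate check, as a parser that builds
 * it while scanning the line naturally does. 'fixed' selects the corrected
 * path on a duplicate key. */
static int add_header(header_table_t *t, const char *key, const char *value, int fixed) {
    char *k = xstrdup(key), *v = xstrdup(value);
    if (!k || !v) { xfree(k); xfree(v); return -1; }
    header_t *dup = find_header(t, key);
    if (dup) {
        int rc = merge_value(dup, value);
        if (fixed) { xfree(k); xfree(v); }   /* the fix: release the unused entry */
        /* leaky path (fixed == 0): k and v are abandoned, two strings per duplicate */
        return rc;
    }
    if (t->count == MAX_HEADERS) { xfree(k); xfree(v); return -1; }
    t->items[t->count].key = k;
    t->items[t->count].value = v;
    t->count++;
    return 0;
}

static void free_table(header_table_t *t) {
    for (size_t i = 0; i < t->count; i++) { xfree(t->items[i].key); xfree(t->items[i].value); }
    t->count = 0;
}

/* Parse a "Key: value\r\n" block terminated by an empty line. */
static int parse_headers(header_table_t *t, const char *raw, int fixed) {
    const char *p = raw;
    while (*p && !(p[0] == '\r' && p[1] == '\n')) {
        const char *eol = strstr(p, "\r\n");
        if (!eol) return -1;
        const char *colon = memchr(p, ':', (size_t)(eol - p));
        if (!colon || colon == p) return -1;
        char key[256], value[1024];
        size_t kl = (size_t)(colon - p);
        const char *vs = colon + 1;
        while (vs < eol && (*vs == ' ' || *vs == '\t')) vs++;   /* skip leading OWS */
        size_t vl = (size_t)(eol - vs);
        if (kl >= sizeof key || vl >= sizeof value) return -1;
        memcpy(key, p, kl); key[kl] = '\0';
        memcpy(value, vs, vl); value[vl] = '\0';
        if (add_header(t, key, value, fixed) != 0) return -1;
        p = eol + 2;
    }
    return 0;
}

/* Parse the same request nreq times, tearing the table down after each, and
 * return how many strings are still outstanding: the per-request leak the
 * advisory describes, multiplied by the request count. */
long leaked_after_requests(const char *raw, int nreq, int fixed) {
    live_allocs = 0;
    for (int i = 0; i < nreq; i++) {
        header_table_t t = {0};
        parse_headers(&t, raw, fixed);
        free_table(&t);
    }
    return live_allocs;
}

/* Constructed sample: one header repeated three times (two duplicates). */
const char *SAMPLE_REQUEST =
    "Host: example.test\r\n"
    "X-Dup: a\r\n"
    "X-Dup: b\r\n"
    "X-Dup: c\r\n"
    "\r\n";

int main(void) {
    printf("leaky: %ld strings outstanding after 1000 requests\n",
           leaked_after_requests(SAMPLE_REQUEST, 1000, 0));
    printf("fixed: %ld strings outstanding after 1000 requests\n",
           leaked_after_requests(SAMPLE_REQUEST, 1000, 1));
    return 0;
}
```

The point of the counter is that the leak is invisible per request (a few bytes, and the merged value is correct either way) and only shows up as a monotonic growth in the server's heap across many requests, which is why the advisory's attack needs "a large number of requests"; running the leaky variant under a leak checker such as valgrind or ASan on a single request makes the abandoned entry show up directly.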
lighttpd-1.4.20-6.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/lighttpd-1.4.20-6.fc9
lighttpd-1.4.20-6.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/lighttpd-1.4.20-6.fc8
Forgot to close this report. Closing now, as 1.4.22 is being pushed to F-9+.