Bug 561340 (CVE-2010-0295) - CVE-2010-0295 lighttpd: Remote DoS (excessive memory use) by handling specially-crafted HTTP request
Summary: CVE-2010-0295 lighttpd: Remote DoS (excessive memory use) by handling special...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-0295
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://download.lighttpd.net/lighttpd...
Whiteboard:
Depends On: 562991
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-02-03 13:28 UTC by Jan Lieskovsky
Modified: 2016-06-10 22:25 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-10 22:25:54 UTC
Embargoed:


Attachments (Terms of Use)
lighttpd 1.4.26 srpm (770.18 KB, application/x-rpm)
2010-02-22 12:36 UTC, Risto Laanoja
no flags Details

Description Jan Lieskovsky 2010-02-03 13:28:03 UTC
Remotely exploitable denial of service (excessive use of memory)
has been reported and corrected in lighttpd web server. 

From the upstream 'lighttpd_sa_2010_01' advisory:

"If you send the request data very slow (e.g. sleep 0.01 after each byte),
lighttpd will easily use all available memory and die (especially for
parallel requests), allowing a DoS within minutes."

Upstream advisory:
  http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt

Patches:
a, v1.4.x
  http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2710
b, v1.5
  http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2711 

Credit:
  Li Ming

Upstream ticket (with reproducer):
  http://redmine.lighttpd.net/issues/2147

Comment 1 Jan Lieskovsky 2010-02-03 13:33:43 UTC
This issue affects the latest versions of the lighttpd package,
as shipped with Fedora release of 11 (lighttpd-1.4.23-1.fc11)
and 12 (lighttpd-1.4.23-1.fc12).

This issue affects the latest versions of the lighttpd package,
as shipped with Extra Packages for Enterprise Linux 4 (EPEL-4) 
-- lighttpd-1.4.23-1.el4, and 5 (EPEL-5) -- lighttpd-1.4.23-1.el5
projects.

Please fix.

Comment 3 Risto Laanoja 2010-02-22 12:36:18 UTC
Created attachment 395462 [details]
lighttpd 1.4.26 srpm

Integrates spawn_fcgi-1.6.23

here it is, as-is, please review before distributing.
Tested on Centos 5.latest + EPEL.

Comment 4 Fedora Update System 2010-04-28 09:41:18 UTC
spawn-fcgi-1.6.2-1.el5.1,lighttpd-1.4.26-2.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/spawn-fcgi-1.6.2-1.el5.1,lighttpd-1.4.26-2.el5

Comment 5 Fedora Update System 2010-04-28 09:41:23 UTC
lighttpd-1.4.26-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/lighttpd-1.4.26-2.fc11

Comment 6 Fedora Update System 2010-04-28 09:41:28 UTC
lighttpd-1.4.26-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/lighttpd-1.4.26-2.fc12

Comment 7 Fedora Update System 2010-04-28 09:41:32 UTC
spawn-fcgi-1.6.2-1.el4.1,lighttpd-1.4.26-2.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/spawn-fcgi-1.6.2-1.el4.1,lighttpd-1.4.26-2.el4

Comment 8 Fedora Update System 2010-04-28 09:41:36 UTC
lighttpd-1.4.26-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/lighttpd-1.4.26-2.fc13

Comment 9 Fedora Update System 2010-05-12 17:54:33 UTC
lighttpd-1.4.26-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2010-05-12 17:59:33 UTC
lighttpd-1.4.26-2.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2010-05-12 18:02:00 UTC
lighttpd-1.4.26-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2010-05-14 01:05:13 UTC
spawn-fcgi-1.6.2-1.el5.1, lighttpd-1.4.26-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2010-05-14 01:05:51 UTC
spawn-fcgi-1.6.2-1.el4.1, lighttpd-1.4.26-2.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.