Remotely exploitable denial of service (excessive use of memory) has been reported and corrected in the lighttpd web server. From the upstream 'lighttpd_sa_2010_01' advisory:

"If you send the request data very slow (e.g. sleep 0.01 after each byte), lighttpd will easily use all available memory and die (especially for parallel requests), allowing a DoS within minutes."

Upstream advisory: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt

Patches:
a, v1.4.x: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2710
b, v1.5: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2711

Credit: Li Ming

Upstream ticket (with reproducer): http://redmine.lighttpd.net/issues/2147
This issue affects the latest versions of the lighttpd package, as shipped with Fedora releases 11 (lighttpd-1.4.23-1.fc11) and 12 (lighttpd-1.4.23-1.fc12). This issue also affects the latest versions of the lighttpd package as shipped with the Extra Packages for Enterprise Linux 4 (EPEL-4) -- lighttpd-1.4.23-1.el4 -- and 5 (EPEL-5) -- lighttpd-1.4.23-1.el5 -- projects. Please fix.
Created attachment 395462: lighttpd 1.4.26 srpm

Integrates spawn_fcgi-1.6.23. Here it is, as-is; please review before distributing. Tested on CentOS 5.latest + EPEL.
spawn-fcgi-1.6.2-1.el5.1, lighttpd-1.4.26-2.el5 have been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/spawn-fcgi-1.6.2-1.el5.1,lighttpd-1.4.26-2.el5
lighttpd-1.4.26-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/lighttpd-1.4.26-2.fc11
lighttpd-1.4.26-2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/lighttpd-1.4.26-2.fc12
spawn-fcgi-1.6.2-1.el4.1, lighttpd-1.4.26-2.el4 have been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/spawn-fcgi-1.6.2-1.el4.1,lighttpd-1.4.26-2.el4
lighttpd-1.4.26-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/lighttpd-1.4.26-2.fc13
lighttpd-1.4.26-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
lighttpd-1.4.26-2.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
lighttpd-1.4.26-2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
spawn-fcgi-1.6.2-1.el5.1, lighttpd-1.4.26-2.el5 have been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
spawn-fcgi-1.6.2-1.el4.1, lighttpd-1.4.26-2.el4 have been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.