Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1111 to the following vulnerability:

When mod_cgi running on lighttpd is unable to fork anymore (for instance if ulimit is reached) lighty sends the full source of the cgi script. This is rather serious and affects all users of mod_cgi. The patch (found at lighttpd's subversion repository) returns a 500 response instead.

References:
http://trac.lighttpd.net/trac/changeset/2107
http://bugs.gentoo.org/show_bug.cgi?id=211956
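The failure mode described above, as an added example that is not lighttpd's code and not the patch from changeset 2107: a CGI handler that gives up the request when fork() fails, next to one that fails closed with a 500. The handler chain, the static-file fallback and all names here are assumptions made for illustration, and the fork failure is simulated with a constructed stub.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names modelling a handler chain; not lighttpd's identifiers. */
enum result { PASS_TO_NEXT, FINISHED };
struct request { const char *script; int http_status; };
typedef pid_t (*fork_fn)(void);
typedef enum result (*cgi_fn)(struct request *, fork_fn);

/* Constructed stand-in for fork() failing at a process limit. */
static pid_t fork_exhausted(void) { return -1; }

/* Shared success path: the child exits, the parent reaps it and reports 200. */
static enum result run_child(struct request *r, pid_t pid) {
    if (pid == 0) _exit(0);          /* child: a real server would exec r->script */
    waitpid(pid, NULL, 0);
    r->http_status = 200;
    return FINISHED;
}

/* Flawed: fork failure hands the request to the next handler in the chain. */
static enum result cgi_flawed(struct request *r, fork_fn do_fork) {
    pid_t pid = do_fork();
    if (pid < 0) return PASS_TO_NEXT;
    return run_child(r, pid);
}

/* Fail closed: the CGI handler keeps the request and answers 500. */
static enum result cgi_fixed(struct request *r, fork_fn do_fork) {
    pid_t pid = do_fork();
    if (pid < 0) { r->http_status = 500; return FINISHED; }
    return run_child(r, pid);
}

/* Returns 1 when the assumed static-file fallback is reached, i.e. the
 * script's source would be sent as the response body. */
static int source_disclosed(cgi_fn cgi, fork_fn do_fork, struct request *r) {
    r->http_status = 0;
    if (cgi(r, do_fork) == FINISHED) return 0;
    r->http_status = 200;            /* static handler serves r->script as a file */
    return 1;
}

int main(void) {
    struct request r = { "/cgi-bin/report.cgi", 0 };   /* constructed path */
    int flawed = source_disclosed(cgi_flawed, fork_exhausted, &r);
    int fixed = source_disclosed(cgi_fixed, fork_exhausted, &r);
    printf("flawed leaks=%d, fixed leaks=%d status=%d\n", flawed, fixed, r.http_status);
    return 0;
}
```

When checking a patched build, the thing to confirm under process-limit pressure is that CGI URLs answer 500 and never return a body containing the script text.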
lighttpd-1.4.18-6.fc8 has been submitted as an update for Fedora 8
lighttpd-1.4.18-3.fc7 has been submitted as an update for Fedora 7
lighttpd-1.4.18-3.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
lighttpd-1.4.18-6.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2278
Reporter changed to security-response-team by request of Jay Turner.