Fedora Account System
Red Hat Associate
Red Hat Customer
Remotely exploitable denial of service (excessive use of memory) has been reported and corrected in lighttpd web server. From the upstream 'lighttpd_sa_2010_01' advisory: "If you send the request data very slow (e.g. sleep 0.01 after each byte), lighttpd will easily use all available memory and die (especially for parallel requests), allowing a DoS within minutes." Upstream advisory: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt Patches: a, v1.4.x http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2710 b, v1.5 http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2711 Credit: Li Ming Upstream ticket (with reproducer): http://redmine.lighttpd.net/issues/2147
This issue affects the latest versions of the lighttpd package, as shipped with Fedora release of 11 (lighttpd-1.4.23-1.fc11) and 12 (lighttpd-1.4.23-1.fc12). This issue affects the latest versions of the lighttpd package, as shipped with Extra Packages for Enterprise Linux 4 (EPEL-4) -- lighttpd-1.4.23-1.el4, and 5 (EPEL-5) -- lighttpd-1.4.23-1.el5 projects. Please fix.
Created attachment 395462 [details] lighttpd 1.4.26 srpm Integrates spawn_fcgi-1.6.23 here it is, as-is, please review before distributing. Tested on Centos 5.latest + EPEL.
spawn-fcgi-1.6.2-1.el5.1,lighttpd-1.4.26-2.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/spawn-fcgi-1.6.2-1.el5.1,lighttpd-1.4.26-2.el5
lighttpd-1.4.26-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/lighttpd-1.4.26-2.fc11
lighttpd-1.4.26-2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/lighttpd-1.4.26-2.fc12
spawn-fcgi-1.6.2-1.el4.1,lighttpd-1.4.26-2.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/spawn-fcgi-1.6.2-1.el4.1,lighttpd-1.4.26-2.el4
lighttpd-1.4.26-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/lighttpd-1.4.26-2.fc13
lighttpd-1.4.26-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
lighttpd-1.4.26-2.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
lighttpd-1.4.26-2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
spawn-fcgi-1.6.2-1.el5.1, lighttpd-1.4.26-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
spawn-fcgi-1.6.2-1.el4.1, lighttpd-1.4.26-2.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.