Executive Summary

Summary
Title lighttpd: Denial of Service
Informations
Name GLSA-201006-17 First vendor Publication 2010-06-03
Vendor Gentoo Last vendor Modification 2010-06-03
Severity (Vendor) Normal Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

A processing error in lighttpd might result in a Denial of Service condition.

Background

lighttpd is a lightweight high-performance web server.

Description

Li Ming reported that lighttpd does not properly process packets that are sent overly slow.

Impact

A remote attacker might send specially crafted packets to a server running lighttpd, possibly resulting in a Denial of Service condition via host memory exhaustion.

Workaround

There is no known workaround at this time.

Resolution

All lighttpd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.25-r1"

References

[ 1 ] CVE-2010-0295 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0295

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201006-17.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201006-17.xml

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-399 Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13441
 
Oval ID: oval:org.mitre.oval:def:13441
Title: DSA-1987-1 lighttpd -- denial of service
Description: Li Ming discovered that lighttpd, a small and fast webserver with minimal memory footprint, is vulnerable to a denial of service attack due to bad memory handling. Slowly sending very small chunks of request data causes lighttpd to allocate new buffers for each read instead of appending to old ones. An attacker can abuse this behaviour to cause denial of service conditions due to memory exhaustion. For the oldstable distribution, this problem has been fixed in version 1.4.13-4etch12. For the stable distribution, this problem has been fixed in version 1.4.19-5+lenny1. For the testing and unstable distribution, this problem will be fixed soon. We recommend that you upgrade your lighttpd packages.
Family: unix Class: patch
Reference(s): DSA-1987-1
CVE-2010-0295
 Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
 Product(s): lighttpd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7142
 
Oval ID: oval:org.mitre.oval:def:7142
Title: DSA-1987 lighttpd -- denial of service
Description: Li Ming discovered that lighttpd, a small and fast webserver with minimal memory footprint, is vulnerable to a denial of service attack due to bad memory handling. Slowly sending very small chunks of request data causes lighttpd to allocate new buffers for each read instead of appending to old ones. An attacker can abuse this behaviour to cause denial of service conditions due to memory exhaustion.
Family: unix Class: patch
Reference(s): DSA-1987
CVE-2010-0295
 Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
 Product(s): lighttpd
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 66

OpenVAS Exploits

Date Description
2011-03-09 Name : Gentoo Security Advisory GLSA 201006-17 (lighttpd)
File : nvt/glsa_201006_17.nasl
2010-05-17 Name : Fedora Update for lighttpd FEDORA-2010-7636
File : nvt/gb_fedora_2010_7636_lighttpd_fc11.nasl
2010-05-17 Name : Fedora Update for lighttpd FEDORA-2010-7643
File : nvt/gb_fedora_2010_7643_lighttpd_fc12.nasl
2010-02-18 Name : FreeBSD Ports: lighttpd
File : nvt/freebsd_lighttpd6.nasl
2010-02-10 Name : Debian Security Advisory DSA 1987-1 (lighttpd)
File : nvt/deb_1987_1.nasl
2010-02-02 Name : lighttpd Slow Request Handling Remote Denial Of Service Vulnerability
File : nvt/lighttpd_38036.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
62068 lighttpd HTTP Session Memory Exhaustion Remote DoS

Nessus® Vulnerability Scanner

Date Description
2018-02-06 Name : The remote web server is affected by a denial of service vulnerability
File : lighttpd_1_4_26.nasl - Type : ACT_GATHER_INFO
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_lighttpd_20140721.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-7611.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-7636.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-7643.nasl - Type : ACT_GATHER_INFO
2010-06-04 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201006-17.nasl - Type : ACT_GATHER_INFO
2010-02-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1987.nasl - Type : ACT_GATHER_INFO
2010-02-17 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_1a3bd81f1b2511dfbd1a002170daae37.nasl - Type : ACT_GATHER_INFO
2010-02-09 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_lighttpd-100203.nasl - Type : ACT_GATHER_INFO
2010-02-09 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_lighttpd-100203.nasl - Type : ACT_GATHER_INFO
2010-02-09 Name : The remote openSUSE host is missing a security update.
File : suse_11_2_lighttpd-100203.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:36:54
  • Multiple Updates