Debian DSA-1987-1 : lighttpd - denial of service

medium Nessus Plugin ID 44851

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

Li Ming discovered that lighttpd, a small and fast webserver with minimal memory footprint, is vulnerable to a denial of service attack due to bad memory handling. Slowly sending very small chunks of request data causes lighttpd to allocate new buffers for each read instead of appending to old ones. An attacker can abuse this behaviour to cause denial of service conditions due to memory exhaustion.

Solution

Upgrade the lighttpd packages.

For the oldstable distribution (etch), this problem has been fixed in version 1.4.13-4etch12.

For the stable distribution (lenny), this problem has been fixed in version 1.4.19-5+lenny1.

See Also

https://www.debian.org/security/2010/dsa-1987

Plugin Details

Severity: Medium

ID: 44851

File Name: debian_DSA-1987.nasl

Version: 1.11

Type: local

Agent: unix

Published: 2/24/2010

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:lighttpd, cpe:/o:debian:debian_linux:4.0, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/2/2010

Reference Information

CVE: CVE-2010-0295

BID: 38036

CWE: 399

DSA: 1987