-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA-1987-1                   [email protected]
http://www.debian.org/security/                               Nico Golde
February 2nd, 2010                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : lighttpd
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
Debian bug : none
CVE ID : CVE-2010-0295
Li Ming discovered that lighttpd, a small and fast webserver with minimal
memory footprint, is vulnerable to a denial of service attack due to poor
memory handling. Slowly sending very small chunks of request data causes
lighttpd to allocate a new buffer for each read instead of appending to the
existing one, so the memory held for a connection grows with the number of
reads rather than with the amount of data received. An attacker can abuse
this behaviour to cause denial of service conditions due to memory
exhaustion.
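The allocation pattern the advisory describes, shown as an added example in C: this is illustrative code written for this page, not lighttpd's source or the Debian patch, and the chunk structure, the 4096-byte per-read buffer size and the function names are assumptions chosen to make the effect visible. `recv_vulnerable` gives every read() its own buffer; `recv_fixed` appends to the tail chunk while it has room. A constructed client drips a request one byte per read, and the simulation reports how much buffer memory each policy costs the server.

```c
/* Added example: buffer-per-read memory growth versus append-to-tail.
 * Not lighttpd's code; structure, sizes and names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define READ_BUF_SIZE 4096          /* assumed size of one read buffer */

typedef struct chunk {
    char *mem;
    size_t used;
    size_t cap;
    struct chunk *next;
} chunk;

typedef struct {
    chunk *first, *last;
    size_t bytes_allocated;         /* buffer memory the server pays for */
    size_t bytes_stored;            /* request bytes actually held */
} chunkqueue;

static chunk *chunk_new(chunkqueue *cq) {
    chunk *c = calloc(1, sizeof *c);
    if (!c || !(c->mem = malloc(READ_BUF_SIZE))) abort();
    c->cap = READ_BUF_SIZE;
    cq->bytes_allocated += READ_BUF_SIZE;
    if (cq->last) cq->last->next = c; else cq->first = c;
    cq->last = c;
    return c;
}

/* Vulnerable pattern: each read() lands in a freshly allocated buffer,
 * however little data it carried. A client that sends one byte per
 * packet makes the server allocate READ_BUF_SIZE per byte received. */
static void recv_vulnerable(chunkqueue *cq, const char *data, size_t n) {
    chunk *c = chunk_new(cq);
    memcpy(c->mem, data, n);
    c->used = n;
    cq->bytes_stored += n;
}

/* Hardened pattern: append into the tail chunk while it has room and
 * allocate only when it is full, so memory grows with bytes received,
 * not with the number of reads the client chooses to split them into. */
static void recv_fixed(chunkqueue *cq, const char *data, size_t n) {
    while (n > 0) {
        chunk *c = cq->last;
        if (!c || c->used == c->cap) c = chunk_new(cq);
        size_t room = c->cap - c->used;
        size_t take = n < room ? n : room;
        memcpy(c->mem + c->used, data, take);
        c->used += take;
        cq->bytes_stored += take;
        data += take;
        n -= take;
    }
}

static void chunkqueue_free(chunkqueue *cq) {
    chunk *c = cq->first;
    while (c) { chunk *nx = c->next; free(c->mem); free(c); c = nx; }
    cq->first = cq->last = NULL;
}

typedef void (*recv_fn)(chunkqueue *, const char *, size_t);

/* Deliver a constructed request of request_len bytes one byte per read
 * (the slow, tiny-chunk client) and return the buffer memory allocated. */
static size_t simulate_slow_client(recv_fn rx, size_t request_len) {
    chunkqueue cq = {0};
    for (size_t i = 0; i < request_len; i++) {
        char byte = (i % 2) ? 'A' : 'B';   /* constructed body bytes */
        rx(&cq, &byte, 1);
    }
    size_t allocated = cq.bytes_allocated;
    chunkqueue_free(&cq);
    return allocated;
}

/* Feed a constructed request line one byte at a time and return 1 if the
 * receiver reassembled it intact, so the fix is checked for correctness
 * as well as for memory use. */
static int content_intact(recv_fn rx) {
    static const char req[] = "GET / HTTP/1.0\r\nHost: example\r\n\r\n";
    chunkqueue cq = {0};
    for (size_t i = 0; i < sizeof req - 1; i++) rx(&cq, &req[i], 1);
    size_t off = 0;
    int ok = 1;
    for (chunk *c = cq.first; c; c = c->next) {
        if (memcmp(c->mem, req + off, c->used) != 0) ok = 0;
        off += c->used;
    }
    if (off != sizeof req - 1) ok = 0;
    chunkqueue_free(&cq);
    return ok;
}

int main(void) {
    size_t req = 4096;   /* a 4 kB request, drip-fed one byte per read */
    printf("vulnerable: %zu bytes allocated for %zu received\n",
           simulate_slow_client(recv_vulnerable, req), req);
    printf("fixed:      %zu bytes allocated for %zu received\n",
           simulate_slow_client(recv_fixed, req), req);
    return 0;
}
```

With a 4 kB request the vulnerable path allocates 4096 buffers of 4096 bytes (16 MiB) while the fixed path allocates one; multiply by the number of connections an attacker can hold open and the exhaustion is clear. Appending to the tail chunk only removes the per-read amplification; a server still needs request-size limits and connection timeouts so that a client cannot hold memory indefinitely by sending slowly.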
For the oldstable distribution (etch), this problem has been fixed in
version 1.4.13-4etch12.
For the stable distribution (lenny), this problem has been fixed in
version 1.4.19-5+lenny1.
For the testing (squeeze) and unstable (sid) distribution, this problem
will be fixed soon.
We recommend that you upgrade your lighttpd packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch12.dsc
Size/MD5 checksum: 1108 a2be7a82e20970071251e5ca71fc660c
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz
Size/MD5 checksum: 793309 3a64323b8482b0e8a6246dbfdb4c39dc
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch12.diff.gz
Size/MD5 checksum: 39820 9f05aa3a52053d707be87c0f35912ec3
Architecture independent packages:
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch12_all.deb
Size/MD5 checksum: 101098 6c7d7bfa494d88c38e9d53d44afcf49e
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch12_alpha.deb
Size/MD5 checksum: 60370 f24388eda6bc606c663ef909d1484ba9
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch12_alpha.deb
Size/MD5 checksum: 320406 3fd29fadf48816d99fe9baf030bb9a1e
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch12_alpha.deb
Size/MD5 checksum: 65202 0d22456f747d42de3c957350ffda2025
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch12_alpha.deb
Size/MD5 checksum: 72124 c913f4124bc228ca345264763f19c164
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch12_alpha.deb
Size/MD5 checksum: 62148 50582d9263916db3e5c3add5b0c82f40
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch12_alpha.deb
Size/MD5 checksum: 65638 bc8798836eb898e969fa1c74ced2263d
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch12_amd64.deb
Size/MD5 checksum: 61636 918877b620983d832971d5d3845f3c86
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch12_amd64.deb
Size/MD5 checksum: 59926 d72fad101197b9177348b3fdfe59020d
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch12_amd64.deb
Size/MD5 checksum: 64500 086df21a5fda61077c12b320407ccb26
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch12_amd64.deb
Size/MD5 checksum: 71032 bf00a3cd05e54d5aaa2cd91a9f79a5ac
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch12_amd64.deb
Size/MD5 checksum: 64836 f604cc138b5a8de2b52f468efb3f0031
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch12_amd64.deb
Size/MD5 checksum: 299794 08a9b33d69d1c7bb56d4b69a24205026
arm architecture (ARM)
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch12_arm.deb
Size/MD5 checksum: 61288 46a866402e943311aaeb5cbfb0eba5e3
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch12_arm.deb
Size/MD5 checksum: 287600 eef09d18e1d37b7422adf10f06c97406
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch12_arm.deb
Size/MD5 checksum: 59154 66b50d93049f016e5e6447b8ef813902
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch12_arm.deb
Size/MD5 checksum: 63548 e90e7a91f702f3d65be26eeed1ac1987
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch12_arm.deb
Size/MD5 checksum: 63340 dfd3a3db7d5e74c5abe7d64f3ec0d7f6
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch12_arm.deb
Size/MD5 checksum: 70208 f8818b2dca75f3204d6d63946631904e
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch12_hppa.deb
Size/MD5 checksum: 59804 67c275ae5602378c9c4690c53bda26b0
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch12_hppa.deb
Size/MD5 checksum: 65376 4a4b7c631ad2ac9d112ecf58dba33edf
[continued in next message]