Skip Quicknav

• About Debian
• News
• Getting Debian
• Support
• Developers' Corner
• Site map
• Search

Debian Security Advisory

DSA-1303-1 lighttpd -- denial of service

Date Reported:

10 Jun 2007

Affected Packages:

lighttpd

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 422254.
In Mitre's CVE dictionary: CVE-2007-1870, CVE-2007-1869.

More information:

Two problems were discovered with lighttpd, a fast webserver with minimal memory footprint, which could allow denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:

• CVE-2007-1869

  Remote attackers could cause denial of service by disconnecting partway through making a request.

• CVE-2007-1870

  A NULL pointer dereference could cause a crash when serving files with a mtime of 0.

For the stable distribution (etch) these problems have been fixed in version 1.4.13-4etch1.

For the unstable distribution (sid) these problems have been fixed in version 1.4.14-1.

We recommend that you upgrade your lighttpd package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1.dsc

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1.diff.gz

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz

Architecture-independent component:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch1_all.deb

Alpha:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_alpha.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_alpha.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_alpha.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_alpha.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_alpha.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_alpha.deb

AMD64:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_amd64.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_amd64.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_amd64.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_amd64.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_amd64.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_amd64.deb

ARM:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_arm.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_arm.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_arm.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_arm.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_arm.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_arm.deb

HPPA:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_hppa.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_hppa.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_hppa.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_hppa.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_hppa.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_hppa.deb

Intel IA-32:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_i386.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_i386.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_i386.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_i386.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_i386.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_i386.deb

Intel IA-64:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_ia64.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_ia64.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_ia64.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_ia64.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_ia64.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_ia64.deb

Big endian MIPS:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_mips.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_mips.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_mips.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_mips.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_mips.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_mips.deb

Little endian MIPS:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_mipsel.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_mipsel.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_mipsel.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_mipsel.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_mipsel.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_mipsel.deb

PowerPC:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_powerpc.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_powerpc.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_powerpc.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_powerpc.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_powerpc.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_powerpc.deb

IBM S/390:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_s390.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_s390.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_s390.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_s390.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_s390.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_s390.deb

Sun Sparc:

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch1_sparc.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch1_sparc.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch1_sparc.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch1_sparc.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch1_sparc.deb

http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

This page is also available in the following languages:

dansk Deutsch français svenska

How to set the default document language