Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2008-4298

Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers.

Related bugs and status

CVE-2008-4298 (Candidate) is related to these bugs:

Bug #279490: new lighttpd security fixes

		In	Importance	Status
279490	new lighttpd security fixes	lighttpd (Ubuntu)	Undecided	Fix Released
279490	new lighttpd security fixes	lighttpd (Ubuntu Dapper)	Undecided	Confirmed
279490	new lighttpd security fixes	lighttpd (Ubuntu Gutsy)	Undecided	Won't Fix
279490	new lighttpd security fixes	lighttpd (Ubuntu Hardy)	Undecided	Fix Released
279490	new lighttpd security fixes	lighttpd (Ubuntu Jaunty)	Undecided	Fix Released
279490	new lighttpd security fixes	lighttpd (Ubuntu Intrepid)	Undecided	Invalid

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2008092...
CONFIRM: http://bugs.gentoo.org...
CONFIRM: http://trac.lighttpd.n...
CONFIRM: http://trac.lighttpd.n...
CONFIRM: http://www.lighttpd.ne...
DEBIAN: DSA-1645
SECUNIA: 32132
BID: 31434
SECUNIA: 32069
CONFIRM: http://wiki.rpath.com/...
SUSE: SUSE-SR:2008:026
SECUNIA: 32834
GENTOO: GLSA-200812-04
SECUNIA: 32972
CONFIRM: http://wiki.rpath.com/...
SECUNIA: 32480
VUPEN: ADV-2008-2741
XF: lighttpd-httprequestpa...
BUGTRAQ: 20081030 rPSA-2008-030...