lighttpd crashes in some cases, giving a remote DoS possibility

Bug #195380 reported by Stephan Ruegamer on 2008-02-25
Affects | Status | Importance | Assigned to | Milestone
lighttpd | Fix Released | Unknown | |
lighttpd (Debian) | Fix Released | Unknown | |
lighttpd (Ubuntu) | | Medium | Stephan Ruegamer |
Dapper | | Medium | Emanuele Gentili |
Edgy | | Medium | Emanuele Gentili |
Feisty | | Medium | Emanuele Gentili |
Gutsy | | Medium | Emanuele Gentili |
Hardy | | Medium | Stephan Ruegamer |

Bug Description

Binary package hint: lighttpd

In some high-speed situations lighttpd crashes with more FDs allocated than allowed by the system.

Upstream is aware of it in http://trac.lighttpd.net/trac/ticket/1562, Debian knows this too...

No CVE filed, so there is a security issue but no CVE right now.

Stephan Ruegamer (sadig) wrote :

lighttpd (1.4.18-1ubuntu3) hardy; urgency=low

  * debian/patches/90_maxfds_crash_fix.dpatch:
    - added patch from upstream to fix the maxfds issue
    - See: http://trac.lighttpd.net/trac/ticket/1562

 -- Stephan Hermann <email address hidden> Mon, 25 Feb 2008 11:51:57 +0100

Changed in lighttpd:
assignee: nobody → shermann
importance: Undecided → Medium
status: New → Fix Released
importance: Undecided → Medium
status: New → Confirmed
importance: Undecided → Medium
status: New → Confirmed
importance: Undecided → Medium
status: New → Confirmed
importance: Undecided → Medium
status: New → Confirmed
Changed in lighttpd:
assignee: nobody → emgent
status: Confirmed → In Progress
assignee: nobody → emgent
status: Confirmed → In Progress
assignee: nobody → emgent
status: Confirmed → In Progress
assignee: nobody → emgent
status: Confirmed → In Progress
Emanuele Gentili (emgent) wrote :

+lighttpd (1.4.18-1ubuntu1.1) gutsy; urgency=low
+
+ * SECURITY UPDATE:
+ + debian/patches/90_maxfds_crash_fix.dpatch:
+ - added patch from upstream to fix the maxfds issue (LP: #195380)
+ * References
+ + http://trac.lighttpd.net/trac/ticket/1562
+
+ -- Emanuele Gentili <email address hidden> Mon, 25 Feb 2008 16:21:40 +0100
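
Review bot: the first line of the new changelog entry targets `gutsy` although the body is marked `SECURITY UPDATE`; the entry published for this same version further down the page uses `gutsy-security`, so the distribution field should be changed to match before upload. The entry also describes the fix only as "the maxfds issue"; a short phrase taken from the bug description (a crash when more FDs are allocated than the system allows) would make the changelog readable without following the ticket link.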

Changed in lighttpd:
status: Unknown → New
status: Unknown → Confirmed
Changed in lighttpd:
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.18-1ubuntu1.1

---------------
lighttpd (1.4.18-1ubuntu1.1) gutsy-security; urgency=low

  * SECURITY UPDATE:
    + debian/patches/90_maxfds_crash_fix.dpatch:
      - added patch from upstream to fix the maxfds issue (LP: #195380)
  * References
    + http://trac.lighttpd.net/trac/ticket/1562

 -- Emanuele Gentili <email address hidden> Mon, 25 Feb 2008 16:21:40 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.13-9ubuntu4.3

---------------
lighttpd (1.4.13-9ubuntu4.3) feisty-security; urgency=low

  * SECURITY UPDATE:
    + debian/patches/90_maxfds_crash_fix.dpatch:
      - added patch from upstream to fix the maxfds issue (LP: #195380)
  * References
    + http://trac.lighttpd.net/trac/ticket/1562

 -- Emanuele Gentili <email address hidden> Mon, 25 Feb 2008 16:35:30 +0100

Changed in lighttpd:
status: In Progress → Fix Released
status: In Progress → Fix Released
Changed in lighttpd:
status: Confirmed → Fix Released
Changed in lighttpd:
status: In Progress → Fix Released
status: In Progress → Fix Released
This report contains Public Security information
Everyone can see this security related information.
