Release date:
Updated on:
Affected Systems:
Lighttpd lighttpd 1.4.31
Description:
--------------------------------------------------------------------------------
CVE (CAN) ID: CVE-2012-5533
Lighttpd is an open-source lightweight Web server.
When lighttpd 1.4.31 processes certain HTTP request headers, the "http_request_split_value()" function (src/request.c) enters an infinite loop on specially crafted "Connection" header fields. Attackers can exploit this vulnerability to cause a denial of service in Lighttpd.
<* Source: Jesse Sipprell
Link: http://secunia.com/advisories/51268/
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Lighttpd
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch