Debian Security Advisory

DSA-1645-1 lighttpd -- various

Date Reported:
06 Oct 2008
Affected Packages:
lighttpd
Security database references:
In Mitre's CVE dictionary: CVE-2008-4298, CVE-2008-4359, CVE-2008-4360.
More information:

Several local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2008-4298

    A memory leak in the http_request_parse function could be used by remote attackers to make lighttpd consume ever more memory, resulting in a denial of service.

  • CVE-2008-4359

    Inconsistent handling of URL patterns could lead to the disclosure of resources that a server administrator did not anticipate when using rewritten URLs.

  • CVE-2008-4360

    On filesystems that do not distinguish path names by case, mod_userdir might make available resources that the administrator did not anticipate.

For the stable distribution (etch), these problems have been fixed in version 1.4.13-4etch11.

For the unstable distribution (sid), these problems will be fixed shortly.

We recommend that you upgrade your lighttpd package.

Fixed in:

Debian GNU/Linux 4.0 (etch): updated packages are available for the architecture-independent component and for the HP Precision, Intel IA-32, Intel IA-64, big-endian MIPS, IBM S/390 and Sun Sparc architectures.

MD5 checksums of the listed files are available in the original advisory.