Title: Lighttpd SSL Error Denial of Service Vulnerability
Severity: MODERATE
Description:
The 'lighttpd' program is a freely available web server application.
The application is prone to a remote denial-of-service vulnerability. Specifically, triggering an SSL error in one SSL session will cause all active SSL sessions on the server to terminate. Reportedly, disconnecting before a download has finished is enough to trigger this issue.
Successfully exploiting this issue allows remote attackers to close other clients' SSL connections, denying service to legitimate users.
The issue affects lighttpd 1.4.19 and prior versions.
Affected Products:
- Debian Linux 4.0
- Debian Linux 4.0 alpha
- Debian Linux 4.0 amd64
- Debian Linux 4.0 arm
- Debian Linux 4.0 hppa
- Debian Linux 4.0 ia-32
- Debian Linux 4.0 ia-64
- Debian Linux 4.0 m68k
- Debian Linux 4.0 mips
- Debian Linux 4.0 mipsel
- Debian Linux 4.0 powerpc
- Debian Linux 4.0 s/390
- Debian Linux 4.0 sparc
- Gentoo Linux
- Gentoo Linux 2007.0
- Linux kernel 2.6.5
- RedHat Fedora 7
- RedHat Fedora 8
- RedHat Fedora 9
- S.u.S.E. Linux 10.1 ppc
- S.u.S.E. Linux 10.1 x86
- S.u.S.E. Linux 10.1 x86-64
- S.u.S.E. Linux Enterprise Server 10
- S.u.S.E. openSUSE 10.2
- S.u.S.E. openSUSE 10.3
- lighttpd lighttpd 1.4.0
- lighttpd lighttpd 1.4.1
- lighttpd lighttpd 1.4.2
- lighttpd lighttpd 1.4.3
- lighttpd lighttpd 1.4.4
- lighttpd lighttpd 1.4.5
- lighttpd lighttpd 1.4.6
- lighttpd lighttpd 1.4.7
- lighttpd lighttpd 1.4.8
- lighttpd lighttpd 1.4.9
- lighttpd lighttpd 1.4.10
- lighttpd lighttpd 1.4.10a
- lighttpd lighttpd 1.4.11
- lighttpd lighttpd 1.4.12
- lighttpd lighttpd 1.4.13
- lighttpd lighttpd 1.4.14
- lighttpd lighttpd 1.4.15
- lighttpd lighttpd 1.4.16
- lighttpd lighttpd 1.4.17
- lighttpd lighttpd 1.4.18
- lighttpd lighttpd 1.4.19
- rPath rPath Linux 1
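As an added inventory aid (not code from the advisory or from the lighttpd project), the helper below classifies a lighttpd Server banner against the range stated above, 1.4.19 and prior, treating point re-releases such as 1.4.10a as the same patch level and reporting "unknown" when the banner hides its version. The sample banners are constructed; distribution packages often backport fixes without changing the version, so a match means "check the package changelog", not "confirmed vulnerable".

```python
import re

# Highest release the advisory lists as affected (1.4.19 and prior).
LAST_AFFECTED = (1, 4, 19)

# Matches 'lighttpd' optionally followed by '/MAJOR.MINOR.PATCH' and an
# optional trailing letter (e.g. 'lighttpd/1.4.10a').
_BANNER = re.compile(r"^\s*lighttpd(?:/(\d+)\.(\d+)\.(\d+)[a-z]?)?", re.IGNORECASE)


def parse_lighttpd_version(server_header):
    """Return (major, minor, patch) from a banner such as 'lighttpd/1.4.10a'.

    A trailing letter is a point re-release of the same patch level and does
    not change the classification. Returns None when the banner is not
    lighttpd or does not expose a version ('Server: lighttpd').
    """
    m = _BANNER.match(server_header or "")
    if not m or m.group(1) is None:
        return None
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def classify(server_header):
    """Classify one Server header as 'affected', 'fixed', or 'unknown'."""
    version = parse_lighttpd_version(server_header)
    if version is None:
        return "unknown"  # not lighttpd, or version not exposed: verify by package
    return "affected" if version <= LAST_AFFECTED else "fixed"


def classify_headers(headers):
    """Classify a mapping of host -> Server header into verdicts."""
    return {host: classify(banner) for host, banner in headers.items()}


if __name__ == "__main__":
    # Constructed sample banners, not collected from real hosts.
    sample = {
        "host-a": "lighttpd/1.4.13",
        "host-b": "lighttpd/1.4.10a",
        "host-c": "lighttpd/1.4.20",
        "host-d": "lighttpd",
        "host-e": "Apache/2.2.8",
    }
    for host, verdict in classify_headers(sample).items():
        print(f"{host}: {verdict}")
```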
References:
- Gentoo: Gentoo Bug 214892
- lighttpd: Ticket #285 (reopened defect)
- lighttpd: lighttpd Changeset 2136
- lighttpd: lighttpd Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.