National Cyber Awareness System

Vulnerability Summary for CVE-2010-0295

Overview

lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: BID

Name: 38036

Type: Patch Information; Exploit

Hyperlink:http://www.securityfocus.com/bid/38036

External Source: CONFIRM

Name: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt

Type: Patch Information

Hyperlink:http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt

External Source: CONFIRM

Name: http://download.lighttpd.net/lighttpd/security/lighttpd-1.5_fix_slow_request_dos.patch

Type: Patch Information

Hyperlink:http://download.lighttpd.net/lighttpd/security/lighttpd-1.5_fix_slow_request_dos.patch

External Source: CONFIRM

Name: http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.x_fix_slow_request_dos.patch

Type: Patch Information

Hyperlink:http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.x_fix_slow_request_dos.patch

External Source: XF

Name: lighttpd-slow-request-dos(56038)

Hyperlink:http://xforce.iss.net/xforce/xfdb/56038

External Source: VUPEN

Name: ADV-2011-0172

Hyperlink:http://www.vupen.com/english/advisories/2011/0172

External Source: MLIST

Name: [oss-security] 20100202 lighttpd: slow request dos/oom attack [CVE-2010-0295]

Hyperlink:http://www.openwall.com/lists/oss-security/2010/02/01/8

External Source: DEBIAN

Name: DSA-1987

Hyperlink:http://www.debian.org/security/2010/dsa-1987

External Source: GENTOO

Name: GLSA-201006-17

Hyperlink:http://security.gentoo.org/glsa/glsa-201006-17.xml

External Source: SECUNIA

Name: 39765

Hyperlink:http://secunia.com/advisories/39765

External Source: SECUNIA

Name: 38403

Type: Advisory

Hyperlink:http://secunia.com/advisories/38403

External Source: CONFIRM

Name: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2711

Hyperlink:http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2711

External Source: CONFIRM

Name: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2710

Hyperlink:http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2710

External Source: CONFIRM

Name: http://redmine.lighttpd.net/issues/2147

Hyperlink:http://redmine.lighttpd.net/issues/2147

External Source: SUSE

Name: SUSE-SR:2010:003

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00003.html

External Source: FEDORA

Name: FEDORA-2010-7643

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041307.html

External Source: FEDORA

Name: FEDORA-2010-7611

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041296.html

External Source: FEDORA

Name: FEDORA-2010-7636

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041264.html

External Source: CONFIRM

Name: http://blogs.sun.com/security/entry/cve_2010_0295_vulnerability_in

Hyperlink:http://blogs.sun.com/security/entry/cve_2010_0295_vulnerability_in