Several local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-0983 lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access. CVE-2007-3948 connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts. For the stable distribution (etch), these problems have been fixed in version 1.4.13-4etch9. For the unstable distribution (sid), these problems have been fixed in version 1.4.18-2. We recommend that you upgrade your lighttpd package.
Several local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint.
The Common Vulnerabilities and Exposures project identifies the following problems:
lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access.
connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts.
For the stable distribution (etch), these problems have been fixed in version 1.4.13-4etch9.
For the unstable distribution (sid), these problems have been fixed in version 1.4.18-2.
We recommend that you upgrade your lighttpd package.
MD5 checksums of the listed files are available in the original advisory.