Security Announce: slow request DoS/OOM attack
February 1st, 2010
Li Ming reported a serious bug in lighttpd:
If you send the request data very slowly (e.g. sleep 0.01 after each byte), lighttpd will easily use all available memory and die (especially for parallel requests), allowing a DoS within minutes.
The bug is tracked as CVE-2010-0295.
As far as we know all versions are affected.
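A generic server-side guard against the slow-request pattern described above, added here as an example; it is not lighttpd's code and not the project's fix. It reads the request head into a single size-capped buffer under a total deadline and a minimum average byte rate. The function name, exception names and limit values are assumptions chosen for illustration.

```python
import socket
import time

# Assumed limits for illustration; tune to the deployment.
MAX_HEAD_BYTES = 8192    # cap on request line + headers
HEAD_DEADLINE_S = 10.0   # total time allowed to deliver the head
MIN_RATE_BPS = 100       # minimum average bytes/second after the grace period
GRACE_S = 1.0            # no rate check before this much time has passed


class SlowRequest(Exception):
    """The client did not deliver the request head fast enough."""


class HeadTooLarge(Exception):
    """The request head exceeded the size cap."""


def read_request_head(conn, max_bytes=MAX_HEAD_BYTES, deadline_s=HEAD_DEADLINE_S,
                      min_rate_bps=MIN_RATE_BPS, grace_s=GRACE_S):
    """Return (head, leftover) or raise; memory use is bounded by max_bytes."""
    buf = bytearray()
    start = time.monotonic()
    while True:
        elapsed = time.monotonic() - start
        remaining = deadline_s - elapsed
        if remaining <= 0:
            raise SlowRequest("head not complete within deadline")
        if elapsed > grace_s and len(buf) / elapsed < min_rate_bps:
            raise SlowRequest("average rate below minimum")
        # Wake up at least every grace_s so a silent peer is re-checked.
        conn.settimeout(min(remaining, grace_s))
        try:
            chunk = conn.recv(min(4096, max_bytes - len(buf)))
        except socket.timeout:
            continue
        if not chunk:
            raise ConnectionError("peer closed before end of headers")
        buf += chunk  # single buffer, size capped by max_bytes
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return bytes(buf[:end + 4]), bytes(buf[end + 4:])
        if len(buf) >= max_bytes:
            raise HeadTooLarge("no end of headers within size cap")
```

A caller would close the connection on `SlowRequest` or `HeadTooLarge`, so a stalled peer holds at most `max_bytes` of buffer for at most `deadline_s` seconds.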
4 Responses to “Security Announce: slow request DoS/OOM attack”
February 2nd, 2010 at 01:46 AM No bug fix release?
February 2nd, 2010 at 07:42 AM woohoo maybe eliminate lack of stability a little :) Thanks for updating lighttpd project
February 2nd, 2010 at 10:00 AM Please provide lighttpd 1.4.26 with this bugfix. It's easier for many people to install it than using svn or patch. Thanks :)
February 2nd, 2010 at 10:37 PM Well, I guess I need to update my 1.5 server...