Skip to content

Home

Security Announce: slow request DoS/OOM attack

Li Ming reported a serious bug in lighttpd:

If you send the request data very slow (e.g. sleep 0.01 after each byte), lighttpd will easily use all available memory and die (especially for parallel requests), allowing a DoS within minutes.

See:

The bug is tracked as CVE-2010-0295.

As far as we know all versions are affected.

1.4.25 - the slogan is a lie

We did some important bug fixes (some of them new since 1.4.24, and some older bugs). Only 2 small new features: traceback for lua errors and the SSL_CLIENT_* vars export for ssl client cert validation.

Downloads

1.4.24 - now with TLS SNI and money back guarantee

Update: There is a small regression in mod_magnet, see #1307

We finally added TLS SNI, and many other small improvements. We also fixed pipelining (that should fix problem with lighty as debian mirror) and some mod_fastcgi bugs - this should result in improved handling of overloaded and crashed backends (you know which one :D).

Important changes

  • Connection state handling (pipelining should work now)
  • FastCGI fixes: improved disabled-time handling, fixed bug in active-backends counter.
  • TLS SNI support

Downloads

1.4.23 - Leaving the nest

Time for a new release: spawn-fcgi is now going its own ways in an independent project (hence the release slogan; see https://redmine.lighttpd.net/projects/spawn-fcgi), wsgi applications in / should work now (use the fastcgi/scgi option “fix-root-scriptname”) and many other fixes and improvements.

Please note that the “X-Sendfile-Range” header did not make it into 1.4.23, and we will try a more powerful approach for 1.4.24 (see #2008).

Important changes

  • Fix workaround for incorrect path info/scriptname if fastcgi prefix is “/” (fixes #729)
  • Finally removed spawn-fcgi
  • Fix bug with FastCGI request id overflow under high load; just use always id 1 as we don’t use multiplexing. (thx jgray)
  • Workaround broken operating systems: check for trailing ‘/’ in filenames (fixes #1989)

Downloads

1.4.22 - Echoes

And here we are again… we had some bad regressions, so 1.4.22 was needed earlier than we expected and spawn-fcgi is still included in this release.

But spawn-fcgi 1.6.0 has been released, see https://redmine.lighttpd.net/projects/spawn-fcgi/news, so expect it to be removed soon.

Important Changes

  • Fix default vhost in mod_simple_vhost (fixes #1905)
  • Fix segfault in mod_scgi (fixes #1911)
  • Fix error handling in freebsd sendfile (fixes #1913)

Downloads

1.4.21 - “Yes we can… do another release”

Four and a half months after the release of 1.4.20 comes a new version in the stable branch of lighty: 1.4.21 is here.\ It is a bugfix release but also contains 3 small new features.\ We would like to thank everybody who reported bugs, especially the ones who provided patches.

spawn-fcgi warning

We decided to remove spawn-fcgi after this release from the lighttpd source, there is now a separate project for it:\ https://redmine.lighttpd.net/projects/spawn-fcgi

Important changes

  • Reverted fix for CVE-2008-4359 (too many regressions - see #1720 and r2362): do NOT use rewrite/redirect to protect specific urls!
  • Fixed a bug when server.max-connections was hit
  • SSLv2 disabled by default
  • New setting to disable returning of a 417 if “Expect: 100-continue” header is given:

    server.reject-expect-100-with-417 = "disable"
    

  • Settings that require numbers can now be strings too which get converted. Useful in conjunction wth env vars (thx andrewb)

  • mod_compress now supports caching through etags and last-modified
  • The annoying log entries about timeouted connections are now disabled by default and can be enabled with a new setting:

debug.log-timeouts = "enable"
* New $HTTP["language"] conditional (thx to petar) which allows interesting new configs like:
\$HTTP\["language"\] =\~ "(de\|it\|hr)" {\
url.redirect = ( "\^/\$" =\> "http://www.site.net/%1/" )\
}

Downloads

1.4.20 - Otherwise the terrorists win

After two prereleases and a lot of bugfixing, we are proud to announce a new release of the 1.4 branch: 1.4.20 is finally out. We would like to thank everybody who tested the prereleases and/or reported bugs in our ticket system. Please pay special attention to the security announcements:

Download

  • lighttpd-1.4.20.tar.gz
    (sha1sum: 61790c02d9e96c3cb23ffd3907f1caee64c475dd
    md5sum: 7ce7eefb487682b61d9b06b41864c64a)
  • lighttpd-1.4.20.tar.bz2
    (sha1sum: e5944a40579e0f37c6a0eeb0ad751344b2d6006c
    md5sum: ed6ee0bb714f393219a32768d86984d8)

1.4.19 - Made in Germany

Long time no see.

It has been almost half a year since 1.4.18. 6months. Jan has been working on many interesting features for 1.5.1 Currently he ports it to glib2.

But back to 1.4.19. Yes again the release date was nailed down by a few security bugs. cough Nevertheless we got a ton of other nice bugfixes. All praise our new lighttpd hero Stefan Bühler. Big thank you from my side. (darix)

Download

  • lighttpd-1.4.19.tar.gz\ (sha1sum: 79e2d61dd9017c3c50c0fe98b2289cae5c1255ee\ md5sum: cede410e7adee3ea14206749190a8b5d)
  • lighttpd-1.4.19.tar.bz2\ (sha1sum: fd4450e7faae55ebe0905114722995b0c57397cc\ md5sum: d787374e4e4aaa09d5cfa9ab9d23ad40)