Lighttpd: Denial of Service — GLSA 202210-12

A vulnerability has been discovered in lighttpd which could result in denial of service.

Affected packages

www-servers/lighttpd on all architectures
Affected versions < 1.4.67
Unaffected versions >= 1.4.67

Background

Lighttpd is a lightweight high-performance web server.

Description

Lighttpd's mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received.

Impact

An attacker can trigger a denial of service via making Lighttpd try to call an uninitialized function pointer.

Workaround

There is no known workaround at this time.

Resolution

All lighttpd users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.67"
 

References

Release date
October 31, 2022

Latest revision
October 31, 2022: 1

Severity
low

Exploitable
remote

Bugzilla entries