Amazon Linux 1 Security Advisory: ALAS-2013-179
Advisory Release Date: 2013-04-11 17:24 Pacific
Advisory Updated Date: 2014-09-15 22:49 Pacific
The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.
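The failure mode described above, a list parser that stops advancing when a list member is empty, shown as an added example next to a splitter that always makes progress. This is constructed code, not lighttpd's request.c; the names split_naive and split_safe and the max_steps bound are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class; not lighttpd's request.c. */

/* Naive splitter: the ',' is consumed only after a non-empty token, so an
 * empty token leaves the cursor where it was. max_steps (an assumption added
 * here) bounds the loop so the stall is observable: returns -1 on stall. */
int split_naive(const char *v, int max_steps) {
    size_t i = 0, len = strlen(v);
    int tokens = 0;
    while (i < len) {
        if (max_steps-- <= 0) return -1;       /* no forward progress */
        while (i < len && (v[i] == ' ' || v[i] == '\t')) i++;
        size_t start = i;
        while (i < len && v[i] != ',') i++;
        if (i > start) {                        /* non-empty token */
            tokens++;
            if (i < len) i++;                   /* step over ',' */
        }
    }
    return tokens;
}

/* Hardened splitter: every pass either reaches the end of the value or steps
 * over one ',', so it terminates on any input. *empty counts list members
 * that are empty (nothing but whitespace before their comma). */
int split_safe(const char *v, int *empty) {
    size_t i = 0, len = strlen(v);
    int tokens = 0;
    *empty = 0;
    while (i < len) {
        while (i < len && (v[i] == ' ' || v[i] == '\t')) i++;
        size_t start = i;
        while (i < len && v[i] != ',') i++;
        if (i > start) tokens++;
        else if (i < len) (*empty)++;           /* empty member before ',' */
        if (i < len) i++;                       /* always step over ',' */
    }
    return tokens;
}

int main(void) {
    const char *hdr = "TE,,Keep-Alive";  /* header value quoted in the advisory */
    int empty;
    printf("naive: %d\n", split_naive(hdr, 1000));
    printf("safe:  %d tokens, ", split_safe(hdr, &empty));
    printf("%d empty\n", empty);
    return 0;
}
```

A non-zero empty count from split_safe is also a usable signal for request filtering or log review, since well-formed clients rarely send empty members in a Connection header.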
Affected Packages:
lighttpd
Issue Correction:
Run yum update lighttpd to update your system.
i686:
lighttpd-mod_geoip-1.4.31-1.5.amzn1.i686
lighttpd-debuginfo-1.4.31-1.5.amzn1.i686
lighttpd-1.4.31-1.5.amzn1.i686
lighttpd-mod_mysql_vhost-1.4.31-1.5.amzn1.i686
lighttpd-fastcgi-1.4.31-1.5.amzn1.i686
src:
lighttpd-1.4.31-1.5.amzn1.src
x86_64:
lighttpd-debuginfo-1.4.31-1.5.amzn1.x86_64
lighttpd-mod_mysql_vhost-1.4.31-1.5.amzn1.x86_64
lighttpd-mod_geoip-1.4.31-1.5.amzn1.x86_64
lighttpd-fastcgi-1.4.31-1.5.amzn1.x86_64
lighttpd-1.4.31-1.5.amzn1.x86_64