ALAS-2013-179


Amazon Linux AMI Security Advisory: ALAS-2013-179
Advisory Release Date: 2014-09-15 22:49 Pacific
Severity: Medium
References: CVE-2012-5533 

Issue Overview:

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.


Affected Packages:

lighttpd


Issue Correction:
Run yum update lighttpd to update your system.

New Packages:
i686:
    lighttpd-mod_geoip-1.4.31-1.5.amzn1.i686
    lighttpd-debuginfo-1.4.31-1.5.amzn1.i686
    lighttpd-1.4.31-1.5.amzn1.i686
    lighttpd-mod_mysql_vhost-1.4.31-1.5.amzn1.i686
    lighttpd-fastcgi-1.4.31-1.5.amzn1.i686

src:
    lighttpd-1.4.31-1.5.amzn1.src

x86_64:
    lighttpd-debuginfo-1.4.31-1.5.amzn1.x86_64
    lighttpd-mod_mysql_vhost-1.4.31-1.5.amzn1.x86_64
    lighttpd-mod_geoip-1.4.31-1.5.amzn1.x86_64
    lighttpd-fastcgi-1.4.31-1.5.amzn1.x86_64
    lighttpd-1.4.31-1.5.amzn1.x86_64