CVE-2022-41556

CVE-2022-41556

Name

CVE-2022-41556

Description

A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/lighttpd/lighttpd1.4/pull/115
MISC	https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50
MISC	https://github.com/lighttpd/lighttpd1.4/compare/lighttpd-1.4.66...lighttpd-1.4.67
GENTOO	https://security.gentoo.org/glsa/202210-12
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVOSBSCMLGCHH2Z74H64ZWVDFJFQTBC2/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVOSBSCMLGCHH2Z74H64ZWVDFJFQTBC2/

Type

URI

MISC

https://github.com/lighttpd/lighttpd1.4/pull/115

MISC

https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50

MISC

https://github.com/lighttpd/lighttpd1.4/compare/lighttpd-1.4.66...lighttpd-1.4.67

GENTOO

https://security.gentoo.org/glsa/202210-12

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVOSBSCMLGCHH2Z74H64ZWVDFJFQTBC2/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVOSBSCMLGCHH2Z74H64ZWVDFJFQTBC2/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:lighttpd:lighttpd::::::::`	lighttpd	>= 1.4.56	< 1.4.67

CPE URI

Source package

Min version

Max version

cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*

lighttpd

>= 1.4.56

< 1.4.67

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
lighttpd	edge-main	1.4.67-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
lighttpd	edge-main	1.4.64-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
lighttpd	3.22-main	1.4.67-r0	None	fixed
lighttpd	3.22-main	1.4.64-r0	None	possibly vulnerable
lighttpd	3.21-main	1.4.67-r0	None	fixed
lighttpd	3.21-main	1.4.64-r0	None	possibly vulnerable
lighttpd	3.20-main	1.4.67-r0	None	fixed
lighttpd	3.20-main	1.4.64-r0	None	possibly vulnerable
lighttpd	3.19-main	1.4.67-r0	None	fixed
lighttpd	3.19-main	1.4.64-r0	None	possibly vulnerable
lighttpd	3.18-main	1.4.67-r0	None	fixed
lighttpd	3.17-main	1.4.67-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

lighttpd

edge-main

1.4.67-r0

Natanael Copa <ncopa@alpinelinux.org>

fixed

lighttpd

edge-main