oss-security - lighttpd 1.4.32 released, fixing CVE-2012-5533

Products
- Openwall GNU/*/Linux server OS
- John the Ripper password cracker
  - Free & Open Source for any platform
  - Pro for Linux (RPM package)
  - Pro for Mac OS X (dmg package)
- Wordlists for password cracking
- passwdqc policy enforcement
- phpass password hashing in PHP
- crypt_blowfish ditto in C/C++
- tcb better password shadowing
- Pluggable Authentication Modules
- scanlogd port scan detector
- popa3d tiny POP3 daemon
- blists web interface to mailing lists
- msulogin single user mode login
- php_mt_seed mt_rand() cracker
Services
Publications
- Articles
- Presentations
Community
- Mailing lists
- Community wiki
- Donations
Resources
- Source code repository (CVSweb)
- File archive & mirrors
- How to verify digital signatures
- Password recovery resources
- Recommended books
What's new

Date: Wed, 21 Nov 2012 13:20:13 +0100 From: Stefan Bühler <stbuehler@...httpd.net> To: oss-security@...ts.openwall.com Cc: lighttpd-announce@...ts.lighttpd.net Subject: lighttpd 1.4.32 released, fixing CVE-2012-5533 Hi, we just released lighttpd 1.4.32, fixing a DoS reported by Jesse Sipprell from McClatchy Interactive, Inc. Sending "Connection: TE,,Keep-Alive" as header will trigger an endless loop; as lighttpd is single threaded all request handling will stop immediately. Only lighttpd 1.4.31 is affected by this. For more details and other changes see: * www.lighttpd.net/2012/11/21/1-4-32/ * download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt Regards, Stefan [ CONTENT OF TYPE application/pgp-signature SKIPPED ]