Advisories » MGASA-2022-0369

Updated lighttpd packages fix security vulnerability

Publication date: 13 Oct 2022
Modification date: 13 Oct 2022
Type: security
Affected Mageia releases : 8
CVE: CVE-2022-37797 , CVE-2022-41556

Description

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function
pointer if an invalid HTTP request (websocket handshake) is received. It
leads to null pointer dereference which crashes the server. It could be
used by an external attacker to cause denial of service condition.
(CVE-2022-37797)

A resource leak in mod_fastcgi and mod_scgi could lead to a denial of
service after a large number of bad HTTP requests. (CVE-2022-41556)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=30912
• https://www.debian.org/security/2022/dsa-5243
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37797
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41556

SRPMS

8/core

• lighttpd-1.4.59-1.2.mga8