Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
core-101-upgrade-fails-if-Content-Length.patch | [PATCH] [core] 101 upgrade fails if Content-Length incl (fixes #3063) (thx daimh) commit 903024d7 in lighttpd 1.4.57 fixed issue #3046 but in the process broke HTTP/1.1 101 Switching Protocols which included Content-Length: 0 in the response headers. Content-Length response header is permitted by the RFCs, but not necessary with HTTP status 101 Switching Protocols. x-ref: "websocket proxy fails if 101 Switching Protocols from backend includes Content-Length" https://redmine.lighttpd.net/issues/3063 | Glenn Strauss <gstrauss@gluelogic.com> | no | | | 2021-02-04 |
mod_auth-close-HTTP-2-connection-after-bad-pass.patch | [PATCH] [mod_auth] close HTTP/2 connection after bad pass mitigation slows down brute force password attacks x-ref: "Possible feature: authentication brute force hardening" https://redmine.lighttpd.net/boards/3/topics/8885 | Glenn Strauss <gstrauss@gluelogic.com> | no | | | 2021-02-06 |
mod_extforward-fix-out-of-bounds-OOB-write.patch | [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134) (thx povcfe) (edited: gstrauss) There is a potential remote denial of service in lighttpd mod_extforward under specific, non-default and uncommon 32-bit lighttpd mod_extforward configurations. Under specific, non-default and uncommon lighttpd mod_extforward configurations, a remote attacker can trigger a 4-byte out-of-bounds write of value '-1' to the stack. This is not believed to be exploitable in any way beyond triggering a crash of the lighttpd server on systems where the lighttpd server has been built 32-bit and with compiler flags which enable a stack canary -- gcc/clang -fstack-protector-strong or -fstack-protector-all, but bug not visible with only -fstack-protector. With standard lighttpd builds using -O2 optimization on 64-bit x86_64, this bug has not been observed to cause adverse behavior, even with gcc/clang -fstack-protector-strong. For the bug to be reachable, the user must be using a non-default lighttpd configuration which enables mod_extforward and configures mod_extforward to accept and parse the "Forwarded" header from a trusted proxy. At this time, support for RFC7239 Forwarded is not common in CDN providers or popular web server reverse proxies. It bears repeating that for the user to desire to configure lighttpd mod_extforward to accept "Forwarded", the user must also be using a trusted proxy (in front of lighttpd) which understands and actively modifies the "Forwarded" header sent to lighttpd. lighttpd natively supports RFC7239 "Forwarded" hiawatha natively supports RFC7239 "Forwarded" nginx can be manually configured to add a "Forwarded" header https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ A 64-bit build of lighttpd on x86_64 (not known to be affected by bug) in front of another 32-bit lighttpd will detect and reject a malicious "Forwarded" request header, thereby thwarting an attempt to trigger this bug in an upstream 32-bit lighttpd. The following servers currently do not natively support RFC7239 Forwarded: nginx apache2 caddy node.js haproxy squid varnish-cache litespeed Given the general dearth of support for RFC7239 Forwarded in popular CDNs and web server reverse proxies, and given the prerequisites in lighttpd mod_extforward needed to reach this bug, the number of lighttpd servers vulnerable to this bug is estimated to be vanishingly small. Large systems using reverse proxies are likely running 64-bit lighttpd, which is not known to be adversely affected by this bug. In the future, it is desirable for more servers to implement RFC7239 Forwarded. lighttpd developers would like to thank povcfe for reporting this bug so that it can be fixed before more CDNs and web servers implement RFC7239 Forwarded. x-ref: "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1" https://redmine.lighttpd.net/issues/3134 (not yet written or published) CVE-2022-22707 | povcfe <povcfe@qq.com> | no | | | 2022-01-05 |
CVE-2022-37797.patch | commit 971773f1fae600074b46ef64f3ca1f76c227985f [mod_wstunnel] fix crash with bad hybivers (fixes #3165) (thx Michał Dardas) x-ref: "mod_wstunnel null pointer dereference" https://redmine.lighttpd.net/issues/3165 diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c index 42886f0d..ce371bf7 100644 | Glenn Strauss <gstrauss@gluelogic.com> | no | | | 2022-08-03 |
CVE-2022-41556.patch | commit b18de6f9264f914f7bf493abd3b6059343548e50 [core] handle RDHUP when collecting chunked body handle RDHUP as soon as RDHUP detected when collecting HTTP/1.1 chunked request body (and when not streaming request body to backend) x-ref: https://github.com/lighttpd/lighttpd1.4/pull/115 | Glenn Strauss <gstrauss@gluelogic.com> | no | | | 2022-09-11 |