Debian DSA-1987-1 : lighttpd - denial of service

medium Nessus Plugin ID 44851



The remote Debian host is missing a security-related update.


Li Ming discovered that lighttpd, a small and fast webserver with minimal memory footprint, is vulnerable to a denial of service attack due to bad memory handling. Slowly sending very small chunks of request data causes lighttpd to allocate new buffers for each read instead of appending to old ones. An attacker can abuse this behaviour to cause denial of service conditions due to memory exhaustion.


Upgrade the lighttpd packages.

For the oldstable distribution (etch), this problem has been fixed in version 1.4.13-4etch12.

For the stable distribution (lenny), this problem has been fixed in version 1.4.19-5+lenny1.

See Also

Plugin Details

Severity: Medium

ID: 44851

File Name: debian_DSA-1987.nasl

Version: 1.11

Type: local

Agent: unix

Published: 2/24/2010

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information


Risk Factor: Low

Score: 2.2


Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:lighttpd, cpe:/o:debian:debian_linux:4.0, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/2/2010

Reference Information

CVE: CVE-2010-0295

BID: 38036

CWE: 399

DSA: 1987