Several local/remote vulnerabilities have been discovered in lighttpd,
a fast webserver with minimal memory footprint.
The Common Vulnerabilities and Exposures project identifies the
following problems:
- CVE-2008-0983
lighttpd 1.4.18, and possibly other versions before 1.5.0, does not
properly calculate the size of a file descriptor array, which allows
remote attackers to cause a denial of service (crash) via a large number
of connections, which triggers an out-of-bounds access.
- CVE-2007-3948
connections.c in lighttpd before 1.4.16 might accept more connections
than the configured maximum, which allows remote attackers to cause a
denial of service (failed assertion) via a large number of connection
attempts.
For the stable distribution (etch), these problems have been fixed in
version 1.4.13-4etch9.
For the unstable distribution (sid), these problems have been fixed in
version 1.4.18-2.
We recommend that you upgrade your lighttpd package.