FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-1531

This CVE name corresponds to:

Entered: 2008-04-13
Topic: lighttpd -- OpenSSL Error Queue Denial of Service Vulnerability

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2008-1531
Phase: Assigned (20080327)

Description

The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost.

References

Source Reference
BUGTRAQ 20080331 rPSA-2008-0132-1 lighttpd
MISC http://trac.lighttpd.net/trac/ticket/285#comment:18
MISC http://trac.lighttpd.net/trac/ticket/285#comment:21
CONFIRM http://trac.lighttpd.net/trac/changeset/2136
CONFIRM http://trac.lighttpd.net/trac/changeset/2139
CONFIRM http://trac.lighttpd.net/trac/changeset/2140
CONFIRM https://bugs.gentoo.org/show_bug.cgi?id=214892
CONFIRM https://issues.rpath.com/browse/RPL-2407
CONFIRM http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0132
DEBIAN DSA-1540
FEDORA FEDORA-2008-3343
FEDORA FEDORA-2008-3376
GENTOO GLSA-200804-08
SUSE SUSE-SR:2008:011
BID 28489
VUPEN ADV-2008-1063
OSVDB 43788
SECUNIA 29649
SECUNIA 29636
SECUNIA 29505
SECUNIA 29544
SECUNIA 30023
XF lighttpd-sslerror-dos(41545)