Candidate: CVE-2012-5533
PublicDate: 2012-11-24 20:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5533
 http://www.securitytracker.com/id?1027802
 http://www.openwall.com/lists/oss-security/2012/11/21/1
 http://www.exploit-db.com/exploits/22902
 http://secunia.com/advisories/51298
 http://secunia.com/advisories/51268
 http://osvdb.org/87623
 http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html
 http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt
 http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch
Description:
 The http_request_split_value function in request.c in lighttpd before
 1.4.32 allows remote attackers to cause a denial of service (infinite loop)
 via a request with a header containing an empty token, as demonstrated
 using the "Connection: TE,,Keep-Alive" header.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_lighttpd:
 upstream: http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch
upstream_lighttpd: released (1.4.31-2)
hardy_lighttpd: not-affected (1.4.19-0ubuntu3.1)
lucid_lighttpd: not-affected (1.4.26-1.1ubuntu3.1)
oneiric_lighttpd: not-affected (1.4.28-2ubuntu2.1)
precise_lighttpd: not-affected (1.4.28-2ubuntu4)
quantal_lighttpd: not-affected (1.4.28-2ubuntu4)
devel_lighttpd: not-affected (1.4.28-2ubuntu4)