Source: lighttpd
Version: 1.4.79-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for lighttpd.

CVE-2025-8671[0]:
| A mismatch caused by client-triggered server-sent stream resets
| between HTTP/2 specifications and the internal architectures of some
| HTTP/2 implementations may result in excessive server resource
| consumption leading to denial-of-service (DoS). By opening streams
| and then rapidly triggering the server to reset them—using malformed
| frames or flow control errors—an attacker can exploit incorrect
| stream accounting. Streams reset by the server are considered closed
| at the protocol level, even though backend processing continues.
| This allows a client to cause the server to handle an unbounded
| number of concurrent streams on a single connection. This CVE will
| be updated as affected product details are released.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-8671
    https://www.cve.org/CVERecord?id=CVE-2025-8671
[1] https://kb.cert.org/vuls/id/767506
[2] https://www.lighttpd.net/2025/8/13/1.4.80/
[3] https://github.com/lighttpd/lighttpd1.4/commit/8442ca4c699566cdd7369e09690926f403b54fc9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
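The accounting mismatch the CVE text describes, as an added toy model (constructed for illustration; this is not lighttpd's code and not the content of the referenced upstream commit). A server tracks streams that are open at the HTTP/2 protocol level separately from streams whose backend work is still in flight. When a server-sent RST_STREAM closes a stream at the protocol level without cancelling or counting its backend work, the concurrent-stream limit no longer bounds backend load; counting backend in-flight streams against the limit restores the bound. The limit value and all identifiers below are assumptions of this example.

```python
"""Toy model of HTTP/2 stream accounting (constructed example, not lighttpd code)."""
from dataclasses import dataclass, field

# Constructed stand-in for the server's advertised SETTINGS_MAX_CONCURRENT_STREAMS.
MAX_CONCURRENT_STREAMS = 4


@dataclass
class Connection:
    # False models the flawed accounting (protocol-level state only);
    # True models the corrected accounting (backend work also counted).
    count_backend_work: bool
    protocol_open: set = field(default_factory=set)
    backend_inflight: set = field(default_factory=set)
    rejected: int = 0

    def active(self) -> int:
        """Streams charged against the concurrency limit."""
        if self.count_backend_work:
            return len(self.protocol_open | self.backend_inflight)
        return len(self.protocol_open)

    def open_stream(self, sid: int) -> bool:
        """Client opens a stream; the server hands it to the backend."""
        if self.active() >= MAX_CONCURRENT_STREAMS:
            self.rejected += 1  # refused (e.g. RST_STREAM REFUSED_STREAM)
            return False
        self.protocol_open.add(sid)
        self.backend_inflight.add(sid)
        return True

    def server_reset(self, sid: int) -> None:
        """Server sends RST_STREAM (malformed frame, flow-control error, ...).
        The stream is closed at the protocol level, but nothing here
        cancels the backend work already started for it."""
        self.protocol_open.discard(sid)

    def backend_done(self, sid: int) -> None:
        """Backend finishes; only now is the resource actually released."""
        self.backend_inflight.discard(sid)


def simulate(count_backend_work: bool, attempts: int = 20) -> tuple:
    """Client repeatedly opens a stream and immediately provokes a server reset,
    while the backend never finishes. Returns (peak backend in-flight, rejected opens)."""
    conn = Connection(count_backend_work)
    peak = 0
    for sid in range(1, 2 * attempts, 2):  # client-initiated streams use odd ids
        if conn.open_stream(sid):
            conn.server_reset(sid)
        peak = max(peak, len(conn.backend_inflight))
    return peak, conn.rejected


if __name__ == "__main__":
    print("flawed accounting   (peak in-flight, rejected):", simulate(False))
    print("corrected accounting (peak in-flight, rejected):", simulate(True))
```

With the flawed accounting every reset frees a protocol-level slot, so all 20 opens are accepted and backend work for all 20 streams piles up on one connection. With backend work counted, the limit of 4 holds and the remaining opens are refused; a real server would additionally cancel backend work on reset so the slots drain without waiting for the backend. The useful operational signal is the gap between RST_STREAM counts and backend completions per connection.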

