| Field | Value |
|---|---|
| Description | In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| lighttpd (PTS) | jessie, jessie (lts) | 1.4.35-4+deb8u1 | vulnerable |
| lighttpd | stretch (security), stretch (lts), stretch | 1.4.45-1+deb9u1 | fixed |
| lighttpd | bullseye (security), bullseye | 1.4.59-1+deb11u2 | fixed |
The information below is based on the following data on fixed versions.
[stretch] - lighttpd <not-affected> (Vulnerable code not present; the issue was introduced in later versions)