Critical vulnerability in lighttpd, DoS
From the official site
Security Announce: slow request DoS / OOM attack
February 1st, 2010
Li Ming reported a serious bug in lighttpd:
If you send the request data very slowly (e.g. sleep 0.01 after each byte), lighttpd will easily use all available memory and die (especially for parallel requests), allowing a DoS within minutes.
As far as we know all versions are affected.
If you send the request data very slowly (for example, pausing 0.01 seconds after each byte), Lighty will start to use all available memory and die (especially in the case of parallel requests), which makes a denial of service possible within minutes.
As far as the developers know, all versions of the server contain the bug.
Link to the bug in the tracker and the patch
Prerelease 1.4.26 with the fix (via eugeneorlov)
Fix for Debian (via esten)
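For spotting the traffic pattern described in the announcement while unpatched servers are still in service, here is a small detection sketch. It is an added example, not code from lighttpd or from the original post. It assumes you can collect per-read telemetry (timestamp, connection id, bytes read) from a proxy or packet capture; the event format, function names and thresholds are all hypothetical.

```python
from collections import defaultdict

def sample_events():
    """Constructed telemetry (not real lighttpd output): (seconds, conn_id, bytes_read)."""
    events = []
    # "slow": one byte every 0.01 s, the pattern named in the announcement
    for i in range(300):
        events.append((i * 0.01, "slow", 1))
    # "normal": whole request arrives in two full-size reads
    events.append((0.00, "normal", 1460))
    events.append((0.02, "normal", 540))
    # "mobile": high latency, but each read carries a sizeable segment
    for i in range(5):
        events.append((i * 0.5, "mobile", 400))
    return events

def flag_slow_requests(events, min_reads=100, max_avg_bytes=16, max_rate=1024):
    """Flag connections whose request arrives as many tiny reads at a low byte rate.

    Thresholds are assumptions to tune per site: a latent client with
    normal-sized segments must not trip them, a byte-at-a-time sender must.
    """
    stats = defaultdict(lambda: {"reads": 0, "bytes": 0, "first": None, "last": None})
    for ts, conn, nbytes in events:
        s = stats[conn]
        s["reads"] += 1
        s["bytes"] += nbytes
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)

    flagged = {}
    for conn, s in stats.items():
        duration = s["last"] - s["first"]
        avg_bytes = s["bytes"] / s["reads"]
        rate = s["bytes"] / duration if duration > 0 else float("inf")
        # All three conditions must hold, so short bursts and slow-but-chunky
        # clients are not reported.
        if s["reads"] >= min_reads and avg_bytes <= max_avg_bytes and rate <= max_rate:
            flagged[conn] = {"reads": s["reads"], "avg_bytes": avg_bytes,
                             "rate_bps": round(rate, 1)}
    return flagged

if __name__ == "__main__":
    for conn, info in flag_slow_requests(sample_events()).items():
        print(conn, info)
```

Many flagged connections at the same time matter more than any single one, since the announcement notes that parallel requests make the memory exhaustion worse.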