Hi Glenn,

On Fri, Aug 15, 2025 at 03:19:14AM -0400, Glenn Strauss wrote:
> Salvatore: lighttpd is not directly vulnerable to HTTP/2 MadeYouReset
>
> As published in https://kb.cert.org/vuls/id/767506
>
> Vendor Statement
> >
> > lighttpd is not directly vulnerable to HTTP/2 MadeYouReset. lighttpd tracks
> > request streams with connections to backends, makes a single request on
> > each backend socket connection, and closes the socket (or kill()s the CGI)
> > when the request stream is reset.
> >
>
> On Fri, Aug 15, 2025 at 06:09:43AM +0200, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for lighttpd.
> > CVE-2025-8671[0]:
>
> ***
> Please contact security at lighttpd.net prior to filing a CVE
> and prior to publishing a CVE.
> ***
>
> lighttpd 1.4.80 adds *detection* of HTTP/2 MadeYouReset so that log
> watchers such as fail2ban can be configured to block offending IPs.
Right, and these are the references mentioned in the bug report:

https://www.lighttpd.net/2025/8/13/1.4.80/
https://github.com/lighttpd/lighttpd1.4/commit/8442ca4c699566cdd7369e09690926f403b54fc9

> I see now that the lighttpd release notes could have been more explicit
> that lighttpd is not directly vulnerable to MadeYouReset, the same way
> that lighttpd was not directly vulnerable to Rapid Reset attacks.
>
> While lighttpd 1.4.80 will close connections to offending clients,
> an attacker can merely reconnect and continue the attack, so the
> disconnection is a small mitigation. At the end of the day, a DoS
> attack is a DoS attack and more effective blocks can be performed
> at the firewall or upstream, especially across a farm of independent
> lighttpd servers.
>
> Adding detection and error logging for independent lighttpd servers
> across a server farm is one of the reasons lighttpd 1.4.80 adds
> detection and logging for MadeYouReset attacks.

Thanks, this makes sense; we will update the status for the security-tracker in Debian.

That is, it is surely sensible to make the 1.4.80 update for unstable and so forky, and maybe, if feasible, add this detection back as well for trixie and bookworm (via upcoming point releases). What is your take?

Regards,
Salvatore
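Glenn's point above (a per-connection disconnect only makes the client reconnect, so the useful block is per client IP, at the firewall, and aggregated across the farm) as an added example written for this thread, not lighttpd's own code: a small Python log watcher that parses a constructed detection line, counts hits per IP over the merged logs of several servers, and emits firewall commands. The log message wording, server names, IPs and the nft set name are all assumptions, not lighttpd 1.4.80's actual error-log format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical log line shape, constructed for this example; the real
# wording lighttpd 1.4.80 writes to its error log may differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<server>\S+) h2: MadeYouReset detected from (?P<ip>[0-9a-fA-F.:]+)$"
)

# Constructed sample: one client hits three servers once each (no single
# server sees a repeat); a second client appears twice, minutes apart.
SAMPLE_LOGS = """\
2025-08-15T10:00:01 web1 h2: MadeYouReset detected from 203.0.113.7
2025-08-15T10:00:05 web2 h2: MadeYouReset detected from 203.0.113.7
2025-08-15T10:00:09 web1 GET /index.html 200
2025-08-15T10:00:20 web3 h2: MadeYouReset detected from 203.0.113.7
2025-08-15T10:00:30 web2 h2: MadeYouReset detected from 198.51.100.4
2025-08-15T10:05:00 web1 h2: MadeYouReset detected from 198.51.100.4
""".splitlines()

def parse_events(lines):
    """Yield (timestamp, server, ip) for lines matching the detection message."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["server"], m["ip"]

def per_server_counts(lines):
    """How often each server, looking only at its own log, saw each client IP."""
    return Counter((server, ip) for _, server, ip in parse_events(lines))

def ips_to_block(lines, threshold=3, window=timedelta(seconds=60)):
    """Sliding-window count per IP over the merged farm logs; {ip: ts that crossed threshold}."""
    recent = defaultdict(list)
    blocked = {}
    for ts, _server, ip in sorted(parse_events(lines)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.pop(0)
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = ts
    return blocked

def firewall_commands(blocked, set_name="h2_reset_abusers"):
    """nft commands adding each IP to a set (the set name is an assumption)."""
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in sorted(blocked)]
```

With the sample above no individual server sees 203.0.113.7 more than once, so only the merged view crosses the threshold; that is the case for central logging that Glenn describes.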

