On Fri, Aug 15, 2025 at 09:40:39PM +0200, Salvatore Bonaccorso wrote:
> Hi Glenn,
>
> On Fri, Aug 15, 2025 at 03:19:14AM -0400, Glenn Strauss wrote:
> > Salvatore: lighttpd is not directly vulnerable to HTTP/2 MadeYouReset
> >
> > As published in https://kb.cert.org/vuls/id/767506
> > > Vendor Statement
> > >
> > > lighttpd is not directly vulnerable to HTTP/2 MadeYouReset. lighttpd
> > > tracks request streams with connections to backends, makes a single
> > > request on each backend socket connection, and closes the socket (or
> > > kill()s the CGI) when the request stream is reset.
> >
> > On Fri, Aug 15, 2025 at 06:09:43AM +0200, Salvatore Bonaccorso wrote:
> > > The following vulnerability was published for lighttpd.
> > > CVE-2025-8671[0]:
> >
> > ***
> > Please contact security at lighttpd.net prior to filing a CVE
> > and prior to publishing a CVE.
> > ***
> >
> > lighttpd 1.4.80 adds *detection* of HTTP/2 MadeYouReset so that log
> > watchers such as fail2ban can be configured to block offending IPs.
>
> Right, and these are the mentioned references in the bug report:
> https://www.lighttpd.net/2025/8/13/1.4.80/
> https://github.com/lighttpd/lighttpd1.4/commit/8442ca4c699566cdd7369e09690926f403b54fc9
>
> > I see now that the lighttpd release notes could have been more explicit
> > that lighttpd is not directly vulnerable to MadeYouReset, the same way
> > that lighttpd was not directly vulnerable to Rapid Reset attacks.
> >
> > While lighttpd 1.4.80 will close connections to offending clients,
> > an attacker can merely reconnect and continue the attack, so the
> > disconnection is a small mitigation. At the end of the day, a DoS
> > attack is a DoS attack and more effective blocks can be performed
> > at the firewall or upstream, especially across a farm of independent
> > lighttpd servers.
> >
> > Adding detection and error logging for independent lighttpd servers
> > across a server farm is one of the reasons lighttpd 1.4.80 adds
> > detection and logging for MadeYouReset attacks.
>
> Thanks, this makes sense, we will update the status for the
> security-tracker in Debian.
>
> That is, it is surely sensible to make the 1.4.80 update for unstable
> and so forky and maybe if feasible add this detection back as well
> for trixie and bookworm, what is your take? (this via upcoming point
> releases).
>
> Regards,
> Salvatore
I plan to submit updated packages for lighttpd 1.4.81 in early Sept before the Trixie point release. I will be AFK for a few weeks, and do not want to rush changes if I won't be able to respond in a timely manner.

In the meantime, if Debian Developers would like to backport the lighttpd 1.4.80 MadeYouReset detection patch to lighttpd 1.4.79, please go ahead:
https://github.com/lighttpd/lighttpd1.4/commit/8442ca4c699566cdd7369e09690926f403b54fc9

Otherwise, I plan to do so in September.

Cheers, Glenn

