Bug 1226456 (CVE-2018-25103)

Summary:	VUL-0: CVE-2018-25103: lighttpd: There exists a use-after-free-vulnerability in lighttpd <= 1.4.50 that can allow access to do a case-insensitive comparison against the reused pointer.
Product:	[Novell Products] SUSE Security Incidents	Reporter:	SMASH SMASH <smash_bz>
Component:	Incidents	Assignee:	Marcus Rückert <mrueckert>
Status:	NEW ---	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	andrea.mattiazzo, mrueckert, stoyan.manolov
Version:	unspecified	Flags:	andrea.mattiazzo: needinfo? (mrueckert)
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/411128/
Whiteboard:	CVSSv3.1:SUSE:CVE-2018-25103:8.2:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description SMASH SMASH 2024-06-18 04:42:18 UTC

There exists a use-after-free-vulnerability in lighttpd <= 1.4.50 that can allow access to do a case-insensitive comparison against the reused pointer.

References:
https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/2024/AMI-SA-2024002.pdf
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-25103
https://www.cve.org/CVERecord?id=CVE-2018-25103
https://blogvdoo.wordpress.com/2018/11/06/giving-back-securing-open-source-iot-projects/#more-736
https://github.com/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9
https://www.binarly.io/blog/lighttpd-gains-new-life
https://www.runzero.com/blog/lighttpd/