On 06 Mar 15:05, mick wrote:
On Wed, 6 Mar 2013 13:09:20 +0000 Brett Parker iDunno@sommitrealweird.co.uk allegedly wrote:
lighttpd isn't my favourite, and I wouldn't run it on anything internet facing...
Why not? I have been doing so for years. Lighty has had memory leak problems (see the slow request vulnerability of a few years back for example) which could lead to DOS, but I don't recall it being particularly full of any more holes than any other internet facing server software.
I've seen a fair few holes in lighttpd, I don't actually recommend it for anything facing the general internet, but it is small...
Can you point to some examples? I may need to check my configurations.
Check out security.debian.org and the CVEs ;)
The latest one for lighttpd, though, is just TLS/SSL problems, so fine as long as you're not using https :)
But mostly, I wouldn't run it on anything internet facing because it fell over when I was using it behind a proxy to run fastcgi scripts... if it can't deal with the simple things it tends to not go at the front.
:)