
Critical vulnerability in lighttpd, DoS

From the official site



Security Announce: slow request DoS / OOM attack
February 1st, 2010

Li Ming reported a serious bug in lighttpd:
If you’ve sent a request for data, it’s possible to use it at all times.

As far as we know all versions are affected.

Translation



If the request data is sent very slowly (for example, pausing 0.01 seconds after each byte), lighttpd will begin to use all available memory and crash (especially in the case of parallel requests); this allows a denial of service to be organized within a few minutes.

As far as the developers know, all server versions contain the bug.
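The memory growth described above can be seen in a small model. This is an added example, not lighttpd's code and not the patch. It assumes a server that allocates a fresh fixed-size buffer for every read; the names `cq_append`, `memory_for_request` and the `CHUNK_SIZE` value are hypothetical. The same request is stored once with a buffer per read and once with the tail buffer reused.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size per read; a constructed value, not taken from lighttpd. */
#define CHUNK_SIZE 4096

typedef struct chunk { struct chunk *next; size_t used; char data[CHUNK_SIZE]; } chunk;
typedef struct { chunk *first, *last; size_t allocated; } chunkqueue;

/* Store the n bytes returned by one read() call.
 * reuse_tail = 0: model of the flaw, every read gets a fresh chunk.
 * reuse_tail = 1: hardened model, spare room in the last chunk is filled first. */
static int cq_append(chunkqueue *cq, const char *buf, size_t n, int reuse_tail) {
    while (n > 0) {
        chunk *c = cq->last;
        if (!reuse_tail || c == NULL || c->used == CHUNK_SIZE) {
            c = calloc(1, sizeof(*c));
            if (c == NULL) return -1;
            if (cq->last) cq->last->next = c; else cq->first = c;
            cq->last = c;
            cq->allocated += sizeof(*c);
        }
        size_t room = CHUNK_SIZE - c->used;
        size_t take = n < room ? n : room;
        memcpy(c->data + c->used, buf, take);
        c->used += take; buf += take; n -= take;
    }
    return 0;
}

/* Heap bytes held once a request of `total` bytes has arrived `per_read` bytes at a time. */
size_t memory_for_request(size_t total, size_t per_read, int reuse_tail) {
    chunkqueue cq = {0};
    static const char buf[CHUNK_SIZE];   /* constructed request bytes (zeros) */
    if (per_read == 0 || per_read > CHUNK_SIZE) per_read = CHUNK_SIZE;
    for (size_t got = 0; got < total; ) {
        size_t n = total - got < per_read ? total - got : per_read;
        if (cq_append(&cq, buf, n, reuse_tail) != 0) break;
        got += n;
    }
    size_t held = cq.allocated;
    for (chunk *c = cq.first, *next; c != NULL; c = next) { next = c->next; free(c); }
    return held;
}

int main(void) {
    printf("buffer per read: %zu bytes held\n", memory_for_request(1024, 1, 0));
    printf("tail reused:     %zu bytes held\n", memory_for_request(1024, 1, 1));
    return 0;
}
```

In this model a 1 KiB request delivered one byte per read holds 1024 buffers instead of one, and the cost multiplies with each parallel connection.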

Link to the bug in the tracker and the patch
Prerelease 1.4.26 with the fix (via eugeneorlov)
Debian fix (via esten)

Be careful!

Source: https://habr.com/ru/post/83149/

