[<prev] [next>] [thread-next>] [month] [year] [list]
Date: Tue, 30 Sep 2008 16:55:06 +0200
From: Christian Hoffmann <hoffie@...too.org>
To: coley@...re.org
CC: vendor-sec@....de, darix@...nsu.se, stbuehler@....de,
oss-security@...ts.openwall.com
Subject: Re: CVE request: lighttpd issues
On 2008-09-24 18:15, Christian Hoffmann wrote:
> multiple security-related issues are going to be fixed in the
> soon-to-be-released version 1.4.20 of lighttpd, which all seem CVE-worthy.
1.4.20 has been released meanwhile. The issues along with their
advisories are public now, CC'ing oss-sec as such.
We still need CVEs for these three issues.
> * Unexpected behavior of url.redirect / url.rewrite config options
>
> While this is not a security issue in lighttpd, the user might
> rely on the fact, that those options are suppoosed to be matched
> against the urldecoded version of the URL. Depending on the
> configuration, this would allow for unwanted access to certain
> resources (information disclosure or even manipulation of data)
> References: [1] [2]
>
> * Information disclosure w/ mod_userdir on case-insensitive file
> systems
> References: [3] [4]
>
> * User-controllable memory leak, possibly leading to a Denial of
> Service
> References: [5] [6]
(There has been another request for a CVE for this entry on oss-sec)
> [1] http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
> [2]
> http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
> [3] http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt
> [4] http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch
> [5] http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
> [6]
> http://www.lighttpd.net/security/lighttpd-1.4.x_request_header_memleak.patch
--
Christian Hoffmann
[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux