Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 Sep 2008 16:55:06 +0200
From: Christian Hoffmann <hoffie@...too.org>
To: coley@...re.org
CC: vendor-sec@....de, darix@...nsu.se, stbuehler@....de, 
 oss-security@...ts.openwall.com
Subject: Re: CVE request: lighttpd issues

On 2008-09-24 18:15, Christian Hoffmann wrote:
> multiple security-related issues are going to be fixed in the
> soon-to-be-released version 1.4.20 of lighttpd, which all seem CVE-worthy.
1.4.20 has been released meanwhile. The issues along with their
advisories are public now, CC'ing oss-sec as such.
We still need CVEs for these three issues.


>   * Unexpected behavior of url.redirect / url.rewrite config options
> 
>     While this is not a security issue in lighttpd, the user might
>     rely on the fact, that those options are suppoosed to be matched
>     against the urldecoded version of the URL. Depending on the
>     configuration, this would allow for unwanted access to certain
>     resources (information disclosure or even manipulation of data)
>     References: [1] [2]
>
>   * Information disclosure w/ mod_userdir on case-insensitive file
>     systems
>     References: [3] [4]
>
>   * User-controllable memory leak, possibly leading to a Denial of
>     Service
>     References: [5] [6]
(There has been another request for a CVE for this entry on oss-sec)


> [1] http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
> [2]
> http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
> [3] http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt
> [4] http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch
> [5] http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
> [6]
> http://www.lighttpd.net/security/lighttpd-1.4.x_request_header_memleak.patch


-- 
Christian Hoffmann


Download attachment "signature.asc" of type "application/pgp-signature" (261 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.