Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 Sep 2008 17:03:09 +0200
From: Christian Hoffmann <hoffie@...too.org>
To: coley@...re.org
CC: vendor-sec@....de, darix@...nsu.se, stbuehler@....de, 
 oss-security@...ts.openwall.com
Subject: Re: CVE request: lighttpd issues

Sorry for the spam, I fail..

On 2008-09-30 16:55, Christian Hoffmann wrote:
> We still need CVEs for these three issues.
Wrong, only two are remaining, see below.

>>   * Unexpected behavior of url.redirect / url.rewrite config options
>>
>>     While this is not a security issue in lighttpd, the user might
>>     rely on the fact, that those options are suppoosed to be matched
>>     against the urldecoded version of the URL. Depending on the
>>     configuration, this would allow for unwanted access to certain
>>     resources (information disclosure or even manipulation of data)
This one.

>>
>>   * Information disclosure w/ mod_userdir on case-insensitive file
>>     systems
And this one.

>>
>>   * User-controllable memory leak, possibly leading to a Denial of
>>     Service
This has been assigned CVE-2008-4298 already.


-- 
Christian Hoffmann


Download attachment "signature.asc" of type "application/pgp-signature" (261 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ