Date: Tue, 30 Sep 2008 17:03:09 +0200
From: Christian Hoffmann <hoffie@...too.org>
To: coley@...re.org
CC: vendor-sec@....de, darix@...nsu.se, stbuehler@....de, oss-security@...ts.openwall.com
Subject: Re: CVE request: lighttpd issues

Sorry for the spam, I fail..

On 2008-09-30 16:55, Christian Hoffmann wrote:
> We still need CVEs for these three issues.
Wrong, only two are remaining, see below.

>> * Unexpected behavior of url.redirect / url.rewrite config options
>>
>>   While this is not a security issue in lighttpd, the user might
>>   rely on the fact, that those options are supposed to be matched
>>   against the urldecoded version of the URL. Depending on the
>>   configuration, this would allow for unwanted access to certain
>>   resources (information disclosure or even manipulation of data)
This one.

>>
>> * Information disclosure w/ mod_userdir on case-insensitive file
>>   systems
And this one.

>>
>> * User-controllable memory leak, possibly leading to a Denial of
>>   Service
This has been assigned CVE-2008-4298 already.

-- 
Christian Hoffmann