Re: CVE request: lighttpd issues

[Christian Hoffmann <hoffie () gentoo org>]

On 2008-09-24 18:15, Christian Hoffmann wrote:
> multiple security-related issues are going to be fixed in the
> soon-to-be-released version 1.4.20 of lighttpd, which all seem CVE-worthy.
1.4.20 has been released meanwhile. The issues along with their
advisories are public now, CC'ing oss-sec as such.
We still need CVEs for these three issues.


>   * Unexpected behavior of url.redirect / url.rewrite config options
>
>     While this is not a security issue in lighttpd, the user might
>     rely on the fact, that those options are suppoosed to be matched
>     against the urldecoded version of the URL. Depending on the
>     configuration, this would allow for unwanted access to certain
>     resources (information disclosure or even manipulation of data)
>     References: [1] [2]
>
>   * Information disclosure w/ mod_userdir on case-insensitive file
>     systems
>     References: [3] [4]
>
>   * User-controllable memory leak, possibly leading to a Denial of
>     Service
>     References: [5] [6]
(There has been another request for a CVE for this entry on oss-sec)


> [1] http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
> [2]
> http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
> [3] http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt
> [4] http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch
> [5] http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
> [6]
> http://www.lighttpd.net/security/lighttpd-1.4.x_request_header_memleak.patch


-- 
Christian Hoffmann

Attachment: signature.asc
Description: OpenPGP digital signature