oss-sec mailing list archives
Re: CVE request: lighttpd issues
From: Christian Hoffmann <hoffie () gentoo org>
Date: Tue, 30 Sep 2008 16:55:06 +0200
On 2008-09-24 18:15, Christian Hoffmann wrote:
multiple security-related issues are going to be fixed in the soon-to-be-released version 1.4.20 of lighttpd, which all seem CVE-worthy.
1.4.20 has been released meanwhile. The issues along with their advisories are public now, CC'ing oss-sec as such. We still need CVEs for these three issues.
* Unexpected behavior of url.redirect / url.rewrite config options
  While this is not a security issue in lighttpd, the user might rely on the fact that those options are supposed to be matched against the urldecoded version of the URL. Depending on the configuration, this would allow for unwanted access to certain resources (information disclosure or even manipulation of data)
  References: [1] [2]
* Information disclosure w/ mod_userdir on case-insensitive file systems
  References: [3] [4]
* User-controllable memory leak, possibly leading to a Denial of Service
  References: [5] [6]
(There has been another request for a CVE for this entry on oss-sec)
[1] http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
[2] http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
[3] http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt
[4] http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch
[5] http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
[6] http://www.lighttpd.net/security/lighttpd-1.4.x_request_header_memleak.patch
-- Christian Hoffmann
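
The url.redirect / url.rewrite item in the message above turns on whether rule patterns are matched against the raw or the urldecoded request path. As an added illustration (not part of the original mail and not lighttpd's code), this Python check runs a rule set against both forms and flags requests where the outcome differs; the rules, sample URIs and function names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed rule set in the style of url.rewrite / url.redirect
# (regex -> target); these are not rules taken from the advisory.
RULES = [
    (r"^/admin(/|$)", "/denied.html"),
    (r"^/private/", "/login.html"),
]

def first_match(path, rules):
    """Return the target of the first rule whose regex matches path, else None."""
    for pattern, target in rules:
        if re.search(pattern, path):
            return target
    return None

def split_path(request_uri):
    """Separate the path from the query string; only the path is decoded here."""
    path, _, _query = request_uri.partition("?")
    return path

def audit(request_uri, rules=RULES):
    """Compare rule matching on the raw path and on the percent-decoded path."""
    raw = split_path(request_uri)
    decoded = unquote(raw)  # one decoding pass only
    raw_hit = first_match(raw, rules)
    decoded_hit = first_match(decoded, rules)
    return {
        "raw_path": raw,
        "decoded_path": decoded,
        "raw_match": raw_hit,
        "decoded_match": decoded_hit,
        "diverges": raw_hit != decoded_hit,
    }

# Constructed request URIs used to exercise the rule set.
SAMPLES = ["/admin/users", "/%61dmin/users", "/priv%61te/notes", "/public/a%20b?x=1"]

if __name__ == "__main__":
    for uri in SAMPLES:
        r = audit(uri)
        flag = "DIVERGES" if r["diverges"] else "ok"
        print(f"{flag:8} {uri!r}: raw={r['raw_match']} decoded={r['decoded_match']}")
```

A request flagged as diverging is one where a rule written with the decoded URL in mind is not applied when matching happens on the raw form.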