oss-sec mailing list archives
Re: CVE request: lighttpd issues
From: Christian Hoffmann <hoffie () gentoo org>
Date: Tue, 30 Sep 2008 17:03:09 +0200
Sorry for the spam, I fail..

On 2008-09-30 16:55, Christian Hoffmann wrote:
> We still need CVEs for these three issues.

Wrong, only two are remaining, see below.

> * Unexpected behavior of url.redirect / url.rewrite config options
>   While this is not a security issue in lighttpd, the user might rely on the fact that those options are supposed to be matched against the urldecoded version of the URL. Depending on the configuration, this would allow for unwanted access to certain resources (information disclosure or even manipulation of data)

This one.

> * Information disclosure w/ mod_userdir on case-insensitive file systems

And this one.

> * User-controllable memory leak, possibly leading to a Denial of Service

This has been assigned CVE-2008-4298 already.

--
Christian Hoffmann