Re: CVE request: lighttpd issues

[Christian Hoffmann <hoffie () gentoo org>]

Sorry for the spam, I fail..

On 2008-09-30 16:55, Christian Hoffmann wrote:
> We still need CVEs for these three issues.
Wrong, only two are remaining, see below.

> >   * Unexpected behavior of url.redirect / url.rewrite config options
> >
> >     While this is not a security issue in lighttpd, the user might
> >     rely on the fact, that those options are suppoosed to be matched
> >     against the urldecoded version of the URL. Depending on the
> >     configuration, this would allow for unwanted access to certain
> >     resources (information disclosure or even manipulation of data)
This one.

> >   * Information disclosure w/ mod_userdir on case-insensitive file
> >     systems
And this one.

> >   * User-controllable memory leak, possibly leading to a Denial of
> >     Service
This has been assigned CVE-2008-4298 already.


-- 
Christian Hoffmann

Attachment: signature.asc
Description: OpenPGP digital signature