oss-sec mailing list archives

Re: CVE request: sthttpd remote heap buffer overflow


From: Andrej Nemec <anemec () redhat com>
Date: Fri, 16 Jun 2017 08:29:38 +0200

Hello Alexandre,

Unfortunately, CVE assignments are not done through this list anymore.
You need to visit [1] and request the CVE by filling out the form. Could
you please look at it and let the list know about the assigned CVE?

Thanks!

[1] https://cveform.mitre.org/

Best Regards,

-- 
Andrej Nemec, Red Hat Product Security
3701 3214 E472 A9C3 EFBE 8A63 8904 44A1 D57B 6DDA


On 06/15/2017 11:33 PM, Alexandre Rebert wrote:
Hello,

sthttpd [1], is a fork of thttpd, a small, fast, multiplexing webserver.
Our fuzzing tools recently found a heap buffer overflow in the request
parsing code that can be triggered remotely. The patch was recently fixed
[2], and the bug was introduced in [3].  It seems that it's also affecting
thttpd 2.25b present in OpenSUSE [4].

Let us know if you need more information.

Thanks
Alex from ForAllSecure

[1] https://github.com/blueness/sthttpd
[2] https://github.com/blueness/sthttpd/commit/c0dc63a49d8605649f1d8e4a96c9b468b0bff660
[3] https://github.com/blueness/sthttpd/commit/aa3f36c0bf2aef1ffb17f5188ccf5e8afc13d3dc
[4] https://build.opensuse.org/package/view_file/server:http/thttpd/thttpd-2.25b-strcpy.patch?expand=1




