Date: Thu, 15 Jun 2017 17:33:48 -0400
From: Alexandre Rebert <alex@...allsecure.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: sthttpd remote heap buffer overflow

Hello,

sthttpd [1] is a fork of thttpd, a small, fast, multiplexing webserver. Our fuzzing tools recently found a heap buffer overflow in the request parsing code that can be triggered remotely. The patch was recently fixed [2], and the bug was introduced in [3]. It seems that it's also affecting thttpd 2.25b present in OpenSUSE [4].

Let us know if you need more information.

Thanks
Alex from ForAllSecure

[1] https://github.com/blueness/sthttpd
[2] https://github.com/blueness/sthttpd/commit/c0dc63a49d8605649f1d8e4a96c9b468b0bff660
[3] https://github.com/blueness/sthttpd/commit/aa3f36c0bf2aef1ffb17f5188ccf5e8afc13d3dc
[4] https://build.opensuse.org/package/view_file/server:http/thttpd/thttpd-2.25b-strcpy.patch?expand=1