Date: Fri, 16 Jun 2017 08:29:38 +0200
From: Andrej Nemec <anemec@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: sthttpd remote heap buffer overflow

Hello Alexandre,

Unfortunately, CVE assignments are not done through this list anymore.
You need to visit [1] and request the CVE by filling out the form. Could
you please look at it and let the list know about the assigned CVE?

Thanks!

[1] https://cveform.mitre.org/

Best Regards,

-- 
Andrej Nemec, Red Hat Product Security
3701 3214 E472 A9C3 EFBE 8A63 8904 44A1 D57B 6DDA


On 06/15/2017 11:33 PM, Alexandre Rebert wrote:
> Hello,
>
> sthttpd [1] is a fork of thttpd, a small, fast, multiplexing webserver.
> Our fuzzing tools recently found a heap buffer overflow in the request
> parsing code that can be triggered remotely. The patch was recently fixed
> [2], and the bug was introduced in [3].  It seems that it's also affecting
> thttpd 2.25b present in OpenSUSE [4].
>
> Let us know if you need more information.
>
> Thanks
> Alex from ForAllSecure
>
> [1] https://github.com/blueness/sthttpd
> [2] https://github.com/blueness/sthttpd/commit/c0dc63a49d8605649f1d8e4a96c9b468b0bff660
> [3] https://github.com/blueness/sthttpd/commit/aa3f36c0bf2aef1ffb17f5188ccf5e8afc13d3dc
> [4] https://build.opensuse.org/package/view_file/server:http/thttpd/thttpd-2.25b-strcpy.patch?expand=1
>
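As an added illustration of the bug class named in the report above, and not sthttpd's or thttpd's code nor a reproduction of the reported bug (whose mechanism the thread does not describe beyond "heap buffer overflow in the request parsing code" and the name of the OpenSUSE strcpy patch): a hypothetical request-line parser that copies the method token into a fixed-size heap buffer, first with an unbounded strcpy(), then with the length check that a bounded copy must perform. METHOD_MAX, the function names and the sample request lines are assumptions made for this example.

```c
/* Added example: heap overflow from an unbounded copy while parsing an
 * HTTP request line, beside a bounded version.  Hypothetical code, not
 * taken from sthttpd/thttpd. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define METHOD_MAX 8   /* assumed fixed size of the heap buffer for the method */

/* Vulnerable shape: the method token is attacker-controlled, but strcpy()
 * writes strlen(method)+1 bytes regardless of the buffer's size, so a
 * method longer than METHOD_MAX-1 bytes overruns the heap allocation. */
char *copy_method_unchecked(const char *method)
{
    char *buf = malloc(METHOD_MAX);
    if (!buf)
        return NULL;
    strcpy(buf, method);          /* no bound: heap buffer overflow on long input */
    return buf;
}

/* Reports whether a given method token would overrun a METHOD_MAX buffer
 * in the unchecked version (used so the demo never performs the overflow). */
int would_overflow(const char *method)
{
    return strlen(method) + 1 > METHOD_MAX;
}

/* Fixed shape: measure the token first and reject anything that does not
 * fit, leaving room for the terminating NUL.  Returns a newly allocated
 * copy of the method, or NULL for an empty or over-long token. */
char *copy_method_checked(const char *reqline)
{
    size_t n = strcspn(reqline, " ");   /* length of the method token */
    if (n == 0 || n >= METHOD_MAX)
        return NULL;                    /* would not fit: refuse the request */
    char *buf = malloc(METHOD_MAX);
    if (!buf)
        return NULL;
    memcpy(buf, reqline, n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed sample request lines, not captured traffic. */
    const char *ok_req  = "GET /index.html HTTP/1.0";
    const char *bad_req = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /index.html HTTP/1.0";

    char *m = copy_method_checked(ok_req);
    printf("checked, normal request: method=%s\n", m ? m : "(rejected)");
    free(m);

    m = copy_method_checked(bad_req);
    printf("checked, over-long method: %s\n", m ? m : "(rejected)");
    free(m);

    /* The unchecked copy is only exercised on input that fits; calling it
     * with the long token would be the heap overflow itself. */
    char longtok[64];
    strcpy(longtok, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    printf("unchecked copy of a %zu-byte method would overflow: %s\n",
           strlen(longtok), would_overflow(longtok) ? "yes" : "no");
    return 0;
}
```

The point of the checked version is that the length decision is made before any write: strcspn() bounds the token, and the NUL terminator is counted in the comparison, so a 7-byte method fits a METHOD_MAX of 8 but an 8-byte one is refused rather than silently truncated or overflowed.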



