Date: Tue, 30 Sep 2008 17:03:09 +0200 From: Christian Hoffmann <hoffie@...too.org> To: coley@...re.org CC: vendor-sec@....de, darix@...nsu.se, stbuehler@....de, oss-security@...ts.openwall.com Subject: Re: CVE request: lighttpd issues Sorry for the spam, I fail.. On 2008-09-30 16:55, Christian Hoffmann wrote: > We still need CVEs for these three issues. Wrong, only two are remaining, see below. >> * Unexpected behavior of url.redirect / url.rewrite config options >> >> While this is not a security issue in lighttpd, the user might >> rely on the fact, that those options are suppoosed to be matched >> against the urldecoded version of the URL. Depending on the >> configuration, this would allow for unwanted access to certain >> resources (information disclosure or even manipulation of data) This one. >> >> * Information disclosure w/ mod_userdir on case-insensitive file >> systems And this one. >> >> * User-controllable memory leak, possibly leading to a Denial of >> Service This has been assigned CVE-2008-4298 already. -- Christian Hoffmann Download attachment "signature.asc" of type "application/pgp-signature" (261 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.