<br><br>---------- Forwarded message ----------<br>From: Anssi Johansson<br>Date: Saturday, August 24, 2013<br>Subject: EPEL Lighttpd vulnerability still unfixed after 9 months<br>To: <a href="mailto:epel-devel@lists.fedoraproject.org">epel-devel@lists.fedoraproject.org</a><br>
<br><br>Hi, may I please direct some provenpackager's attention to <a href="https://bugzilla.redhat.com/show_bug.cgi?id=878915">https://bugzilla.redhat.com/show_bug.cgi?id=878915</a> -- lighttpd: Denial of Service via malformed Connection headers (CVE-2012-5533)<br>
<br>The bug was filed in November 2012, or approximately nine months ago. EPEL still ships a vulnerable version 1.4.31 for both EL5 and EL6. I think it'd be high time to release a fixed version, especially as exploiting the vulnerability is rather trivial:<br>
<br>echo -ne "GET / HTTP/1.1\r\nHost: <a href="http://victim.com">victim.com</a>\r\nConnection: TE,,Keep-Alive\r\n\r\n" | nc <a href="http://victim.com">victim.com</a> 80<br><br>Everything that's needed is included in the bug report (as far as I can tell). It'd only need someone to package the new version and push it through EPEL's buildsystem.<br>
_______________________________________________<br>epel-devel mailing list<br><a href="mailto:epel-devel@lists.fedoraproject.org">epel-devel@lists.fedoraproject.org</a><br><a href="https://admin.fedoraproject.org/mailman/listinfo/epel-devel">https://admin.fedoraproject.org/mailman/listinfo/epel-devel</a><br>
<br><br><br>-- <br><div dir="ltr"><div style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></div><br><i>Yours sincerely,</i><br><i><b>Christopher Meng</b></i><div><span style="font-style:italic"><span style="font-style:normal"><br>
</span></span></div><div><span style="font-style:italic"><span style="font-style:normal">Always playing in Fedora Project</span></span></div><div><span style="font-style:italic"><span style="font-style:normal"><br></span></span><a href="http://cicku.me" target="_blank">http://cicku.me</a><br>
</div></div><br>