EPEL Lighttpd vulnerability still unfixed after 9 months
Jon Ciesla
limburgher at gmail.com
Mon Aug 26 13:09:24 UTC 2013
On Sat, Aug 24, 2013 at 7:41 AM, Anssi Johansson <epel at miuku.net> wrote:
> Hi, may I please direct some provenpackager's attention to
> https://bugzilla.redhat.com/**show_bug.cgi?id=878915<https://bugzilla.redhat.com/show_bug.cgi?id=878915>-- lighttpd: Denial of Service via malformed Connection headers
> (CVE-2012-5533)
>
> The bug was filed in November 2012, or approximately nine months ago. EPEL
> still ships a vulnerable version 1.4.31 for both EL5 and EL6. I think it'd
> be high time to release a fixed version, especially as exploiting the
> vulnerability is rather trivial:
>
> echo -ne "GET / HTTP/1.1\r\nHost: victim.com\r\nConnection:
> TE,,Keep-Alive\r\n\r\n" | nc victim.com 80
>
> Everything that's needed is included in the bug report (as far as I can
> tell). It'd only need someone to package the new version and push it
> through EPEL's buildsystem.
>
I have started work on this and will get it out ASAP.
-J
> ______________________________**_________________
> epel-devel mailing list
> epel-devel at lists.**fedoraproject.org <epel-devel at lists.fedoraproject.org>
> https://admin.fedoraproject.**org/mailman/listinfo/epel-**devel<https://admin.fedoraproject.org/mailman/listinfo/epel-devel>
>
--
http://cecinestpasunefromage.wordpress.com/
------------------------------------------------
in your fear, seek only peace
in your fear, seek only love
-d. bowie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/epel-devel/attachments/20130826/6aaf0f0c/attachment.html>
More information about the epel-devel
mailing list