Fwd: EPEL Lighttpd vulnerability still unfixed after 9 months
Christopher Meng
cickumqt at gmail.com
Sat Aug 24 13:26:39 UTC 2013
---------- Forwarded message ----------
From: Anssi Johansson
Date: Saturday, August 24, 2013
Subject: EPEL Lighttpd vulnerability still unfixed after 9 months
To: epel-devel at lists.fedoraproject.org
Hi, may I please direct some provenpackager's attention to
https://bugzilla.redhat.com/show_bug.cgi?id=878915 -- lighttpd: Denial of
Service via malformed Connection headers (CVE-2012-5533)
The bug was filed in November 2012, or approximately nine months ago. EPEL
still ships a vulnerable version 1.4.31 for both EL5 and EL6. I think it'd
be high time to release a fixed version, especially as exploiting the
vulnerability is rather trivial:
echo -ne "GET / HTTP/1.1\r\nHost: victim.com\r\nConnection:
TE,,Keep-Alive\r\n\r\n" | nc victim.com 80
Everything that's needed is included in the bug report (as far as I can
tell). It'd only need someone to package the new version and push it
through EPEL's buildsystem.
_______________________________________________
epel-devel mailing list
epel-devel at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/epel-devel
--
*Yours sincerely,*
*Christopher Meng*
Always playing in Fedora Project
http://cicku.me
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20130824/cd7281a8/attachment.html>
More information about the devel
mailing list