[Bug 191095] multiple vulnerabilities in thttpd's htpasswd utility

bugzilla at redhat.com
Mon Jul 3 17:11:36 UTC 2006


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: multiple vulnerabilities in thttpd's htpasswd utility


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191095
------- Additional Comments From matthias at rpmforge.net  2006-07-03 13:03 EST -------
I've just had another look at these htpasswd.c files, and the one from apache
2.x would add a requirement on apr, and the one from apache 1.3.x would add a
build requirement on apache-devel and possibly a runtime requirement on apache
too! Not to mention the license, which might change the entire package's license
since thttpd is BSD licensed, whereas Apache has its own (would have to look
into the details, though).

I really don't know if/when we can expect a new version of thttpd, and the
developer has apparently already acknowledged the issue and possibly worked on it.

My current choice would be between:
- Not doing anything, since by default no one should be affected... but if
someone runs htpasswd from their web server, they might be.
- Removing the htpasswd utility from the thttpd package for now, and letting
people who need to generate htpasswds use an online version of the binary from
an apache httpd installation.

Any preference?

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.