Your message dated Mon, 26 Jul 2010 16:02:18 +0000
with message-id <e1odq8a-0007ie...@franck.debian.org>
and subject line Bug#590298: fixed in bozohttpd 20100621-1
has caused the Debian Bug report #590298,
regarding bozohttpd: CVE-2010-2320,CVE-2010-2195 multiple security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
590298: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590298
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bozohttpd
Version: 20090522-2
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for bozohttpd.

From the original reporter:
| "Bozohttpd is started from inetd with a configuration line
| in /etc/inetd.conf like this:
| www      stream tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/bozohttpd /var/www -X -H -S foobar -c /usr/lib/cgi-bin -U www-data -u
| 
| There is a ~user1/public_html and there are other users on the system
| but without a public_html
| 
| 1) Go to "http://localhost/~user1/"
|     I get the index.html from user1/public_html as expected
| 2) Go to "http://localhost/~user2/" (who doesn't have a public_html dir)
|    I get a
| "403 Forbidden /~user2/: Access to this item has been denied", as expected
| 
| 3) Go to "http://localhost/~user2/" again (reload the page)
|   I don't get the error above, but just the directory index of ~user2
| (/home/user2).
| 
| If I reload the page I get the results of 2) and 3) swapping around. 3)
| shouldn't happen, as there is no public_html there. And anyone can:
| a) Probe for user names in the system (dir is there or not)
| b) Look at least at the names of the files of some user.

The latest upstream version fixes both problems.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2195
    http://security-tracker.debian.org/tracker/CVE-2010-2195
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2320
    http://security-tracker.debian.org/tracker/CVE-2010-2320

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpVccuaQxJ6e.pgp
Description: PGP signature


--- End Message ---
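The behaviour described in the report above (the same /~user/ URL answering 403 on one request and a bare home-directory listing on the next) is easy to confirm from the outside: request the URL several times and check whether the responses fall into more than one class. The script below is an added example and is not part of the bug report, of bozohttpd, or of the Debian package; the host name and user list are command-line arguments, the "Index of" title used to recognise a generated directory index is an assumption about the server's output, and the sample responses at the bottom are constructed to mirror the report.

```python
"""Probe a web server for inconsistent /~user/ handling.

Added example (not bozohttpd's code or the reporter's). Assumptions:
 - a generated directory index carries "<title>Index of ..." (assumed marker)
 - the 403 body text is the one quoted in the bug report
"""
import re
import sys
import urllib.error
import urllib.request
from collections import Counter

# Assumed marker for a server-generated directory listing.
INDEX_RE = re.compile(r"<title>\s*Index of ", re.IGNORECASE)


def classify(status, body):
    """Map one HTTP response to a coarse label used for comparison."""
    if status == 403:
        return "forbidden"
    if status == 404:
        return "missing"
    if status == 200 and INDEX_RE.search(body):
        return "dirindex"
    if status == 200:
        return "page"
    return f"other-{status}"


def analyse(responses):
    """Given (status, body) pairs from repeated requests to one /~user/ URL,
    return (verdict, counts). The verdict is "inconsistent" when the same URL
    produced more than one label, which is what the report describes:
    a 403 alternating with a listing of the user's home directory."""
    counts = Counter(classify(s, b) for s, b in responses)
    if not counts:
        return "no-data", counts
    if len(counts) > 1:
        return "inconsistent", counts
    (label,) = counts
    return label, counts


def fetch(url, timeout=5):
    """One GET request; returns (status, body) including error responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "tilde-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base, users, repeats=6):
    """Repeat the request per user so an alternating server is caught.
    A stable 'forbidden' or 'missing' for every probed name means the
    server gives away nothing; 'dirindex' or 'inconsistent' for some
    names is the user-enumeration / file-listing leak from the report."""
    return {u: analyse([fetch(f"{base}/~{u}/") for _ in range(repeats)])
            for u in users}


# Constructed sample: what the reporter saw for user2 across reloads.
SAMPLE_USER2 = [
    (403, "403 Forbidden /~user2/: Access to this item has been denied"),
    (200, "<html><head><title>Index of /~user2/</title></head><body>..."),
    (403, "403 Forbidden /~user2/: Access to this item has been denied"),
    (200, "<html><head><title>Index of /~user2/</title></head><body>..."),
]

if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # usage: python tilde_check.py http://localhost user1 user2 ...
        for user, (verdict, counts) in probe(sys.argv[1], sys.argv[2:]).items():
            print(f"~{user}: {verdict} {dict(counts)}")
    else:
        print("sample:", analyse(SAMPLE_USER2))
```

Run it against a test instance with a name that has a public_html and one that does not; on a fixed server both should return the same label on every repeat.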
--- Begin Message ---
Source: bozohttpd
Source-Version: 20100621-1

We believe that the bug you reported is fixed in the latest version of
bozohttpd, which is due to be installed in the Debian FTP archive:

bozohttpd_20100621-1.diff.gz
  to main/b/bozohttpd/bozohttpd_20100621-1.diff.gz
bozohttpd_20100621-1.dsc
  to main/b/bozohttpd/bozohttpd_20100621-1.dsc
bozohttpd_20100621-1_i386.deb
  to main/b/bozohttpd/bozohttpd_20100621-1_i386.deb
bozohttpd_20100621.orig.tar.gz
  to main/b/bozohttpd/bozohttpd_20100621.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 590...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattias Nordstrom <mnord...@debian.org> (supplier of updated bozohttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 26 Jul 2010 18:17:35 +0300
Source: bozohttpd
Binary: bozohttpd
Architecture: source i386
Version: 20100621-1
Distribution: unstable
Urgency: low
Maintainer: Mattias Nordstrom <mnord...@debian.org>
Changed-By: Mattias Nordstrom <mnord...@debian.org>
Description: 
 bozohttpd  - Bozotic HTTP server
Closes: 590298
Changes: 
 bozohttpd (20100621-1) unstable; urgency=low
 .
   * New upstream release, fixes CVE-2010-2320 , CVE-2010-2195 (closes: #590298)
   * Updated to Debian Policy v3.9.1.0. No changes needed.
Checksums-Sha1: 
 64ab8e74576b8c8dc1f33b98291594783ed2a2c4 1011 bozohttpd_20100621-1.dsc
 06b892e703fe26b6fc7ee0941d15d555a9d2efcb 56759 bozohttpd_20100621.orig.tar.gz
 62c0e6cf8eba31fe579c8835efdcbd1bc7ee6edd 4383 bozohttpd_20100621-1.diff.gz
 1418f2cd533379b4fe258634239842ca5a6a6d74 39634 bozohttpd_20100621-1_i386.deb
Checksums-Sha256: 
 41eff5c4c500d02d6ea750b9dc6492010155a76c4629987fc108c434b779c328 1011 bozohttpd_20100621-1.dsc
 fd65e7c5da2cbc1f5d1ac8ccb6c4d27f0b6c520270f19c527c223dc5f46b39e8 56759 bozohttpd_20100621.orig.tar.gz
 aee11d2ec71dc0d908c57dbe6b51c320d6056abf9483d14fee46d2ac65d523c4 4383 bozohttpd_20100621-1.diff.gz
 03c9a7f8c55fb37208c6bbb1bd111c8e35c3ae2bcce057622aa3f94f3aab3542 39634 bozohttpd_20100621-1_i386.deb
Files: 
 17c1b0a3de0db75d0e810b895af13ac9 1011 httpd extra bozohttpd_20100621-1.dsc
 58cf3245c1a8564aec5e07d6b5b7fa3e 56759 httpd extra bozohttpd_20100621.orig.tar.gz
 57370afef2db1790972c0e5ba2d2344e 4383 httpd extra bozohttpd_20100621-1.diff.gz
 ba259c7341c85775ba41c0b5d6b5f16f 39634 httpd extra bozohttpd_20100621-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkxNrvQACgkQwKTxHeBrP5fS0QCdF/5BEcZuDz9s2ExvrgDDBEVS
HaMAniQmkwfjrJrDTAltI92IuaPmCer/
=Xts0
-----END PGP SIGNATURE-----



--- End Message ---