150748 2006-10-10 07:41 0000 www-servers/shttpd - buffer overflow and rce (CVE-2006-5216) 2006-10-30 03:12:54 0000 1 1 1 Unclassified Gentoo Security Auditing unspecified All Linux RESOLVED FIXED http://www.milw0rm.com/exploits/2482 ~1 [noglsa] P2 normal --- 1 carlo@gentoo.org security@gentoo.org www-servers@gentoo.org carlo@gentoo.org 2006-10-10 07:41:07 0000 The POC carlo@gentoo.org 2006-10-10 07:41:07 0000 The POCĀ¹ is against 1.34 tested on WinXP. We have only version ~ 1.25 in the tree. I don't know, if it is affected, too. Either replacing it with 1.35 or inviting treecleaners, if no one really cares for the package should suffice. [1] http://www.milw0rm.com/exploits/2482 vorlon@gentoo.org 2006-10-11 06:44:52 0000 www-servers, any interest in keeping this? if so, pls verify/bump vorlon@gentoo.org 2006-10-19 06:09:13 0000 www-servers, pls comment bangert@gentoo.org 2006-10-22 08:54:16 0000 i've put minimal (ie. cp) effort into creating a bump ebuild, but failed... IMHO this can be punted. www-servers/fnord is an alternative. thanks vorlon@gentoo.org 2006-10-23 12:44:34 0000 since this is not marked stable on any arch, pls feel free to mask->remove it falco@gentoo.org 2006-10-23 13:13:08 0000 i agree for masking/removing it if noone can resolve that bug. I'll try to check if our version is really vulnerable during this week. stuart@gentoo.org 2006-10-24 00:38:02 0000 Sorry for the delay in replying. I've bumped this package up to 1.35. That was released back in April, long before the exploit was posted. I can't tell whether this version is also vulnerable or not at the moment. Anyone in the security team fancy auditing it? Best regards, Stu falco@gentoo.org 2006-10-24 01:09:04 0000 Thanks Stuart. I'll try to have a look on this falco@gentoo.org 2006-10-24 05:46:45 0000 finally remove treacleaner from Cc since Stuart has taken this package :) carlo@gentoo.org 2006-10-24 05:55:51 0000 The update to 1.35 should suffice. Forgot to provide the advisory url, sorry. http://secunia.com/advisories/22294/ falco@gentoo.org 2006-10-30 03:12:54 0000 i couldn't determine if 1.25 was affected. That's not a problem since 1.35 is out after all. I close that bug, as usual feel free to reopen if you disagree