Bug 150748 - www-servers/shttpd - buffer overflow and rce (CVE-2006-5216)
|
Bug#:
150748
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: normal
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: carlo@gentoo.org
|
|
Component: Auditing
|
|
|
URL:
http://www.milw0rm.com/exploits/2482
|
|
Summary: www-servers/shttpd - buffer overflow and rce (CVE-2006-5216)
|
|
Keywords:
|
|
Status Whiteboard: ~1 [noglsa]
|
|
Opened: 2006-10-10 07:41 0000
|
The POCĀ¹ is against 1.34 tested on WinXP. We have only version ~ 1.25 in the
tree. I don't know, if it is affected, too. Either replacing it with 1.35 or
inviting treecleaners, if no one really cares for the package should suffice.
[1] http://www.milw0rm.com/exploits/2482
www-servers, any interest in keeping this? if so, pls verify/bump
i've put minimal (ie. cp) effort into creating a bump ebuild, but failed...
IMHO this can be punted. www-servers/fnord is an alternative.
thanks
since this is not marked stable on any arch, pls feel free to mask->remove it
i agree for masking/removing it if noone can resolve that bug.
I'll try to check if our version is really vulnerable during this week.
Sorry for the delay in replying.
I've bumped this package up to 1.35. That was released back in April, long
before the exploit was posted. I can't tell whether this version is also
vulnerable or not at the moment.
Anyone in the security team fancy auditing it?
Best regards,
Stu
Thanks Stuart. I'll try to have a look on this
finally remove treacleaner from Cc since Stuart has taken this package :)
i couldn't determine if 1.25 was affected. That's not a problem since 1.35 is
out after all.
I close that bug, as usual feel free to reopen if you disagree
