Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 518078 (CVE-2014-5015) - <www-servers/bozohttpd-20140708: basic http authentication bypass (CVE-2014-5015)
Summary: <www-servers/bozohttpd-20140708: basic http authentication bypass (CVE-2014-5...
Status: RESOLVED FIXED
Alias: CVE-2014-5015
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-25 08:58 UTC by Agostino Sarubbo
Modified: 2015-03-18 18:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-07-25 08:58:54 UTC 
CVE-2014-5015 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5015):
  bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, 
  truncates paths when checking .htpasswd restrictions, which allows remote 
  attackers to bypass the HTTP authentication scheme and access restrictions 
  via a long path.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Michael Palimaka (kensington) gentoo-dev 2014-11-27 16:51:24 UTC 
+  27 Nov 2014; Michael Palimaka <kensington@gentoo.org>
+  +bozohttpd-20140708.ebuild:
+  Version bump wrt bug #518078, solving CVE-2014-5015.

Ready to stable, target KEYWORDS="x86".
Comment 2 Agostino Sarubbo gentoo-dev 2014-12-12 09:43:36 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 3 Pacho Ramos gentoo-dev 2014-12-12 09:54:45 UTC 
+  12 Dec 2014; Pacho Ramos <pacho@gentoo.org> -bozohttpd-20100621.ebuild,
+  -bozohttpd-20111118.ebuild:
+  Drop old
+
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-03-18 18:23:06 UTC 
GLSA vote: no.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-18 18:25:05 UTC 
GLSA Vote: No, closing noglsa