Bug 713218 - <www-servers/bozohttpd-20190228: Multiple vulnerabilities
Summary: <www-servers/bozohttpd-20190228: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.eterna.com.au/bozohttpd/CH...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-18 14:54 UTC by Sam James
Modified: 2020-03-19 19:08 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 14:54:57 UTC
1)
>changes in bozohttpd 20190228:
> extend timeout facility to ssl and stop servers hanging forever 
> if the client never sends anything.
> reported by Steffen in netbsd PR#50655.
> ...

Bug: https://mail-index.netbsd.org/netbsd-bugs/2016/01/14/msg044174.html

2)
>changes in bozohttpd 20181215:
> ...
> avoid possible null dereference when receiving a big request that timeout.
> reported by maya@netbsd.org, from leot@netbsd.org
> ...

Bug: https://gnats.netbsd.org/54080

3)
>changes in bozohttpd 20181121:
> ...
> fix a denial of service attack against header contents, 
> which is now bounded at 16KiB.  reported by JP
> ...
Comment 1 Larry the Git Cow gentoo-dev 2020-03-19 19:06:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=021051a989e23208ae5f7c0208d4ce65d8a87fdd

commit 021051a989e23208ae5f7c0208d4ce65d8a87fdd
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 19:06:33 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 19:06:44 +0000

    www-servers/bozohttpd: security cleanup (bug #713218)
    
    Bug: https://bugs.gentoo.org/713218
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-servers/bozohttpd/Manifest                  |  1 -
 www-servers/bozohttpd/bozohttpd-20170201.ebuild | 37 -------------------------
 2 files changed, 38 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9786f102b326f186682829f7f6f6164681250dce

commit 9786f102b326f186682829f7f6f6164681250dce
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-18 16:14:01 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 19:06:42 +0000

    www-servers/bozohttpd: new snapshot (20190228), security bump
    
    Bug: https://bugs.gentoo.org/713218
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15003
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-servers/bozohttpd/Manifest                  |  1 +
 www-servers/bozohttpd/bozohttpd-20190228.ebuild | 37 +++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-19 19:08:11 UTC
Package has no stable ebuild.

Repository is clean, all done!