| Summary: | <=net-analyzer/ntop-3.3.10: HTTP Authorization header DoS (CVE-2009-2732) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Chris Rogers <crogers> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | jer, mrness, netmon |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.securityfocus.com/archive/1/505862/30/0/threaded | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Chris Rogers
2009-08-18 19:36:56 UTC

CVE-2009-2732 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2732): The checkHTTPpassword function in http.c in ntop 3.3.10 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an Authorization HTTP header that lacks a : (colon) character in the base64-decoded string.

Emailed upstream for advice. No new version yet. Patch here (also in ntop SVN): http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=CVE-2009-2732.patch;att=1;bug=543312

Please provide an updated ebuild.

That patch is applied in =net-analyzer/ntop-3.3.10-r2

Arches, please test and mark stable: =net-analyzer/ntop-3.3.10-r2
Target keywords : "amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

x86 stable

ppc and ppc64 done

Stable for HPPA.

arm/ia64/s390/sh/sparc stable

amd64 stable

GLSA vote: NO.

NO too, closing.
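The crash class described in this bug comes from splitting the base64-decoded Basic credential at ':' without first checking that a colon is present: `strchr` returns NULL and the next write through that pointer takes the daemon down. The following is an added example, not ntop's http.c and not the Debian patch; it shows the defensive shape of such a check in C. The function names, the small base64 decoder, the result codes and the sample header values are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for Authorization header handling (constructed for this example). */
enum auth_result {
    AUTH_OK = 0,
    AUTH_NOT_BASIC = 1,     /* header missing or not "Basic " */
    AUTH_BAD_ENCODING = 2,  /* credential is not valid base64 */
    AUTH_NO_COLON = 3,      /* decoded credential has no ':' separator */
    AUTH_TOO_LONG = 4       /* user or password does not fit the caller's buffers */
};

/* Minimal base64 decoder, written for this example so the block is self-contained.
 * Stops at the first '=' pad character; returns the number of decoded bytes or -1
 * on malformed input. The output is NUL-terminated. */
static int b64_decode(const char *in, unsigned char *out, size_t outsz)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t n = 0;
    unsigned int acc = 0;
    int bits = 0;

    for (const char *p = in; *p && *p != '='; p++) {
        const char *q = strchr(tbl, *p);
        if (q == NULL)
            return -1;                     /* character outside the alphabet */
        acc = (acc << 6) | (unsigned int)(q - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outsz)
                return -1;                 /* would overflow the caller's buffer */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Decode "user:password" and split it. The NULL check on the strchr result is the
 * step CVE-2009-2732 describes as missing: without it, "*colon = '\0'" writes
 * through a NULL pointer whenever the decoded string contains no ':'.
 * A decoded credential containing an embedded NUL is treated as ending there. */
int parse_basic_credential(const char *b64, char *user, size_t usz,
                           char *pass, size_t psz)
{
    unsigned char buf[256];

    if (b64_decode(b64, buf, sizeof buf) < 0)
        return AUTH_BAD_ENCODING;

    char *colon = strchr((char *)buf, ':');
    if (colon == NULL)
        return AUTH_NO_COLON;              /* reject instead of dereferencing NULL */

    *colon = '\0';                         /* safe now: colon points into buf */
    if (strlen((char *)buf) >= usz || strlen(colon + 1) >= psz)
        return AUTH_TOO_LONG;

    strcpy(user, (char *)buf);
    strcpy(pass, colon + 1);
    return AUTH_OK;
}

/* Entry point for the raw Authorization header value. */
int check_authorization_header(const char *value, char *user, size_t usz,
                               char *pass, size_t psz)
{
    if (value == NULL || strncmp(value, "Basic ", 6) != 0)
        return AUTH_NOT_BASIC;
    return parse_basic_credential(value + 6, user, usz, pass, psz);
}

int main(void)
{
    /* Constructed sample header values: a well-formed credential, one whose
     * decoded form lacks a colon, one that is not base64, and a non-Basic scheme. */
    static const char *samples[] = {
        "Basic YWxpY2U6c2VjcmV0",   /* "alice:secret" */
        "Basic YWxpY2U=",           /* "alice" (no colon) */
        "Basic @@@@",
        "Bearer abc",
    };
    static const char *names[] = {
        "AUTH_OK", "AUTH_NOT_BASIC", "AUTH_BAD_ENCODING", "AUTH_NO_COLON", "AUTH_TOO_LONG"
    };
    char user[64], pass[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = check_authorization_header(samples[i], user, sizeof user, pass, sizeof pass);
        printf("%-24s -> %s\n", samples[i], names[rc]);
    }
    return 0;
}
```

The point of the example is the ordering: validate the decoded shape (scheme, encoding, separator, length) and return a distinct error code at each step, so that a malformed header is answered with an HTTP error rather than a signal. Counting `AUTH_NO_COLON` results in the server log is also a cheap way to notice probing for this bug class on an unpatched build.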