Summary: | www-servers/mini_httpd arbitrary code execution (CVE-2009-4490) | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | www-servers+disabled |
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | B2 [glsa] | |
Package list: | | Runtime testing required: | --- |

Description
Stefan Behte (RETIRED)
2010-02-06 15:29:07 UTC
Still vulnerable. Should we mask it?

Well, this is the same issue as several other in-tree daemons have. e.g. varnish disputed the issue. It's not safe to cat a random file in a term, though one could be of the opinion the daemon should sanitize the logs.

dropped

GLSA request filed.

This issue was resolved and addressed in GLSA 201206-27 at http://security.gentoo.org/glsa/glsa-201206-27.xml by GLSA coordinator Sean Amoss (ackle).
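
The "daemon should sanitize the logs" option raised in the comments, as an added example that is not mini_httpd or Gentoo code: a hypothetical `log_escape()` helper rewrites every non-printable byte of a request string as `\xNN` before it is written to a log. The function name, buffer sizes and the sample request are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not mini_httpd code): copy `src` into `dst`, replacing
 * every byte outside printable ASCII, plus backslash, with a \xNN escape so a
 * log line cannot carry terminal control sequences or forged line breaks.
 * Returns the number of bytes written (excluding the NUL); output is
 * truncated on an escape boundary if `dst` is too small. */
size_t log_escape(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (dstlen == 0)
        return 0;
    for (size_t i = 0; i < srclen; i++) {
        unsigned char c = (unsigned char)src[i];
        int printable = (c >= 0x20 && c <= 0x7e && c != '\\');
        size_t need = printable ? 1 : 4;

        if (o + need >= dstlen)   /* keep room for the terminating NUL */
            break;
        if (printable) {
            dst[o++] = (char)c;
        } else {
            dst[o++] = '\\';
            dst[o++] = 'x';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        }
    }
    dst[o] = '\0';
    return o;
}

/* Constructed sample: a request line containing ESC [ 31 m ... ESC [ 0 m
 * (a harmless colour change) followed by CR LF. */
static const char sample_request[] = "GET /\x1b[31mred\x1b[0m HTTP/1.0\r\n";

int main(void)
{
    char line[256];
    log_escape(line, sizeof line, sample_request, sizeof sample_request - 1);
    printf("%s\n", line);
    return 0;
}
```

Escaping the backslash itself keeps the encoding unambiguous, so a reader of the log can tell a literal `\x1b` typed by a client from an escaped ESC byte.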