Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 518078 (CVE-2014-5015)

Summary: <www-servers/bozohttpd-20140708: basic http authentication bypass (CVE-2014-5015)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: maintainer-needed
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-07-25 08:58:54 UTC
CVE-2014-5015 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5015):
  bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, 
  truncates paths when checking .htpasswd restrictions, which allows remote 
  attackers to bypass the HTTP authentication scheme and access restrictions 
  via a long path.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Michael Palimaka (kensington) gentoo-dev 2014-11-27 16:51:24 UTC
+  27 Nov 2014; Michael Palimaka <kensington@gentoo.org>
+  +bozohttpd-20140708.ebuild:
+  Version bump wrt bug #518078, solving CVE-2014-5015.

Ready to stable, target KEYWORDS="x86".
Comment 2 Agostino Sarubbo gentoo-dev 2014-12-12 09:43:36 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 3 Pacho Ramos gentoo-dev 2014-12-12 09:54:45 UTC
+  12 Dec 2014; Pacho Ramos <pacho@gentoo.org> -bozohttpd-20100621.ebuild,
+  -bozohttpd-20111118.ebuild:
+  Drop old
+
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-03-18 18:23:06 UTC
GLSA vote: no.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-18 18:25:05 UTC
GLSA Vote: No, closing noglsa