1) Heap buffer overflow in CGI handler
   Patch: https://github.com/cherokee/webserver/commit/2d4ed5f277ba8d46aa988cdec3935a0650802f0d
   Bug: https://github.com/cherokee/webserver/issues/1225

2) XSS vulnerability in handler_error via cherokee_buffer_add_escape_html()
   Patch: https://github.com/cherokee/webserver/commit/4f4f85a348caa2c271c43260d20b9aef43701ffc
   Bug: https://github.com/cherokee/webserver/issues/1222

3) CVE-2006-1681
   Description: "Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated."
   Patch: https://github.com/cherokee/webserver/commit/998c4fe5bd34b41b252a4baf7a899368f2a314ee
   Bug: https://github.com/cherokee/webserver/issues/1223

---

At least some of these seem to have been reproduced on the version in tree (last released version, 1.2.104).
* CVE-2019-20798
  Description: "An XSS issue was discovered in handler_server_info.c in Cherokee through 1.2.104. The requested URL is improperly displayed on the About page in the default configuration of the web server and its administrator panel. The XSS in the administrator panel can be used to reconfigure the server and execute arbitrary commands."
  URL: https://github.com/cherokee/webserver/issues/1227

* CVE-2019-20799
  Description: "In Cherokee through 1.2.104, multiple memory corruption errors may be used by a remote attacker to destabilize the work of a server."
  URLs:
  * https://github.com/cherokee/webserver/issues/1221
  * https://github.com/cherokee/webserver/issues/1222
  * https://github.com/cherokee/webserver/issues/1225
  * https://github.com/cherokee/webserver/issues/1226
  * https://logicaltrust.net/blog/2019/11/cherokee.html

* CVE-2019-20800
  Description: "In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokee_handler_cgi_add_env_pair in handler_cgi.c by sending many request headers, as demonstrated by a GET request with many "Host: 127.0.0.1" headers."
* CVE-2020-12845
  Description: "Cherokee 0.4.27 to 1.2.104 is affected by a denial of service due to a NULL pointer dereferences. A remote unauthenticated attacker can crash the server by sending an HTTP request to protected resources using a malformed Authorization header that is mishandled during a cherokee_buffer_add call within cherokee_validator_parse_basic or cherokee_validator_parse_digest."
  URL: https://github.com/cherokee/webserver/issues/1242
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d46fe7a85ed834c7605fe7616ab0a2465ed895c6

commit d46fe7a85ed834c7605fe7616ab0a2465ed895c6
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-09-09 10:17:29 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-09-09 10:18:08 +0000

    package.mask: Last rite www-servers/cherokee

    Bug: https://bugs.gentoo.org/715204
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=32b08650cb9978cfac955ab232858feea15e1a6b

commit 32b08650cb9978cfac955ab232858feea15e1a6b
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-10-09 07:20:53 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-10-09 07:21:04 +0000

    www-servers/cherokee: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/715204
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask                            |   8 -
 www-servers/cherokee/Manifest                    |   1 -
 www-servers/cherokee/cherokee-1.2.104-r2.ebuild  | 197 ---------------------
 .../cherokee/files/cherokee-1.2.99-gentoo.patch  |  38 ----
 www-servers/cherokee/files/cherokee-confd-1.2.98 |   4 -
 www-servers/cherokee/files/cherokee-initd-1.2.99 |  67 -------
 www-servers/cherokee/files/cherokee.logrotate-r1 |  10 --
 www-servers/cherokee/files/cherokee.service      |  10 --
 www-servers/cherokee/metadata.xml                |  15 --
 9 files changed, 350 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202012-09 at https://security.gentoo.org/glsa/202012-09 by GLSA coordinator Thomas Deutschmann (whissi).