Bug 332065 (CVE-2010-2195) - <www-servers/bozohttpd-20100621: Multiple vulnerabilities (CVE-2010-{2195,2320})
Summary: <www-servers/bozohttpd-20100621: Multiple vulnerabilities (CVE-2010-{2195,2320})
Status: RESOLVED FIXED
Alias: CVE-2010-2195
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.eterna.com.au/bozohttpd
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-10 15:10 UTC by Alex Legler (RETIRED)
Modified: 2010-09-29 21:17 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-10 15:10:18 UTC
CVE-2010-2195 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2195):
  bozotic HTTP server (aka bozohttpd) 20090522 through 20100512 allows
  attackers to cause a denial of service via vectors related to a
  "wrong code generation interaction with GCC."
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-10 15:20:20 UTC
CVE-2010-2320 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2320):
  bozotic HTTP server (aka bozohttpd) before 20100621 allows remote
  attackers to list the contents of home directories, and determine the
  existence of user accounts, via multiple requests for URIs beginning
  with /~ sequences.
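The CVE-2010-2320 description above says the affected server leaks home-directory listings and user existence to a client that sends many requests for /~ prefixed URIs. The following is an added example written for this page, not code from the bug report, from bozohttpd or from NVD: a small detector that reads web-server access logs in Common Log Format, decodes percent-encoded paths (so /%7Euser is treated like /~user), and reports clients that probed several distinct /~user prefixes, together with the mix of status codes they received. The log lines, hostnames, addresses and user names are constructed for the example; the threshold of three distinct prefixes is an assumption to tune for the site.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). Addresses and user
# names are made up for this example and do not appear in the bug report.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2010:15:10:01 +0000] "GET /~alice/ HTTP/1.1" 200 512
203.0.113.5 - - [10/Aug/2010:15:10:02 +0000] "GET /~bob/ HTTP/1.1" 404 153
203.0.113.5 - - [10/Aug/2010:15:10:02 +0000] "GET /~carol/ HTTP/1.1" 200 420
203.0.113.5 - - [10/Aug/2010:15:10:03 +0000] "GET /~dave HTTP/1.1" 404 153
203.0.113.5 - - [10/Aug/2010:15:10:03 +0000] "GET /~erin/ HTTP/1.1" 404 153
203.0.113.5 - - [10/Aug/2010:15:10:04 +0000] "GET /%7Efrank/ HTTP/1.1" 200 388
198.51.100.7 - - [10/Aug/2010:15:11:00 +0000] "GET /~alice/index.html HTTP/1.1" 200 2048
198.51.100.7 - - [10/Aug/2010:15:11:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# client, ident, authuser, [timestamp], "METHOD path [protocol]", status, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# A request path that starts with /~<name>; the name ends at /, ? or #.
TILDE_RE = re.compile(r'^/~([^/?#]+)')


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode percent-encoding so /%7Euser is recognised as a /~user request.
    rec["path"] = unquote(rec["path"])
    return rec


def tilde_user(path):
    """Return the user name in a /~user... path, or None if the path has no such prefix."""
    m = TILDE_RE.match(path)
    return m.group(1) if m else None


def find_enumeration(log_text, threshold=3):
    """Return {client: {"users": [...], "statuses": [...]}} for every client that
    requested at least `threshold` distinct /~user prefixes.

    A client cycling through many user names, and receiving a mix of status
    codes for them, matches the behaviour described in CVE-2010-2320.
    """
    users = defaultdict(set)
    statuses = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user = tilde_user(rec["path"])
        if user is None:
            continue
        users[rec["client"]].add(user)
        statuses[rec["client"]].add(rec["status"])
    return {
        client: {"users": sorted(names), "statuses": sorted(statuses[client])}
        for client, names in users.items()
        if len(names) >= threshold
    }


if __name__ == "__main__":
    for client, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {len(info['users'])} distinct /~user prefixes "
              f"{info['users']}, statuses {info['statuses']}")
```

Run against a real log the detector is a triage aid, not proof of abuse: a legitimate crawler can also touch several /~user pages, so review the flagged clients rather than blocking on the count alone. A mixed set of status codes for the same client is the more telling signal, because it shows the server answering differently for existing and non-existing accounts.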

Comment 2 Michele Noberasco (RETIRED) gentoo-dev 2010-09-03 15:17:11 UTC
Unaffected version of bozohttpd has just been added to the tree. As soon as it gets stabilized we can hard mask the only affected version remaining.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-03 15:24:48 UTC
(In reply to comment #2)
> Unaffected version of bozohttpd has just been added to the tree. As soon as it
> gets stabilized we can hard mask the only affected version remaining.
> 

Unless you have a very good reason why it should stay, it should be removed.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-03 15:24:55 UTC
Arches, please test and mark stable:
=www-servers/bozohttpd-20100621
Target keywords : "x86"
Comment 5 Michele Noberasco (RETIRED) gentoo-dev 2010-09-03 15:29:24 UTC
(In reply to comment #3)
> Unless you have a very good reason why it should stay, it should be removed.

Uh, well, yes, of course it should be removed ;-)
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-04 01:47:03 UTC
x86 stable
Comment 7 Michele Noberasco (RETIRED) gentoo-dev 2010-09-06 06:53:12 UTC
Wiped out affected version.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-06 08:18:27 UTC
(In reply to comment #7)
> Wiped out affected version.
> 

Please don't close bugs assigned to security@.

GLSA vote: NO
Comment 9 Michele Noberasco (RETIRED) gentoo-dev 2010-09-06 12:33:15 UTC
(In reply to comment #8)
> Please don't close bugs assigned to security@.
I have got a lot to learn, it seems :-)
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-29 21:17:32 UTC
Vote: NO, closing noglsa, feel free to reopen if you think otherwise.