From ${URL} :

sthttpd [1] is a fork of thttpd, a small, fast, multiplexing webserver. Our fuzzing tools recently found a heap buffer overflow in the request parsing code that can be triggered remotely. The patch was recently fixed [2], and the bug was introduced in [3]. It seems that it's also affecting thttpd 2.25b present in OpenSUSE [4]. Let us know if you need more information.

Thanks
Alex from ForAllSecure

[1] https://github.com/blueness/sthttpd
[2] https://github.com/blueness/sthttpd/commit/c0dc63a49d8605649f1d8e4a96c9b468b0bff660
[3] https://github.com/blueness/sthttpd/commit/aa3f36c0bf2aef1ffb17f5188ccf5e8afc13d3dc
[4] https://build.opensuse.org/package/view_file/server:http/thttpd/thttpd-2.25b-strcpy.patch?expand=1

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
@ Arches, please test and mark stable: =www-servers/thttpd-2.27.1
amd64 stable
x86 stable
arm stable
sparc stable
ppc stable
ppc64 stable.

Maintainer(s), please cleanup.

Security, please add it to the existing request, or file a new one.
Downgraded to B3. No PoC for ACE/RCE.

GLSA Vote: No

@maintainer, please cleanup.
(In reply to Aaron Bauman from comment #8)
> Downgraded to B3. No PoC for ACE/RCE.
>
> GLSA Vote: No
>
> @maintainer, please cleanup.

clean up done
(In reply to Anthony Basile from comment #9)
> (In reply to Aaron Bauman from comment #8)
> > Downgraded to B3. No PoC for ACE/RCE.
> >
> > GLSA Vote: No
> >
> > @maintainer, please cleanup.
>
> clean up done

Thanks!