
[SECURITY] [DLA 490-1] bozohttpd security update




Package        : bozohttpd
Version        : 20111118-1+deb7u1
CVE ID         : CVE-2014-5015 CVE-2015-8212
Debian Bug     : 755197

Two security vulnerabilities have been discovered in bozohttpd, a small
HTTP server.

CVE-2014-5015

    Bozotic HTTP server (aka bozohttpd) before 201407081 truncates
    paths when checking .htpasswd restrictions, which allows remote
    attackers to bypass the HTTP authentication scheme and access
    restrictions via a long path.

CVE-2015-8212

    A flaw was found in CGI suffix handler support: if the -C option
    has been used to set up a CGI handler, it could result in remote
    code execution.

For Debian 7 "Wheezy", these problems have been fixed in version
20111118-1+deb7u1.

We recommend that you upgrade your bozohttpd packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
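
The path-truncation failure mode described under CVE-2014-5015, shown as an
added example that is not part of the advisory and is not bozohttpd's own
code: a lookup that ignores truncation fails open, while one that checks the
formatted length fails closed. The buffer size, function names, directory
names and the simulated filesystem are assumptions constructed for
illustration.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_FILE ".htpasswd"
#define PATH_BUF  48   /* assumption: small stand-in for the server's path buffer */

enum decision { ALLOW, REQUIRE_AUTH, REJECT };

/* Constructed directory names; LONG_DIR + "/.htpasswd" does not fit in PATH_BUF. */
static const char SHORT_DIR[] = "/srv/www/private";
static const char LONG_DIR[]  = "/srv/www/private/archive/2014/quarterly-reports/drafts";

/* Simulated filesystem: only protected_dir contains an auth file. */
static int auth_file_exists(const char *path, const char *protected_dir)
{
    char real[512];
    snprintf(real, sizeof real, "%s/%s", protected_dir, AUTH_FILE);
    return strcmp(path, real) == 0;
}

/* Flawed pattern: the truncated name is looked up, not found, and access is allowed. */
enum decision check_truncating(const char *dir, const char *protected_dir)
{
    char authfile[PATH_BUF];
    snprintf(authfile, sizeof authfile, "%s/%s", dir, AUTH_FILE); /* length ignored */
    return auth_file_exists(authfile, protected_dir) ? REQUIRE_AUTH : ALLOW;
}

/* Hardened pattern: a path that does not fit is rejected before any lookup. */
enum decision check_fail_closed(const char *dir, const char *protected_dir)
{
    char authfile[PATH_BUF];
    int n = snprintf(authfile, sizeof authfile, "%s/%s", dir, AUTH_FILE);
    if (n < 0 || (size_t)n >= sizeof authfile)
        return REJECT;
    return auth_file_exists(authfile, protected_dir) ? REQUIRE_AUTH : ALLOW;
}

int main(void)
{
    printf("short dir, truncating:  %d\n", check_truncating(SHORT_DIR, SHORT_DIR));
    printf("long dir,  truncating:  %d\n", check_truncating(LONG_DIR, LONG_DIR));
    printf("long dir,  fail closed: %d\n", check_fail_closed(LONG_DIR, LONG_DIR));
    return 0;
}
```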
