Several vulnerabilities have been discovered in thttpd, a tiny HTTP
server.
The Common Vulnerabilities and Exposures project identifies the
following vulnerabilities:
CAN-2002-1562: Information leak
Marcus Breiing discovered that if thttpd is used for virtual
hosting, and an attacker supplies a specially crafted "Host:"
header with a pathname instead of a hostname, thttpd will reveal
information about the host system. Hence, an attacker can browse
the entire disk.
CAN-2003-0899: Arbitrary code execution
Joel Soderberg and Christer Oberg discovered a remote overflow which
allows an attacker to partially overwrite the EBP register and
hence execute arbitrary code.
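
The check below is an added example, not thttpd's code or the Debian patch. It shows one way a server that maps the "Host:" header to a per-site directory can refuse pathname-like values of the kind described under CAN-2002-1562. The names vhost_name_is_safe and vhost_dir are hypothetical, and bracketed IPv6 literals are rejected on purpose.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOST_LEN 253 /* longest valid DNS name */

/* Return 1 if the Host value (optional ":port" allowed) is a plain DNS-style
 * name that can serve as ONE directory component, 0 otherwise. */
int vhost_name_is_safe(const char *host)
{
    size_t len, i;

    if (host == NULL)
        return 0;
    len = strcspn(host, ":");
    if (len == 0 || len > MAX_HOST_LEN)
        return 0;
    if (host[len] == ':') {               /* port: one or more digits */
        if (host[len + 1] == '\0')
            return 0;
        for (i = len + 1; host[i] != '\0'; i++)
            if (!isdigit((unsigned char)host[i]))
                return 0;
    }
    if (host[0] == '.' || host[len - 1] == '.')
        return 0;                          /* no leading or trailing dot */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.' && host[i + 1] == '.')
            return 0;                      /* empty label, i.e. ".." */
        if (c != '.' && c != '-' && !isalnum(c))
            return 0;                      /* rejects '/', '\\', '%', spaces */
    }
    return 1;
}

/* Write "<root>/<host-without-port>" to out; -1 if rejected or truncated. */
int vhost_dir(const char *root, const char *host, char *out, size_t outlen)
{
    int n;

    if (!vhost_name_is_safe(host))
        return -1;
    n = snprintf(out, outlen, "%s/%.*s", root, (int)strcspn(host, ":"), host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

Validation happens before any path is built, so a rejected header never reaches the filesystem lookup.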
For the stable distribution (woody) these problems have been fixed in
version 2.21b-11.2.
For the unstable distribution (sid) this problem has been fixed in
version 2.23beta1-2.3.
We recommend that you upgrade your thttpd package immediately.
Upgrade Instructions
--------------------
wget url
will fetch the file f...