Debian 3.0: DSA 392-1 Critical: Webfs Buffer Overflow and Access Issues
debian
September 29, 2003
Multiple vulnerabilities including unauthorized access and buffer overflow have been fixed.
Topics Covered
Summary
Jens Steube reported two vulnerabilities in webfs, a lightweight HTTP
server for static content.
CAN-2003-0832 - When virtual hosting is enabled, a remote client
could specify ".." as the hostname in a request, allowing retrieval
of directory listings or files above the document root.
CAN-2003-0833 - A long pathname could overflow a buffer allocated on
the stack, allowing execution of arbitrary code. In order to exploit
this vulnerability, it would be necessary to be able to create
directories on the server in a location which could be accessed by
the web server. In conjunction with CAN-2003-0832, this could be a
world-writable directory such as /var/tmp.
For the current stable distribution (woody) these problems have been fixed
in version 1.17.2.
For the unstable distribution (sid) these problems have been fixed in
version 1.20.
We recommend that you update your webfs package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
wi...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: webfs
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!