~ubuntu-security/ubuntu-cve-tracker/master

Candidate: CVE-2014-5015
PublicDate: 2014-07-24
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5015
 https://marc.info/?l=oss-security&m=140572157701095&w=2
 http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.asc
 http://www.eterna.com.au/bozohttpd/
Description:
 bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD,
 truncates paths when checking .htpasswd restrictions, which allows remote
 attackers to bypass the HTTP authentication scheme and access restrictions
 via a long path.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755197
Priority: medium
Discovered-by: Mateusz Kocielski
Assigned-to:

Patches_bozohttpd:
upstream_bozohttpd: released (20140708)
lucid_bozohttpd: ignored (reached end-of-life)
precise_bozohttpd: ignored (reached end-of-life)
precise/esm_bozohttpd: DNE (precise was needed)
trusty_bozohttpd: released (20111118-1+deb7u1build0.14.04.1)
utopic_bozohttpd: ignored (reached end-of-life)
vivid_bozohttpd: DNE
vivid/stable-phone-overlay_bozohttpd: DNE
vivid/ubuntu-core_bozohttpd: DNE
wily_bozohttpd: DNE
xenial_bozohttpd: DNE
yakkety_bozohttpd: DNE
zesty_bozohttpd: DNE
devel_bozohttpd: DNE