Debian Bug report logs - #590298
bozohttpd: CVE-2010-2320,CVE-2010-2195 multiple security issues


Package: bozohttpd; Maintainer for bozohttpd is Mattias Nordstrom <>; Source for bozohttpd is src:bozohttpd.

Reported by: Nico Golde <>

Date: Sun, 25 Jul 2010 17:21:02 UTC

Severity: grave

Tags: security

Found in version bozohttpd/20090522-2

Fixed in version bozohttpd/20100621-1

Done: Mattias Nordstrom <>

Bug is archived. No further changes may be made.


Report forwarded to, Mattias Nordstrom <>:
Bug#590298; Package bozohttpd. (Sun, 25 Jul 2010 17:21:05 GMT)

Acknowledgement sent to Nico Golde <>:
New Bug report received and forwarded. Copy sent to Mattias Nordstrom <>. (Sun, 25 Jul 2010 17:21:05 GMT)

Message #5 received at:

From: Nico Golde <>
Subject: bozohttpd: CVE-2010-2320,CVE-2010-2195 multiple security issues
Date: Sun, 25 Jul 2010 19:22:18 +0200
Package: bozohttpd
Version: 20090522-2
Severity: grave
Tags: security

The following CVE (Common Vulnerabilities & Exposures) ids were
published for bozohttpd.

From the original reporter:
| "Bozohttpd is started from inetd with a configuration line
| in /etc/inetd.conf like this:
| www      stream tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/bozohttpd /var/www -X -H -S foobar -c /usr/lib/cgi-bin -U www-data -u
| There is a ~user1/public_html and there are other users on the system
| but without a public_html.
| 1) Go to "http://localhost/~user1/"
|    I get the index.html from user1/public_html as expected.
| 2) Go to "http://localhost/~user2/" (who doesn't have a public_html dir)
|    I get a "403 Forbidden /~user2/: Access to this item has been denied", as expected.
| 3) Go to "http://localhost/~user2/" again (reload the page)
|    I don't get the error above, but just the directory index of ~user2 (/home/user2).
| If I reload the page I get the results of 2) and 3) swapping around.
| 3) shouldn't happen, as there is no public_html there. And anyone can:
| a) Probe for user names in the system (dir is there or not)
| b) Look at at least the names of the files of some user."

The latest upstream version fixes both problems.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:


Nico Golde - - - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
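A repeatable form of the reload-and-compare check from the report above, as an added example that is not part of the bug report or of bozohttpd's own code. It requests /~user/ several times in a row, flags any change in status between reloads (the 403/200 flip-flop that lets an outsider tell which accounts exist), and flags a 200 for a user who should have no public_html (a listing of the home directory instead of a refusal). The host, port and the list of users who legitimately own a public_html are assumptions to set for one's own server; the simulated server embedded in the block is constructed to mimic the reporter's description and is not a capture.

```python
"""Repeat-request probe for the ~user inconsistency described in #590298.

Added example, not code from the bug report or from bozohttpd. It issues
the same GET /~user/ request several times and reports two things the
reporter observed: the status changing between reloads, and a 200 for a
user who has no public_html (a home-directory listing instead of a 403).
"""
import http.client
import sys
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

# A fetcher maps a request path to (HTTP status, body text).
Fetch = Callable[[str], Tuple[int, str]]


def http_fetch(host: str, port: int = 80, timeout: float = 5.0) -> Fetch:
    """Fetcher for a live server (host and port are assumptions for the reader's setup)."""
    def fetch(path: str) -> Tuple[int, str]:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            return resp.status, resp.read().decode("utf-8", "replace")
        finally:
            conn.close()
    return fetch


def simulated_fetch() -> Fetch:
    """Constructed stand-in reproducing the behaviour in the report (not a
    real capture): user1 always serves public_html; user2 alternates between
    a 403 and a listing of /home/user2 on every reload."""
    hits: Counter = Counter()

    def fetch(path: str) -> Tuple[int, str]:
        hits[path] += 1
        if path == "/~user1/":
            return 200, "<html>index.html from user1/public_html</html>"
        if path == "/~user2/":
            if hits[path] % 2 == 1:
                return 403, "403 Forbidden /~user2/: Access to this item has been denied"
            return 200, "<html><h1>Index of /home/user2</h1></html>"
        return 404, "404 Not Found"
    return fetch


def probe_user(fetch: Fetch, user: str, attempts: int = 6) -> Dict[str, object]:
    """Request /~user/ `attempts` times and record every status seen."""
    path = f"/~{user}/"
    statuses = [fetch(path)[0] for _ in range(attempts)]
    return {
        "user": user,
        "path": path,
        "statuses": statuses,
        # A correct server answers the same way every time.
        "inconsistent": len(set(statuses)) > 1,
        "served_200": 200 in statuses,
    }


def assess(results: Iterable[Dict[str, object]], have_public_html: Iterable[str]) -> List[str]:
    """Turn probe results into findings. `have_public_html` names the users
    who legitimately own a public_html directory (an assumption supplied by
    whoever runs the probe)."""
    allowed = set(have_public_html)
    findings: List[str] = []
    for r in results:
        statuses = list(r["statuses"])  # type: ignore[arg-type]
        if r["inconsistent"]:
            findings.append(
                f"{r['path']}: status flip-flops {sorted(set(statuses))} "
                f"across {len(statuses)} reloads (account existence leaks)"
            )
        if r["served_200"] and r["user"] not in allowed:
            findings.append(
                f"{r['path']}: 200 for a user with no public_html "
                f"(home directory listing exposed)"
            )
    return findings


if __name__ == "__main__":
    # Usage: python3 probe.py              -> run against the constructed simulation
    #        python3 probe.py HOST USER...  -> probe a live server on port 80
    if len(sys.argv) >= 3:
        fetch, users = http_fetch(sys.argv[1]), sys.argv[2:]
    else:
        fetch, users = simulated_fetch(), ["user1", "user2"]
    report = [probe_user(fetch, u) for u in users]
    # "user1" as the only legitimate public_html owner mirrors the report; adjust for a real host.
    for line in assess(report, have_public_html={"user1"}):
        print(line)
```

Against the simulated server the probe reports both findings for /~user2/ and none for /~user1/; against a fixed server every user should come back with a single, stable status across all reloads.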

Reply sent to Mattias Nordstrom <>:
You have taken responsibility. (Mon, 26 Jul 2010 16:03:09 GMT)

Notification sent to Nico Golde <>:
Bug acknowledged by developer. (Mon, 26 Jul 2010 16:03:09 GMT)

Message #10 received at:

From: Mattias Nordstrom <>
Subject: Bug#590298: fixed in bozohttpd 20100621-1
Date: Mon, 26 Jul 2010 16:02:18 +0000
Source: bozohttpd
Source-Version: 20100621-1

We believe that the bug you reported is fixed in the latest version of
bozohttpd, which is due to be installed in the Debian FTP archive:

  to main/b/bozohttpd/bozohttpd_20100621-1.diff.gz
  to main/b/bozohttpd/bozohttpd_20100621-1.dsc
  to main/b/bozohttpd/bozohttpd_20100621-1_i386.deb
  to main/b/bozohttpd/bozohttpd_20100621.orig.tar.gz

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Mattias Nordstrom <> (supplier of updated bozohttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing


Format: 1.8
Date: Mon, 26 Jul 2010 18:17:35 +0300
Source: bozohttpd
Binary: bozohttpd
Architecture: source i386
Version: 20100621-1
Distribution: unstable
Urgency: low
Maintainer: Mattias Nordstrom <>
Changed-By: Mattias Nordstrom <>
Description:
 bozohttpd  - Bozotic HTTP server
Closes: 590298
Changes:
 bozohttpd (20100621-1) unstable; urgency=low
   * New upstream release, fixes CVE-2010-2320, CVE-2010-2195 (closes: #590298)
   * Updated to Debian Policy v3.9.1.0. No changes needed.
Checksums-Sha1:
 64ab8e74576b8c8dc1f33b98291594783ed2a2c4 1011 bozohttpd_20100621-1.dsc
 06b892e703fe26b6fc7ee0941d15d555a9d2efcb 56759 bozohttpd_20100621.orig.tar.gz
 62c0e6cf8eba31fe579c8835efdcbd1bc7ee6edd 4383 bozohttpd_20100621-1.diff.gz
 1418f2cd533379b4fe258634239842ca5a6a6d74 39634 bozohttpd_20100621-1_i386.deb
Checksums-Sha256:
 41eff5c4c500d02d6ea750b9dc6492010155a76c4629987fc108c434b779c328 1011 bozohttpd_20100621-1.dsc
 fd65e7c5da2cbc1f5d1ac8ccb6c4d27f0b6c520270f19c527c223dc5f46b39e8 56759 bozohttpd_20100621.orig.tar.gz
 aee11d2ec71dc0d908c57dbe6b51c320d6056abf9483d14fee46d2ac65d523c4 4383 bozohttpd_20100621-1.diff.gz
 03c9a7f8c55fb37208c6bbb1bd111c8e35c3ae2bcce057622aa3f94f3aab3542 39634 bozohttpd_20100621-1_i386.deb
Files:
 17c1b0a3de0db75d0e810b895af13ac9 1011 httpd extra bozohttpd_20100621-1.dsc
 58cf3245c1a8564aec5e07d6b5b7fa3e 56759 httpd extra bozohttpd_20100621.orig.tar.gz
 57370afef2db1790972c0e5ba2d2344e 4383 httpd extra bozohttpd_20100621-1.diff.gz
 ba259c7341c85775ba41c0b5d6b5f16f 39634 httpd extra bozohttpd_20100621-1_i386.deb



Bug archived. Request was from Debbugs Internal Request <> to (Fri, 03 Sep 2010 07:42:42 GMT)


Debian bug tracking system administrator <>. Last modified: Thu Apr 24 04:38:48 2014

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.