Debian Bug report logs - #590298
bozohttpd: CVE-2010-2320,CVE-2010-2195 multiple security issues

Package: bozohttpd; Maintainer for bozohttpd is Mattias Nordstrom <mnordstr@debian.org>; Source for bozohttpd is src:bozohttpd.

Reported by: Nico Golde <nion@debian.org>

Date: Sun, 25 Jul 2010 17:21:02 UTC

Severity: grave

Tags: security

Found in version bozohttpd/20090522-2

Fixed in version bozohttpd/20100621-1

Done: Mattias Nordstrom <mnordstr@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Mattias Nordstrom <mnordstr@debian.org>:
Bug#590298; Package bozohttpd. (Sun, 25 Jul 2010 17:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Mattias Nordstrom <mnordstr@debian.org>. (Sun, 25 Jul 2010 17:21:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: bozohttpd: CVE-2010-2320,CVE-2010-2195 multiple security issues
Date: Sun, 25 Jul 2010 19:22:18 +0200
[Message part 1 (text/plain, inline)]
Package: bozohttpd
Version: 20090522-2
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for bozohttpd.

From the original reporter:
| "Bozohttpd is started from inetd with a configuration line
| in /etc/inetd.conf like this:
| www      stream tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/bozohttpd /var/www -X -H -S foobar -c /usr/lib/cgi-bin -U www-data -u
| 
| There is a ~user1/public_html and there are other users on the system
| but without a public_html
| 
| 1) Go to "http://localhost/~user1/"
|     I get the index.html from user1/public_html as expected
| 2) Go to "http://localhost/~user2/" (who doesn't have a public_html dir)
|    I get a
| "403 Forbidden /~user2/: Access to this item has been denied", as expected
| 
| 3) Go to "http://localhost/~user2/" again (reload the page)
|   I don't get the error above, but just the directory index of ~user2
| (/home/user2).
| 
| If I reload the page I get the results of 2) and 3) swapping around. 3)
| shouldn't happen, as there is no public_html there. And anyone can:
| a) Probe for user names in the system (dir is there or not)
| b) Look at least at the names of the files of some user.

The latest upstream version fixes both problems.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2195
    http://security-tracker.debian.org/tracker/CVE-2010-2195
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2320
    http://security-tracker.debian.org/tracker/CVE-2010-2320

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
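The report above describes two defects in the ~user mapping: a request for a user without public_html sometimes falls back to the home directory itself, and the behaviour differs between identical requests, which lets a visitor enumerate accounts. The following is an added illustration, not bozohttpd's own code, of how a user-directory resolver should behave: public_html is the only per-user root, its absence is refused every time, and an unknown user and a user without public_html receive the same answer so the response does not reveal which accounts exist. The fixture (user1 with public_html, user2 with a bare home, no user called nobody) is constructed here to mirror the report; the function names are my own.

```python
import os
import posixpath
import tempfile
from typing import Callable, Dict, Optional, Tuple

# The per-user document root; corresponds to what the -u option of bozohttpd serves.
PUBLIC_HTML = "public_html"


def resolve_userdir(request_path: str,
                    home_lookup: Callable[[str], Optional[str]]) -> Tuple[int, Optional[str]]:
    """Map "/~user/rest" onto "<home>/public_html/rest".

    Returns (status, filesystem path). Every mapping failure yields the same
    403 and no path, whether the user is unknown, has no public_html, or the
    remainder tries to climb out of it. A missing public_html must never
    silently become the home directory.
    """
    if not request_path.startswith("/~"):
        return 403, None
    user, _, rest = request_path[2:].partition("/")
    if not user:
        return 403, None
    home = home_lookup(user)
    if home is None:
        return 403, None                    # unknown user: indistinguishable from "no public_html"
    docroot = os.path.realpath(os.path.join(home, PUBLIC_HTML))
    if not os.path.isdir(docroot):
        return 403, None                    # refuse; do not fall back to the home directory
    # Collapse ".." segments before joining, then confirm the real path stays inside docroot
    # (the second check also covers symlinks placed inside public_html).
    rel = posixpath.normpath("/" + rest).lstrip("/")
    target = os.path.realpath(os.path.join(docroot, rel))
    if target != docroot and not target.startswith(docroot + os.sep):
        return 403, None
    if not os.path.exists(target):
        return 404, target
    return 200, target


def make_demo_homes() -> Callable[[str], Optional[str]]:
    """Constructed fixture mirroring the report (hypothetical users, temp directory):
    user1 has public_html/index.html, user2 has a home but no public_html."""
    base = tempfile.mkdtemp(prefix="userdir-demo-")
    homes: Dict[str, str] = {
        "user1": os.path.join(base, "user1"),
        "user2": os.path.join(base, "user2"),
    }
    os.makedirs(os.path.join(homes["user1"], PUBLIC_HTML))
    with open(os.path.join(homes["user1"], PUBLIC_HTML, "index.html"), "w") as f:
        f.write("<h1>user1</h1>\n")
    os.makedirs(homes["user2"])
    with open(os.path.join(homes["user2"], ".secret"), "w") as f:
        f.write("private\n")                # must never be listed or served
    return homes.get


def demo() -> dict:
    """Run the scenarios from the report and return the status codes."""
    lookup = make_demo_homes()
    return {
        "user1": resolve_userdir("/~user1/", lookup)[0],
        "user1_index": resolve_userdir("/~user1/index.html", lookup)[0],
        # the regression from the report: two identical requests must agree
        "user2_twice": [resolve_userdir("/~user2/", lookup)[0] for _ in range(2)],
        # a user that does not exist gets the same answer as user2
        "nobody": resolve_userdir("/~nobody/", lookup)[0],
        # ".." is collapsed inside docroot, so this asks for public_html/.secret, which is absent
        "traversal": resolve_userdir("/~user1/../.secret", lookup)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} -> {status}")
```

The deterministic 403 for both user2 and nobody is the point: the original server's alternating 403/listing not only exposed user2's home directory but, because the two outcomes differed by whether the home existed, also answered the account-enumeration question the reporter raised.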

Reply sent to Mattias Nordstrom <mnordstr@debian.org>:
You have taken responsibility. (Mon, 26 Jul 2010 16:03:09 GMT) Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Mon, 26 Jul 2010 16:03:09 GMT) Full text and rfc822 format available.

Message #10 received at 590298-close@bugs.debian.org (full text, mbox):

From: Mattias Nordstrom <mnordstr@debian.org>
To: 590298-close@bugs.debian.org
Subject: Bug#590298: fixed in bozohttpd 20100621-1
Date: Mon, 26 Jul 2010 16:02:18 +0000
Source: bozohttpd
Source-Version: 20100621-1

We believe that the bug you reported is fixed in the latest version of
bozohttpd, which is due to be installed in the Debian FTP archive:

bozohttpd_20100621-1.diff.gz
  to main/b/bozohttpd/bozohttpd_20100621-1.diff.gz
bozohttpd_20100621-1.dsc
  to main/b/bozohttpd/bozohttpd_20100621-1.dsc
bozohttpd_20100621-1_i386.deb
  to main/b/bozohttpd/bozohttpd_20100621-1_i386.deb
bozohttpd_20100621.orig.tar.gz
  to main/b/bozohttpd/bozohttpd_20100621.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 590298@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattias Nordstrom <mnordstr@debian.org> (supplier of updated bozohttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 26 Jul 2010 18:17:35 +0300
Source: bozohttpd
Binary: bozohttpd
Architecture: source i386
Version: 20100621-1
Distribution: unstable
Urgency: low
Maintainer: Mattias Nordstrom <mnordstr@debian.org>
Changed-By: Mattias Nordstrom <mnordstr@debian.org>
Description: 
 bozohttpd  - Bozotic HTTP server
Closes: 590298
Changes: 
 bozohttpd (20100621-1) unstable; urgency=low
 .
   * New upstream release, fixes CVE-2010-2320 , CVE-2010-2195 (closes: #590298)
   * Updated to Debian Policy v3.9.1.0. No changes needed.
Checksums-Sha1: 
 64ab8e74576b8c8dc1f33b98291594783ed2a2c4 1011 bozohttpd_20100621-1.dsc
 06b892e703fe26b6fc7ee0941d15d555a9d2efcb 56759 bozohttpd_20100621.orig.tar.gz
 62c0e6cf8eba31fe579c8835efdcbd1bc7ee6edd 4383 bozohttpd_20100621-1.diff.gz
 1418f2cd533379b4fe258634239842ca5a6a6d74 39634 bozohttpd_20100621-1_i386.deb
Checksums-Sha256: 
 41eff5c4c500d02d6ea750b9dc6492010155a76c4629987fc108c434b779c328 1011 bozohttpd_20100621-1.dsc
 fd65e7c5da2cbc1f5d1ac8ccb6c4d27f0b6c520270f19c527c223dc5f46b39e8 56759 bozohttpd_20100621.orig.tar.gz
 aee11d2ec71dc0d908c57dbe6b51c320d6056abf9483d14fee46d2ac65d523c4 4383 bozohttpd_20100621-1.diff.gz
 03c9a7f8c55fb37208c6bbb1bd111c8e35c3ae2bcce057622aa3f94f3aab3542 39634 bozohttpd_20100621-1_i386.deb
Files: 
 17c1b0a3de0db75d0e810b895af13ac9 1011 httpd extra bozohttpd_20100621-1.dsc
 58cf3245c1a8564aec5e07d6b5b7fa3e 56759 httpd extra bozohttpd_20100621.orig.tar.gz
 57370afef2db1790972c0e5ba2d2344e 4383 httpd extra bozohttpd_20100621-1.diff.gz
 ba259c7341c85775ba41c0b5d6b5f16f 39634 httpd extra bozohttpd_20100621-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkxNrvQACgkQwKTxHeBrP5fS0QCdF/5BEcZuDz9s2ExvrgDDBEVS
HaMAniQmkwfjrJrDTAltI92IuaPmCer/
=Xts0
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 03 Sep 2010 07:42:42 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 04:38:48 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.