---------- Forwarded message ----------
From: Jon Ciesla <limburgher@gmail.com>
Date: Mon, Aug 26, 2013 at 8:09 AM
Subject: Re: EPEL Lighttpd vulnerability still unfixed after 9 months
To: EPEL Development List <epel-devel@lists.fedoraproject.org>





On Sat, Aug 24, 2013 at 7:41 AM, Anssi Johansson <epel@miuku.net> wrote:
Hi, may I please direct some provenpackager's attention to https://bugzilla.redhat.com/show_bug.cgi?id=878915 -- lighttpd: Denial of Service via malformed Connection headers (CVE-2012-5533)

The bug was filed in November 2012, or approximately nine months ago. EPEL still ships a vulnerable version 1.4.31 for both EL5 and EL6. I think it'd be high time to release a fixed version, especially as exploiting the vulnerability is rather trivial:

echo -ne "GET / HTTP/1.1\r\nHost: victim.com\r\nConnection: TE,,Keep-Alive\r\n\r\n" | nc victim.com 80

Everything that's needed is included in the bug report (as far as I can tell). It'd only need someone to package the new version and push it through EPEL's buildsystem.

I have started work on this and will get it out ASAP.

-J
 
_______________________________________________
epel-devel mailing list
epel-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/epel-devel



--
http://cecinestpasunefromage.wordpress.com/
------------------------------------------------
in your fear, seek only peace
in your fear, seek only love

-d. bowie



--
http://cecinestpasunefromage.wordpress.com/
------------------------------------------------
in your fear, seek only peace
in your fear, seek only love

-d. bowie