Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b89d6aea by Salvatore Bonaccorso at 2022-06-20T20:31:38+02:00
Adjust not-affected reason for CVE-2022-30780

lighttpd 1.4.53 not vulnerable does not explain here why the source is
not affected. While "Vulnerable code introduced later" is as well not
yet too specific, looking at the source the problematic code was
seemingly introduced when adding connection_read_header_more() which is
not yet present in the buster and stretch version. Pinpointing the
exact introducing commit would be even better though.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -8695,8 +8695,8 @@ CVE-2022-30781 (Gitea before 1.16.7 does not escape git 
fetch remote. ...)
        - gitea <removed>
 CVE-2022-30780 (Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to 
cause a den ...)
        - lighttpd 1.4.59-1
-       [buster] - lighttpd <not-affected> (lighttpd 1.4.53 not vulnerable)
-       [stretch] - lighttpd <not-affected> (lighttpd 1.4.45 not vulnerable)
+       [buster] - lighttpd <not-affected> (Vulnerable code introduced later)
+       [stretch] - lighttpd <not-affected> (Vulnerable code introduced later)
        NOTE: https://podalirius.net/en/cves/2022-30780/
        NOTE: 
https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service
        NOTE: https://redmine.lighttpd.net/issues/3059
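
Review bot: The new reason on the two added [buster] and [stretch] lines, "(Vulnerable code introduced later)", does not record the evidence behind it: the commit message names connection_read_header_more() as the likely point of introduction, but nothing in data/CVE/list says so. Consider naming that function in the parenthetical or in an extra NOTE: line under the entry, so the justification can be checked without reading the commit log, and replace it with the introducing commit once that is pinpointed. The removed lines also carried the suite versions (1.4.53 for buster, 1.4.45 for stretch), which a reader could compare against the "1.4.56 through 1.4.58" range in the CVE description; keeping them in a NOTE: would preserve that cross-check.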



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b89d6aea3ae3c69f66982701ef94322aa7a6aed4
