On Sat, Aug 24, 2013 at 7:41 AM, Anssi Johansson <[email protected]> wrote:
> Hi, may I please direct some provenpackager's attention to
> https://bugzilla.redhat.com/show_bug.cgi?id=878915 --
> lighttpd: Denial of Service via malformed Connection headers
> (CVE-2012-5533)
>
> The bug was filed in November 2012, or approximately nine months ago. EPEL
> still ships a vulnerable version 1.4.31 for both EL5 and EL6. I think it'd
> be high time to release a fixed version, especially as exploiting the
> vulnerability is rather trivial:
>
> echo -ne "GET / HTTP/1.1\r\nHost: victim.com\r\nConnection: TE,,Keep-Alive\r\n\r\n" | nc victim.com 80
>
> Everything that's needed is included in the bug report (as far as I can
> tell). It'd only need someone to package the new version and push it
> through EPEL's buildsystem.
>

I have started work on this and will get it out ASAP.

-J

> _______________________________________________
> epel-devel mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/epel-devel
>

--
http://cecinestpasunefromage.wordpress.com/
------------------------------------------------
in your fear, seek only peace
in your fear, seek only love

-d. bowie
