Bug#396277: allows creating any file as root

2006-10-31 Thread Steve Kemp
On Mon, Oct 30, 2006 at 10:56:28PM +0100, Marco d'Itri wrote:
> By creating a /tmp/start_thttpd symlink a local attacker will be able to create/touch any file as root.

Thanks for the report. Once I get a CVE identifier allocated I'll handle an update for Sarge. Daniel if you have a

Bug#396277: allows creating any file as root

2006-10-31 Thread Steve Kemp
Daniel,

Please find attached the patch I'm going to use for the security update. Could you please apply it, or a comparable patch to the version in unstable and let us know which version will fix the problem?

Steve
--
# The Debian Security Audit Project.

Bug#396277: allows creating any file as root

2006-10-31 Thread Daniel Baumann
Steve Kemp wrote:
> Daniel Please find attached the patch I'm going to use for the security update.

Thanks.

> Could you please apply it, or a comparable patch to the version in unstable and let us know which version will fix the problem?

I'll apply your patch, and upload in about 10

Bug#396277: allows creating any file as root

2006-10-30 Thread Marco d'Itri
Package: thttpd
Severity: grave
Tags: security

Insecure use of /tmp in /etc/logrotate.d/thttpd:

    if pidof thttpd 2>&1 > /dev/null; then
        touch /tmp/start_thttpd
    fi

By creating a /tmp/start_thttpd symlink a local attacker will be able to create/touch any file as root.

--
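
An added example, not part of the bug report or of the thttpd package: a shell audit that flags logrotate script lines using a fixed file name under /tmp or /var/tmp, the pattern reported above. The sample files are constructed, and the /var/run/example path in the second one is a hypothetical alternative, not the fix from the attached patch.

```shell
#!/bin/sh
# Added example: audit a logrotate.d directory for script lines that use a
# fixed file name in a world-writable directory. Heuristic: review each hit.

# scan_logrotate_tmp DIR -> prints "file:line: text" for each offending line
# found between prerotate/postrotate/firstaction/lastaction/preremove and
# endscript. Log file paths outside script blocks are not considered.
scan_logrotate_tmp() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" -v pat='(^|[^A-Za-z0-9/._-])/(var/)?tmp/[A-Za-z0-9_.]' '
            /^[ \t]*(prerotate|postrotate|firstaction|lastaction|preremove)[ \t]*$/ { in_script = 1; next }
            /^[ \t]*endscript[ \t]*$/ { in_script = 0; next }
            !in_script || /^[ \t]*#/ { next }      # skip non-script and comment lines
            $0 ~ pat { sub(/^[ \t]+/, ""); printf "%s:%d: %s\n", file, NR, $0 }
        ' "$f"
    done
}

# make_sample DIR -> writes two constructed logrotate snippets into DIR:
# one built around the lines quoted in the report, one using a directory
# that only root can write to (hypothetical path).
make_sample() {
    cat > "$1/thttpd" <<'EOF'
/var/log/thttpd.log {
    prerotate
        if pidof thttpd 2>&1 > /dev/null; then
            touch /tmp/start_thttpd
        fi
    endscript
}
EOF
    cat > "$1/example" <<'EOF'
/var/log/example.log {
    prerotate
        touch /var/run/example/restart
    endscript
}
EOF
}

# Demo on the constructed input when the script is run directly.
d=$(mktemp -d) && make_sample "$d" && scan_logrotate_tmp "$d"; rm -rf "$d"
```

On a real system the function would be pointed at /etc/logrotate.d; a hit means a root-run script names a file in a directory where any local user can place a symlink first.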