Bug 924857 - (CVE-2013-0348) CVE-2013-0348 thttpd: World-readable log file
CVE-2013-0348 thttpd: World-readable log file
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20130222,reported=2...
: Security
Depends On: 924859 924858
Blocks:
  Show dependency treegraph
 
Reported: 2013-03-22 12:17 EDT by Jan Lieskovsky
Modified: 2015-07-31 03:02 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2013-03-22 12:17:36 EDT
Agostino Sarubbo reported on the oss-security mailing list [1] that, on Gentoo, thttpd log file is world-readable. This could allow an unprivileged user to read the log file.

References:
[1] http://www.openwall.com/lists/oss-security/2013/02/22/18
[2] https://bugs.gentoo.org/show_bug.cgi?id=458896
[3] http://www.openwall.com/lists/oss-security/2013/02/23/7

Relevant (sthttpd) upstream patch:
[4] http://opensource.dyc.edu/gitweb/?p=sthttpd.git;a=commit;h=d2e186dbd58d274a0dea9b59357edc8498b5388d
Comment 1 Jan Lieskovsky 2013-03-22 12:19:48 EDT
This issue affects the versions of the thttpd package, as shipped with Fedora release of 17, 18, Fedora EPEL-5, and Fedora EPEL-6. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-03-22 12:20:56 EDT
Created thttpd tracking bugs for this issue

Affects: fedora-all [bug 924858]
Affects: epel-all [bug 924859]

Note You need to log in before you can comment on or make changes to this bug.