[Bug 191095] multiple vulnerabilities in thttpds htpasswd utility

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: multiple vulnerabilities in thttpds htpasswd utility


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191095





------- Additional Comments From matthias@xxxxxxxxxxxx  2006-07-03 13:03 EST -------
I've just had another look at these htpasswd.c files, and the one from apache
2.x would add a requirement on apr, and the one from apache 1.3.x would add a
build requirement on apache-devel and possibly a runtime requirement on apache
too! Not to mention the license, which might change the entire package's license
since thttpd is BSD licensed, whereas Apache has its own (would have to look
into the details, though).

I really don't know if/when we can expect a new version of thttpd, and the
developer has apparently already acknowledged the issue and possibly worked on it.

My current choice would be between :
- Not doing anything, since by default no one should be affected... but if
someone runs htpasswd from their web server, they might be.
- Removing the htpasswd utility from the thttpd package for now. And let people
who needs to generate htpasswds use an online version of the binary from an
apache httpd installation.

Any preference?

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Coolkey]

  Powered by Linux