Summary: multiple vulnerabilities in thttpds htpasswd utility

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191095

------- Additional Comments From matthias@xxxxxxxxxxxx 2006-07-03 13:03 EST -------

I've just had another look at these htpasswd.c files, and the one from apache 2.x would add a requirement on apr, and the one from apache 1.3.x would add a build requirement on apache-devel and possibly a runtime requirement on apache too! Not to mention the license, which might change the entire package's license since thttpd is BSD licensed, whereas Apache has its own (would have to look into the details, though).

I really don't know if/when we can expect a new version of thttpd, and the developer has apparently already acknowledged the issue and possibly worked on it.

My current choice would be between:
- Not doing anything, since by default no one should be affected... but if someone runs htpasswd from their web server, they might be.
- Removing the htpasswd utility from the thttpd package for now. And let people who need to generate htpasswds use an online version of the binary from an apache httpd installation.

Any preference?