---

Home Security

SuSE Security Advisory: thttpd

By

Date: 17 Nov 1999 08:28:15 +0100
From: “Thomas Biege” <<a
href=”mailto:thomas@suse.de”>thomas@suse.de

SuSE Security Announcement – thttpd

Package: thttpd 1.90a – 2.04
Date: Tue Nov 16 19:44:14 CET 1999

Affected SuSE versions: 6.2 and 6.3
Vulnerability Type: remote compromise
SuSE default package: no
Other affected systems: all unix systems using the
thttpd-server

A security hole was discovered in the package mentioned above.
Please update as soon as possible or disable the service if you are
using this software on your SuSE Linux installation(s).

Other Linux distributions or operating systems might be affected
as well, please contact your vendor for information about this
issue.

Please note, that that we provide this information on an “as-is”
basis only. There is no warranty whatsoever and no liability for
any direct, indirect or incidental damage arising from this
information or the installation of the update package.

1. Problem Description

The thttpd web server doesn’t do proper bounds checking in the
date parsing function tdate_parse().

2. Impact

By overflowing a static buffer in tdate_parse() an attacker
could remotely execute commands on the thttpd host with the
permissions of thttpd.

3. Solution

Updated the package from our FTP server.

Please verify these md5 checksums of the updates before
installing:

160a166713f186a61b2111c45786e26a thttpd-2.04-31.i386.rpm
(6.2)
4eb85acb72a30873842257cd923f9332 thttpd-2.04-31.i386.rpm (6.3)

You can find updates on our ftp-Server:


ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/thttpd-2.04-31.i386.rpm


ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/thttpd-2.04-31.i386.rpm

or try the following web pages for a list of mirrors:
http://www.suse.de/ftp.html
http://www.suse.com/ftp_new.html

Our webpage for patches:
http://www.suse.de/de/support/download/updates/index.html

Our webpage for security announcements:
http://www.suse.de/de/support/security/index.html

If you want to report vulnerabilities, please contact
security@suse.de

SuSE has got two free security mailing list services to which
any interested party may subscribe:

suse-security@suse.com – moderated and for general/linux/SuSE
security discussions. All SuSE security announcements are send to
this list.

suse-security-announce@suse.com – SuSE’s announce-only mailing
list. Only SuSE’s security annoucements are sent to this list.

To subscribe to the list, send a message to: suse-security-subscribe@suse.com

To remove your address from the list, send a message to:
suse-security-unsubscribe@suse.com

Send mail to the following for info and FAQ for this list:
suse-security-info@suse.com
suse-security-faq@suse.com

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.