CVE-2014-5015

Name: CVE-2014-5015
Description: bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-490-1
Debian Bugs: 755197

The information below is based on the following data on fixed versions.

Package    Type    Release     Fixed Version      Urgency  Origin     Debian Bugs
bozohttpd  source  wheezy      20111118-1+deb7u1  -        DLA-490-1  -
bozohttpd  source  (unstable)  (unfixed)          -        -          755197

Notes

[squeeze] - bozohttpd <no-dsa> (Minor issue)
Fixed by: http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/httpd/bozohttpd.c.diff?r1=1.52&r2=1.53&only_with_tag=MAIN
