Debian Security Advisory DSA 396-1 (thttpd)

The remote host is missing an update to thttpd announced via advisory DSA 396-1.

Several vulnerabilities have been discovered in thttpd, a tiny HTTP server. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities: CVE-2002-1562: Information leak Marcus Breiing discovered that if thttpd it is used for virtual hosting, and an attacker supplies a specially crafted ``Host:'' header with a pathname instead of a hostname, thttpd will reveal information about the host system. Hence, an attacker can browse the entire disk. CVE-2003-0899: Arbitrary code execution Joel Soderberg and Christer Oberg discovered a remote overflow which allows an attacker to partially overwrite the EBP register and hencely execute arbitrary code. For the stable distribution (woody) these problems have been fixed in version 2.21b-11.2. For the unstable distribution (sid) this problem has been fixed in version 2.23beta1-2.3. We recommend that you upgrade your thttpd package immediately.

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20396-1