[Secure-testing-commits] r12171 - data/CVE
Nico Golde
nion at alioth.debian.org
Fri Jun 19 20:02:24 UTC 2009
Author: nion
Date: 2009-06-19 20:02:20 +0000 (Fri, 19 Jun 2009)
New Revision: 12171
Modified:
data/CVE/list
Log:
adjusted impact of slowloris, actually I think this issue is fairly dangerous at least in standard configurations
unless servers start to reduce the timeout after a certain percent of used threads I think this is a real issue
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-06-19 19:28:04 UTC (rev 12170)
+++ data/CVE/list 2009-06-19 20:02:20 UTC (rev 12171)
@@ -6,11 +6,11 @@
[etch] - pcsc-lite <not-affected> (directory introduced in 1.5.0)
[lenny] - pcsc-lite <not-affected> (directory introduced in 1.5.0)
CVE-2009-XXXX ["slowloris" denial-of-service vulnerabilty in webservers]
- - apache2 <unfixed> (low; bug #533661)
- - apache <unfixed> (low; bug #533662)
- - squid <unfixed> (low; bug #533663)
- - squid3 <unfixed> (low; bug #533664)
- - dhttpd <unfixed> (low; bug #533665)
+ - apache2 <unfixed> (medium; bug #533661)
+ - apache <unfixed> (medium; bug #533662)
+ - squid <unfixed> (medium; bug #533663)
+ - squid3 <unfixed> (medium; bug #533664)
+ - dhttpd <unfixed> (medium; bug #533665)
- lighttpd <not-affected>
TODO: follow-up with maintainers (exploit site says these servers vulnerable, but i have not checked, asked maintainers to do so)
TODO: determine if any of the other webservers are affected
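Review bot: the five `+` lines raise every listed package to medium in one step, while the TODO context line directly below them still says the affected status comes from the exploit site and has not been checked. Consider raising only the packages whose behaviour has been confirmed, or leaving the unverified ones at low until the maintainers respond on bugs #533661 through #533665. The reasoning given in the log message (dangerous in standard configurations, unless servers reduce the timeout once a share of threads is in use) would also be worth recording as a line next to the TODOs, so the basis for the rating lives in data/CVE/list and not only in the commit log. The unchanged header line of the entry still reads "vulnerabilty", which could be corrected in the same commit.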