Joined: 12 May 2004
|Posted: Sat Apr 30, 2005 2:47 pm Post subject: [ GLSA 200504-29 ] Pound: Buffer overflow vulnerability
|Gentoo Linux Security Advisory
Title: Pound: Buffer overflow vulnerability (GLSA 200504-29)
Date: April 30, 2005
Updated: May 22, 2006
Pound is vulnerable to a buffer overflow that could lead to the remote execution of arbitrary code.
Pound is a reverse proxy, load balancer and HTTPS front-end.
Vulnerable: < 1.8.3
Unaffected: >= 1.8.3
Architectures: All supported architectures
Steven Van Acker has discovered a buffer overflow vulnerability in the "add_port()" function in Pound.
A remote attacker could send a request for an overly long hostname parameter, which could lead to the remote execution of arbitrary code with the rights of the Pound daemon process (by default, Gentoo uses the "nobody" user to run the Pound daemon).
There is no known workaround at this time.
All Pound users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/pound-1.8.3"
Last edited by GLSA on Sat Aug 23, 2008 4:18 am; edited 4 times in total