Debian Security Advisory
boa -- exposes contents of local files
- Date Reported:
- 09 Oct 2000
- Affected Packages:
- boa
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2000-0920.
- More information:
In versions of boa before 0.94.8.3, it is possible to access files outside of the server's document root by using specially crafted URL requests.
This problem is fixed in version 0.94.8.3-1, uploaded to Debian's unstable distribution on October 3, 2000. Fixed packages are also available in proposed-updates and will be included in the next revision of Debian/2.2 (potato).
Debian GNU/Linux 2.1 (slink) contains Boa version 0.93.15. This version is no longer supported; we recommend that slink users upgrade to potato, or recompile the current Boa packages on their slink systems.
- Fixed in:
- Debian GNU/Linux 2.2 (potato)
- Source:
- http://security.debian.org/dists/potato/updates/main/source/boa_0.94.8.3-1.dsc
- http://security.debian.org/dists/potato/updates/main/source/boa_0.94.8.3-1.tar.gz
- Alpha:
- http://security.debian.org/dists/potato/updates/main/binary-alpha/boa_0.94.8.3-1_alpha.deb
- Intel ia32:
- http://security.debian.org/dists/potato/updates/main/binary-i386/boa_0.94.8.3-1_i386.deb
- Motorola 680x0:
- http://security.debian.org/dists/potato/updates/main/binary-m68k/boa_0.94.8.3-1_m68k.deb
- PowerPC:
- http://security.debian.org/dists/potato/updates/main/binary-powerpc/boa_0.94.8.3-1_powerpc.deb
- Sun Sparc:
- http://security.debian.org/dists/potato/updates/main/binary-sparc/boa_0.94.8.3-1_sparc.deb