Debian Security Advisory

boa -- exposes contents of local files

Date Reported:
09 Oct 2000
Affected Packages:
boa
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2000-0920.
More information:
In versions of boa before 0.94.8.3, it is possible to access files outside of the server's document root by the use of properly constructed URL requests.

This problem is fixed in version 0.94.8.3-1, uploaded to Debian's unstable distribution on October 3, 2000. Fixed packages are also available in proposed-updates and will be included in the next revision of Debian/2.2 (potato).

Debian GNU/Linux 2.1 (slink) contains Boa version 0.93.15. This version is no longer supported; we recommend that slink users upgrade to potato, or recompile the current Boa packages on their slink systems.
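The advisory does not describe the form of the requests, so the following added example (not Boa's code and not the 0.94.8.3 fix) shows the general server-side check for this class of flaw: canonicalize the requested path and confirm it still lies under the document root. The names `resolve_in_docroot` and `make_demo_tree` are hypothetical, and the request path is assumed to be URL-decoded before the call.

```c
/* Added example, not Boa's code; function names are hypothetical. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath(), mkdtemp() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Returns 1 and writes the canonical path to out (PATH_MAX bytes) when the
 * already URL-decoded req_path names an existing file inside docroot. */
int resolve_in_docroot(const char *docroot, const char *req_path, char *out)
{
    char root[PATH_MAX], joined[PATH_MAX];
    size_t n;
    int len;

    if (realpath(docroot, root) == NULL)
        return 0;
    len = snprintf(joined, sizeof joined, "%s/%s", root, req_path);
    if (len < 0 || (size_t)len >= sizeof joined)
        return 0;
    /* realpath() resolves "..", "." and symlinks: check what would be opened. */
    if (realpath(joined, out) == NULL)
        return 0;
    n = strlen(root);
    /* Prefix must end on a component boundary: /srv/www-old is not in /srv/www. */
    return strncmp(out, root, n) == 0 && (n == 1 || out[n] == '/' || out[n] == '\0');
}

/* Constructed sample tree in a fresh temp dir: www/index.html, www-old/ and
 * secret.txt. Writes <tmp>/www to docroot (PATH_MAX bytes); 1 on success. */
int make_demo_tree(char *docroot)
{
    static const char *items[] = { "www", "www-old", "www/index.html", "secret.txt" };
    char base[] = "/tmp/docroot-demo-XXXXXX", path[PATH_MAX];
    FILE *f;
    size_t i;
    if (mkdtemp(base) == NULL)
        return 0;
    for (i = 0; i < sizeof items / sizeof items[0]; i++) {
        snprintf(path, sizeof path, "%s/%s", base, items[i]);
        if (i < 2) { if (mkdir(path, 0700) != 0) return 0; continue; }
        if ((f = fopen(path, "w")) == NULL) return 0;
        fclose(f);
    }
    snprintf(docroot, PATH_MAX, "%s/www", base);
    return 1;
}
```

A caller should open the canonical path returned in `out`, not the original request string, so that the file served is the one that was checked.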

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:
http://security.debian.org/dists/potato/updates/main/source/boa_0.94.8.3-1.dsc
http://security.debian.org/dists/potato/updates/main/source/boa_0.94.8.3-1.tar.gz
Alpha:
http://security.debian.org/dists/potato/updates/main/binary-alpha/boa_0.94.8.3-1_alpha.deb
Intel ia32:
http://security.debian.org/dists/potato/updates/main/binary-i386/boa_0.94.8.3-1_i386.deb
Motorola 680x0:
http://security.debian.org/dists/potato/updates/main/binary-m68k/boa_0.94.8.3-1_m68k.deb
PowerPC:
http://security.debian.org/dists/potato/updates/main/binary-powerpc/boa_0.94.8.3-1_powerpc.deb
Sun Sparc:
http://security.debian.org/dists/potato/updates/main/binary-sparc/boa_0.94.8.3-1_sparc.deb