[Pkg-cups-devel] Bug#530027: cups: Request from "…" using invalid Host: field "…"
itz at buug.org
Mon Oct 12 05:25:04 UTC 2009
The reason that ServerAlias * fixes it for some cases but not for others
can be seen from the patch that addressed CVE-2009-0164:
If you look at the vaild_host() function, in the case the connecting
address matches 127.*.*.* , the ServerAlias check is completely
bypassed and only "localhost" or its numerical equivalents are allowed
as values of the Host: header.
This breaks connection via SSH tunnels, maybe other things.
I'll have to downgrade to 1.3.* until this is fixed :(
Interestingly, I have apache2 set up the same way and it cares not one
whit about the Host header. Perhaps the cure is worse that the disease
here, given that the original vulnerability was mostly theoretical and
involved broken clients?
Ian Zimmerman <itz at buug.org>
gpg public key: 1024D/C6FF61AD
fingerprint: 66DC D68F 5C1B 4D71 2EE5 BD03 8A00 786C C6FF 61AD
Ham is for reading, not for eating.
More information about the Pkg-cups-devel