Daniel,

Please find attached the patch I'm going to use for the security update.

Could you please apply it, or a comparable patch, to the version in unstable and let us know which version will fix the problem?

Steve
--
# The Debian Security Audit Project. http://www.debian.org/security/audit

[EMAIL PROTECTED]:/tmp$ interdiff thttpd_2.23beta1-3sarge1.diff thttpd_2.23beta1-3sarge2.diff diff -u thttpd-2.23beta1/debian/changelog thttpd-2.23beta1/debian/changelog --- thttpd-2.23beta1/debian/changelog +++ thttpd-2.23beta1/debian/changelog @@ -1,3 +1,11 @@ +thttpd (2.23beta1-3sarge2) stable-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix the insecure use of temporary files when invoked by logrotate. + [CVE-2006-4248] + + -- Steve Kemp <[EMAIL PROTECTED]> Tue, 31 Oct 2006 17:49:34 +0000 + thttpd (2.23beta1-3sarge1) stable-security; urgency=high * Non-maintainer upload by the Security Team diff -u thttpd-2.23beta1/debian/thttpd.logrotate thttpd-2.23beta1/debian/thttpd.logrotate --- thttpd-2.23beta1/debian/thttpd.logrotate +++ thttpd-2.23beta1/debian/thttpd.logrotate @@ -4,15 +4,9 @@ compress missingok delaycompress - prerotate - if pidof thttpd 2>&1 > /dev/null; then - touch /tmp/start_thttpd - fi - endscript postrotate - if [ -f /tmp/start_thttpd ]; then + if [ -f /var/run/thttpd.pid ]; then /etc/init.d/thttpd restart 2>&1 > /dev/null - rm -f /tmp/start_thttpd fi endscript }
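Review bot: The new debian/changelog entry for 2.23beta1-3sarge2 says only "Fix the insecure use of temporary files when invoked by logrotate" and names neither the file touched nor the change in behaviour. Suggest stating that debian/thttpd.logrotate no longer creates /tmp/start_thttpd and that the postrotate restart is now conditional on /var/run/thttpd.pid, so an administrator reading the changelog can see that the restart condition changed along with the fix.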
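Review bot: In the postrotate block of debian/thttpd.logrotate, the new test `[ -f /var/run/thttpd.pid ]` only checks that the pid file exists, whereas the removed prerotate check used `pidof thttpd` to ask whether a process was actually running. A pid file left behind after a crash would now cause `/etc/init.d/thttpd restart` to start a server that was not running before rotation. Consider also confirming the recorded process is alive, for example `[ -f /var/run/thttpd.pid ] && kill -0 "$(cat /var/run/thttpd.pid)" 2>/dev/null`, and confirm that the init script really writes its pid to /var/run/thttpd.pid, since the patch does not show that. Dropping the predictable flag file in /tmp is the right fix for the temporary-file issue itself. Separately, the unchanged restart line keeps `2>&1 > /dev/null`, which discards stdout only and leaves stderr attached to logrotate's output; if the intent is to silence both, the order should be `> /dev/null 2>&1`.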