add blurb on NFR security
parent e657e034f9
commit 541f037493
20
net/nfr/pkg/SECURITY
Normal file
@ -0,0 +1,20 @@
Versions of NFR greater than 1.6.2 and less than 2.0.3
had an exploitable buffer overflow in webd, the built-in
NFR webserver. This hole was fixed in version 2.0.3.
The previous version of the OpenBSD port of NFR (1.6.2)
was not vulnerable to this, as it used /usr/sbin/httpd by
default.
Security issues with the current version of NFR include:
- sniffable cleartext authentication, since
webd does not support SSL
- other potential problems with webd. It is enabled
by default, but may be replaced with another
webserver (e.g. /usr/sbin/httpd) in nfr/etc/nfr.conf
- potential holes in NFR's cgi-bin programs
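Review bot: The second list item says webd "may be replaced with another webserver (e.g. /usr/sbin/httpd) in nfr/etc/nfr.conf" but does not name the setting to change, and the path is relative to an unstated prefix, so a reader cannot act on it; name the configuration entry and give the installed path. The second paragraph says the 1.6.2 port escaped the webd overflow because it used /usr/sbin/httpd by default, so the file should also say why this version leaves webd enabled by default, or the port should keep httpd as its default. The cleartext-authentication item would be more useful if it said whether switching to an SSL-capable httpd addresses it, and "potential holes in NFR's cgi-bin programs" gives no indication of whether those programs were audited or what the concern is.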