Author: nion Date: 2009-06-19 20:02:20 +0000 (Fri, 19 Jun 2009) New Revision: 12171 Modified: data/CVE/list Log: adjusted impact of slowloris, actually i think this issue is fairly dangerous at least in standard configurations unless servers start to reduce the timeout after a certain percent of used threads i think this is a real issue Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-06-19 19:28:04 UTC (rev 12170) +++ data/CVE/list 2009-06-19 20:02:20 UTC (rev 12171) @@ -6,11 +6,11 @@ [etch] - pcsc-lite <not-affected> (directory introduced in 1.5.0) [lenny] - pcsc-lite <not-affected> (directory introduced in 1.5.0) CVE-2009-XXXX ["slowloris" denial-of-service vulnerabilty in webservers] - - apache2 <unfixed> (low; bug #533661) - - apache <unfixed> (low; bug #533662) - - squid <unfixed> (low; bug #533663) - - squid3 <unfixed> (low; bug #533664) - - dhttpd <unfixed> (low; bug #533665) + - apache2 <unfixed> (medium; bug #533661) + - apache <unfixed> (medium; bug #533662) + - squid <unfixed> (medium; bug #533663) + - squid3 <unfixed> (medium; bug #533664) + - dhttpd <unfixed> (medium; bug #533665) - lighttpd <not-affected> TODO: follow-up with maintainers (exploit site says these servers vulnerable, but i have not checked, asked maintainers to do so) TODO: determine if any of the other webservers are affected
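Review bot: The raise to medium on the five `+` lines (apache2, apache, squid, squid3, dhttpd) rests on an affected status that the unchanged TODO just below still marks as unverified ("exploit site says these servers vulnerable, but i have not checked"). Either resolve that TODO per package before raising urgency, or keep the uniform medium and say in the entry that it is provisional until maintainers confirm. The rationale also lives only in the log message (dangerous in standard configurations unless servers reduce the timeout once a certain percentage of threads is in use), so a reader of data/CVE/list sees the new urgency without the reason for it. A short note line next to the existing TODO lines would record it. That rationale is phrased in terms of used threads, yet the same urgency is applied to all five packages, so it is worth stating whether it was assessed for each of them or carried over from one.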