Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 23 Nov 2009 14:20:23 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVEs for nginx

----- "Craig" <craig@...uarter.de> wrote:

> 
> 1.) nginx webdav: http://secunia.com/advisories/36818/

Let's use CVE-2009-3898 for this one:

CVE-2009-3898

nginx versions before 0.8.17 and 0.7.63 contain a directory traversal flaw in
the webdav component. A user who can COPY or MOVE permissions could place
files outside the webdav root.

http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0379.html
http://secunia.com/advisories/36818/
http://marc.info/?l=oss-security&m=125900327409842&w=2

> 
> 2.) nginx Null Pointer dereference:
> http://sysoev.ru/nginx/patch.null.pointer.txt

This is CVE-2009-3896

> 
> 3.) nginx SSL Renegotiation:
> http://sysoev.ru/nginx/patch.cve-2009-3555.txt
> 
> I know the last one contains a CVE number, nginx uses openssl and the
> patch will disable renegotiation, maybe this deserves an own CVE?
> 

We'll use the same ID. mod_ssl did a similar thing and used CVE-2009-3555. I
think multiple IDs in this instance would actually create more confusion that
it would solve.

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ