Date: Wed, 06 Jun 2012 10:56:02 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Jan Lieskovsky <jlieskov@...hat.com>
CC: oss-security@...ts.openwall.com, Matthias Weckbecker <mweckbecker@...e.de>
Subject: Re: CVE request: rack-cache caches sensitive headers (Set-Cookie)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/06/2012 03:29 AM, Jan Lieskovsky wrote:
> Thanks for your report, Matthias.
> 
> On 06/06/2012 11:09 AM, Matthias Weckbecker wrote:
>> Hi Kurt, Steve, vendors,
>>
>> rack-cache caches sensitive response headers such as Set-Cookie. Attackers
>> with access to the cache could possibly obtain other users' cookies to e.g.
>> bypass authentication.
>>
>> More information (including patch) available at our bugzilla:
>>    https://bugzilla.novell.com/show_bug.cgi?id=763650
>>
>> Kurt, could you possibly assign a CVE for this issue, please? Thank you in
>> advance!
> 
> Kurt, once assigned please note it in our bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=824520
> 
> too.
> 
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 
>>
>> Matthias
>>

Please use CVE-2012-2671 for this issue.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
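The failure mode Matthias describes, shown as an added, self-contained example (this is not rack-cache's code and not part of the thread): a toy Rack-style cache middleware keyed only on method and path stores the whole header hash of a "public" response, including Set-Cookie, so the next client to hit the same URL is handed the first client's session cookie. The `ToyCache` class, the `APP` lambda that mints a per-user cookie, the `X-User` request header standing in for authentication, and the cookie values are all constructed for the demonstration.

```ruby
# Toy Rack-style cache middleware, constructed to illustrate CVE-2012-2671's
# class of bug. It is NOT rack-cache and does not require the rack gem; a Rack
# response is just the [status, headers, body] triple.
class ToyCache
  def initialize(app, strip_set_cookie: true)
    @app = app
    @store = {}                          # cache key => [status, headers, body]
    @strip_set_cookie = strip_set_cookie # false reproduces the leak
  end

  def call(env)
    key = "#{env['REQUEST_METHOD']} #{env['PATH_INFO']}"

    if env['REQUEST_METHOD'] == 'GET' && (hit = @store[key])
      status, headers, body = hit
      # A cache hit replays the stored headers verbatim: if Set-Cookie was
      # stored, it is now sent to a different client.
      return [status, headers.merge('X-Cache' => 'HIT'), body]
    end

    status, headers, body = @app.call(env)

    if env['REQUEST_METHOD'] == 'GET' && cacheable?(headers)
      stored = headers.dup
      # Mitigation modelled here: never persist Set-Cookie in a shared cache.
      stored.delete('Set-Cookie') if @strip_set_cookie
      @store[key] = [status, stored, body]
    end

    [status, headers.merge('X-Cache' => 'MISS'), body]
  end

  private

  # Only responses the app marks as publicly cacheable are stored.
  def cacheable?(headers)
    headers['Cache-Control'].to_s.include?('public')
  end
end

# Constructed upstream app: identifies the user from a hypothetical X-User
# header and (mis)configures a per-user session cookie as publicly cacheable.
APP = lambda do |env|
  user = env['HTTP_X_USER'] || 'anonymous'
  headers = {
    'Content-Type'  => 'text/plain',
    'Cache-Control' => 'public, max-age=60',
    'Set-Cookie'    => "session=#{user}-secret; Path=/; HttpOnly",
  }
  [200, headers, ["hello #{user}"]]
end

def request_for(user)
  { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/', 'HTTP_X_USER' => user }
end

# Alice requests the page first (cache miss, response stored); Bob requests it
# next (cache hit). Returns the Set-Cookie header Bob receives.
def cookie_seen_by_second_client(strip:)
  cache = ToyCache.new(APP, strip_set_cookie: strip)
  cache.call(request_for('alice'))
  _status, headers, _body = cache.call(request_for('bob'))
  headers['Set-Cookie']
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable : bob gets #{cookie_seen_by_second_client(strip: false).inspect}"
  puts "mitigated  : bob gets #{cookie_seen_by_second_client(strip: true).inspect}"
end
```

Running the script prints Alice's `session=alice-secret` cookie for Bob in the vulnerable configuration and `nil` with stripping enabled. Stripping Set-Cookie from stored entries is one defence; a stricter one is to refuse to cache any response that carries Set-Cookie at all, since an application that marks such a response `Cache-Control: public` is itself misconfigured and a shared cache should not trust that directive.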
