Date: Fri, 24 Aug 2012 20:59:04 -0400 (EDT)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: oss-security@...ts.openwall.com
cc: Gentoo Linux Security Team <security@...too.org>
Subject: Re: CVE Request: SquidClamav insufficient escaping flaws


On Thu, 16 Aug 2012, Sean Amoss wrote:

> The upstream notification [1] shows SquidClamav 5.8 and 6.7 fixes a URL
> escaping issue which could lead to a daemon crash [2]. SquidClamav 5.8
> also fixes escaping issues in CGI scripts [3].
>
>
> References:
> [1] http://squidclamav.darold.net/news.html
> [2] https://github.com/darold/squidclamav/commit/80f74451f628264d1d9a1f1c0bbcebc932ba5e00
> [3] https://github.com/darold/squidclamav/commit/5806d10a31183a0b0d18eccc3a3e04e536e2315b
> [4] https://bugs.gentoo.org/show_bug.cgi?id=428778

It appears that [3] is an XSS issue, so this needs a separate CVE because 
it's a different type of encoding problem than [2].

Use CVE-2012-4667 for the XSS.


- Steve
