Date: Fri, 24 Aug 2012 20:59:04 -0400 (EDT)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: oss-security@...ts.openwall.com
cc: Gentoo Linux Security Team <security@...too.org>
Subject: Re: CVE Request: SquidClamav insufficient escaping flaws

On Thu, 16 Aug 2012, Sean Amoss wrote:

> The upstream notification  shows SquidClamav 5.8 and 6.7 fixes a URL
> escaping issue which could lead to a daemon crash . SquidClamav 5.8
> also fixes escaping issues in CGI scripts .
>
>
> References:
>  http://squidclamav.darold.net/news.html
>  https://github.com/darold/squidclamav/commit/80f74451f628264d1d9a1f1c0bbcebc932ba5e00
>  https://github.com/darold/squidclamav/commit/5806d10a31183a0b0d18eccc3a3e04e536e2315b
>  https://bugs.gentoo.org/show_bug.cgi?id=428778

It appears that  is an XSS issue, so this needs a separate CVE because
it's a different type of encoding problem than .

Use CVE-2012-4667 for the XSS.

- Steve