Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 14 Jan 2013 18:53:16 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>
Subject: Re: CVE request: 3 DoS conditions in Rake

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/14/2013 05:20 PM, Vincent Danen wrote:
> Three issues were noted in recent release of upstream Rake.  All
> are DoS issues.
> 
> From https://bugzilla.redhat.com/show_bug.cgi?id=895277 (2
> issues):
> 
> Upstream released [1] Rack 1.4.2, 1.3.7, 1.2.6, and 1.1.4 to fix a 
> denial of service condition when Rack parses content with a
> certain Content-Disposition header as noted in the original report
> [2].
> 
> This has been fixed in git [3].

Please use CVE-2012-6109 for this issue (fixed in Rack 1.4.2 and so on)

> Additionally, a second flaw that was fixed in 1.4.4, 1.3.9, 1.2.7,
> and 1.1.5 was also announced [4] that creates a minor denial of
> service condition, this time in the Rack::Auth::AbstractRequest,
> where it symbolized arbitrary strings (apparently this has
> something to do with authentication, but there is no further
> information provided other than the fix [5] itself, which is noted
> as "a breaking API change").

Please use CVE-2013-0184 for this issue (fixed in Rack 1.4.4 and so on)

> [1] http://rack.github.com/ [2] 
> https://groups.google.com/forum/#!msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ
>
> 
[3]
> https://github.com/rack/rack/commit/4fc44671b3cad569421f4f8b775c0590b86f575e
>
>  [4] 
> https://groups.google.com/forum/#!topic/rack-devel/ImYOqcGiksw/discussion
>
> 
[5]
> https://github.com/rack/rack/commit/0c76175fcccad74ba2f991c487d3669c28a297c8


=====================

>
> 
And from https://bugzilla.redhat.com/show_bug.cgi?id=895282:
> 
> Upstream released [1] Rack 1.4.3 and 1.3.8 to fix a denial of
> service condition due to a malicious client sending excessively
> long lines that trigger an out-of-memory error in Rack.
> 
> This has been fixed in git [2].

Please use CVE-2013-0183 for this issue (fixed in Rack 1.4.3 and so on)


> [1] 
> https://groups.google.com/forum/#!topic/rack-devel/-MWPHDeGWtI/discussion
>
> 
[2]
> https://github.com/rack/rack/commit/f95113402b7239f225282806673e1b6424522b18

Please
> 
use CVE-2012-6109 for this issue (fixed in Rack 1.4.2, released
in 2012 so 2012 CVE)



> 
> 
> 
> Could three CVEs be assigned for these issues please?  Thanks.
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ9LaMAAoJEBYNRVNeJnmTmV0P/ihQNH1ta7ju4e5QvkhV2AQT
k+AlM+tyrS8lIFQ5ywrydnKUPemm/LSh3mFyMnqG2JxYR4B9aooC86VBoR8il/wF
a3UJv4nlmqOCXY4v+px7YoCcsIUK5saf5NGTsdCG3oej+d2xgpiVdVvZoD9dx9Ih
RN42/KhPJzGE+s/Mi5DTz2IVVG/s1Egu7UlEM8ySwWyHCLQhIITccidR54dwbla5
ATOAx23WDeVTG35vvgMPXVZUgzHl6fg2n027ZTQrLABuYZ7dDKM5aspI1f2lLPoc
bli6bIveH2XPoMME+E39gYcWktF5E+Mocoks1QlAzULJOZiABZKj5lnVE41mbFOm
2oUljrZ0b2LWwXMAnfCW6xzWDUFmFiUe/Yu8AS/6X4uPSJ9Wrkq6arOjzm6sEEP+
7efhPvPnY/zPDzOJAAG+ggGvBxKd1iWWzimg1pMwrXyEuEwWSnxlfTguWGRqC1f0
CBFsLqdMUgY4+DxyJYhZCfnhYzUjve1fPBLm/U6ADDxvWliNVFyyW8QXAHNYOUG4
/3NIKWYhMt/9clV7DtdV38w5/sp+uHdooPAKhpv2ZZ7n/M1mEBlfjHoG0+OPfYVh
jJcxfaF08gM67XaT6poyRzsna7kTZbCmUotMFuPKfHxq/ikuKEF53NEG0ahFa4Kh
tucpKur4ikJaT5hMixng
=n42W
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.