Date: Wed, 30 Oct 2013 10:12:51 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Tollef Fog Heen <tfheen@...nish-software.com>
CC: ingvar@...pill-linpro.com, ssm@...ian.org, team@...urity.debian.orgteam,
        Open Source Security <oss-security@...ts.openwall.com>
Subject: Re: CVE number needed for Varnish DoS, also heads-up

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adding oss-security to cc as per
http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
since it's public.


On 10/30/2013 08:05 AM, Tollef Fog Heen wrote:
> Hi Kurt,
> 
> I'm being told by the Debian security team that they can't assign a
> CVE as there has been a public bug report about this issue, but
> that you can help.  (https://www.varnish-cache.org/trac/ticket/1367
> is the bug report)
> 
> Can you please get me a CVE id?
> 
> Thanks, - Tollef Fog Heen
> 
> ]] Tollef Fog Heen
> 
>> Hi,
>> 
>> (Cc to varnish maintainer in Debian and Fedora)
>> 
>> we've had a denial of service attack reported in Varnish.  I
>> believe we should get this fixed in stable (we're working on a
>> patch), but I'd like a CVE # to go with the advisory.  Draft
>> advisory at http://etherpad.wikimedia.org/p/WnwRT4FH6e
>> 
>> Regards, -- Tollef Fog Heen Technical lead | Varnish Software AS 
>> 📞: +47 21 98 92 64 We Make Websites Fly!
> 

Please use CVE-2013-4484 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----
