Date: Wed, 30 Oct 2013 10:12:51 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Tollef Fog Heen <tfheen@...nish-software.com>
CC: ingvar@...pill-linpro.com, ssm@...ian.org, team@...urity.debian.orgteam,
        Open Source Security <oss-security@...ts.openwall.com>
Subject: Re: CVE number needed for Varnish DoS, also heads-up

Adding oss-security to cc as per
http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
since it's public.


On 10/30/2013 08:05 AM, Tollef Fog Heen wrote:
> Hi Kurt,
> 
> I'm being told by the Debian security team that they can't assign a
> CVE as there has been a public bug report about this issue, but
> that you can help.  (https://www.varnish-cache.org/trac/ticket/1367
> is the bug report)
> 
> Can you please get me a CVE id?
> 
> Thanks, - Tollef Fog Heen
> 
> ]] Tollef Fog Heen
> 
>> Hi,
>> 
>> (Cc to varnish maintainer in Debian and Fedora)
>> 
>> we've had a denial of service attack reported in Varnish.  I
>> believe we should get this fixed in stable (we're working on a
>> patch), but I'd like a CVE # to go with the advisory.  Draft
>> advisory at http://etherpad.wikimedia.org/p/WnwRT4FH6e
>> 
>> Regards, -- Tollef Fog Heen Technical lead | Varnish Software AS 
>> 📞: +47 21 98 92 64 We Make Websites Fly!
> 

Please use CVE-2013-4484 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
