Date: Mon, 20 Jan 2014 11:05:44 -0500 (EST) From: cve-assign@...re.org To: pinkbyte@...too.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: Cantata vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > https://code.google.com/p/cantata/issues/detail?id=356 Use CVE-2013-7300 for the lack of restrictions on the set of files available through the web server, i.e., an absolute path traversal vulnerability. Use CVE-2013-7301 for the default configuration in which the external network interface is used with no access control for reading queued music files. These could have been fixed independently. For example, fixing only CVE-2013-7300 means that a remote attacker could read "private" song data (but that might be irrelevant in some situations on a network within a home). Fixing only CVE-2013-7301 means that local users could read arbitrary files (but that might be irrelevant on a single-user system). The other issues mentioned in id=356 are probably best considered suggestions for security improvement (e.g., availability of an HTTP service in fewer circumstances, defaulting to the lo interface, better access control, additional build options, etc.). - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJS3UglAAoJEKllVAevmvmslR4IALRpqiR6R6K8mUuqeEDhnzKV TY4cY6E5sRbpM4jCLKKSlTX6eLFuOEP0yXJfnyAr5opGTslmecfCTVuvTxa9u7E5 KHviH9Qlinzt31BnxNvXJPntIRHr87YVPYPvHNeBMVcVyl3Z9tRMBngGn7pXfPh3 3ILDISHeKtbGrSO/7PycIxqEJuNgaU0sckcp2NGYkMDNF6fjLdKak+nGHSA8tvML ssvGayQ2EUcfSEWUdltDR8omDcTKEAR8w86Bpu1usf0mOczh15bn9rJNb/BjLQIH Wx2EyVeuDVrOftmdK4IzqchfrEsvKmJOKA8ZiyG1XY9n7n7T8iKjjeCvHwOQM6o= =Arrv -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ