Date: Tue, 16 Sep 2014 02:56:30 -0400 (EDT) From: cve-assign@...re.org To: krahmer@...e.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE-Request: squid pinger remote DoS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I made a fix for squid 3.4.6 and request a CVE > https://bugzilla.novell.com/show_bug.cgi?id=891268 Regardless of the "what happens to squid itself" answer, is it known that the crash has a security impact? This message seemed to conclude with an implied request for more information, e.g., "it looks like you can," etc. An example of a security impact would be: the administrator wanted pinger to be running, and a crash means that pinger processes/threads are no longer available, and pinger is not automatically restarted. If there is a security impact, then the patch in Novell Bug 891268 would probably correspond to at least three CVE IDs, e.g., 1. "used to index into a string array" possibly corresponds to http://cwe.mitre.org/data/definitions/129.html for the modified default case after case 136, and approximately two other places in the patch 2. added "if (n <= 0)" code possibly corresponds to http://cwe.mitre.org/data/definitions/389.html 3. added "if (preply.psize) < 0" code apparently corresponds to a more general issue with missing data validation - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUF95xAAoJEKllVAevmvmsMiMIAIM7LbYrQTVH8bgbKj34D0WI fHruTwHwpIXfs2YvmuSJLnvmMdtRyIe0Y5Nx6CLC9oL5mlaKCtiyGN3Y5tom37LS /ro/Q5nv10VzWf2B67s1gaOKHhVr36bzCUaRWjj2ispiANxIdYGoEhmdABN2atE+ 0IzkAXTsoPtfYBc3VHeLdLVnsrI0yV3c2btoaG0ABN39+5QGTCAct2m9rq19/HJ5 LMXjfIkjpwlzhhy0MCBevn6dFIn9iDFBsmeKXEnib284Re9TQ7kpM8lv1p0zvcFI c+AYJn4WEV2FE7i4rNY/08ykxSZ+jrNV/mZnTLNLqFfRsVIPIc3RbdN6LYTFofs= =mktA -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ