Date: Sun, 01 Mar 2015 17:16:38 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2015-0881

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 24/02/2015 4:34 a.m., Kurt Seifried wrote:
> Regarding CVE-2015-0881
>
> http://jvn.jp/en/jp/JVN64455813/index.html
> http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000019.html
>

JPCERT has now provided me a copy of the attack. They have requested I
not reveal the details, so I am treating that and the patch details as
embargoed for the time being.

Without revealing too much (I hope) I can confirm:

* It is a known vulnerability - to upstream that is, but no CVE assigned.
* The initial report of this issue to upstream occurred during 2009.
* Squid 1.x, 2.x, and 3.0 releases are all vulnerable.
* All Squid-3.1 stable releases are not vulnerable.
  - e.g., you can bump the fixed version number back to 3.1.1 for most
    OS distributions.

For the record: there is now FALSE information floating around in some
CVE-2015-0881 "copies" about it being about CRLF issues. The Cisco
report came to my attention first, but they are not alone.

To all those people cut-n-pasting blurb text from CWE-113 in place of
the JPCERT description: please don't do that. There are multiple "HTTP
response splitting" attack vectors which have nothing to do with the
(current) CWE-113 description. This is one of those cases.

HTH
Amos Jeffries
Squid Software Foundation

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJU8pKmAAoJEGvSOzfXE+nLB1wQAIXeG2dUuCKIZL/Pj+992OjM
wHyJrewmS1LYpHnbr/HdzG3vP65HlAl81jdBZEq+vD1Ma9s7gftewQB/sVhYE8Hy
2XKIO6is3vJrE16MZtm8BWo3hgYAbm5E3Ks2ejkVbbPFO1reMHsyzHxV10UBW+Zm
MwawiWrAb3ZI7pKMOjHhGtZCBgLd3ZaiBqgLKJisC3F0FPKSHlmptNhBnwkCsHb6
ndBTjAfareCbGOpwwNe4mLqhUcvQeqz2f/94aB1COR9xz/iqaZlgXsz5TOjqthYi
9Xck2AKKsQKPjQs32/eTsmCQSwAIhTYcoHa6qhpbldORKo985Od2G2BJrIQe1i/S
SCKAClec/I+ICFiQc24nWl2NA9qQ7GOB+JU5B9N1DvcH8RVWVvyIsh2Z/hJmMMrO
aPWGUI/eu/Q6WxbEqT0g9R3g+2bFQtTEiLWeJ5PcO/zI0LpRV0nX+Clc9GQMj/uk
8glwig4jYXPpiqrWB9JmN/LUy1IqfP/ioIAqLuB/FmX5LMyTd5WkoPcs056kGE+1
hWOqKAwSFf49zl/Y+GN+OPz56Iyy27LA7A74R35URR1D2gBg/xh2+ojLYqfcJm0S
gZBBd5IJkmb3uF2rHOIgCMLIfehAvR+wPdjK/qNVGiaXPnIFmE0NPd5mKeXVJtSA
redKcbc20FKHz3skctD/
=P1gX
-----END PGP SIGNATURE-----