Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 01 Mar 2015 17:16:38 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2015-0881

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 24/02/2015 4:34 a.m., Kurt Seifried wrote:
> Regarding CVE-2015-0881
> 
> http://jvn.jp/en/jp/JVN64455813/index.html 
> http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000019.html
> 

JPCERT has now provided me a copy of the attack. They have requested I
not reveal the details, so I am treating that and the patch details as
embargoed for the time being.

Without revealing too much (I hope) I can confirm:

* It is a known vulnerability
 - to upstream that is, but no CVE assigned.

* The initial report of this issue to upstream occured during 2009.

* Squid 1.x, 2.x, and 3.0 releases are all vulnerable.

* All Squid-3.1 stable releases are not vunerable.
 - eg, you can bump the fixed version number back to 3.1.1 for most OS
distributions.


For the record; there is now FALSE information floating around in some
CVE-2015-0881 "copies" about it being about CRLF issues. The Cisco
report came to my attention first, but they are not alone.

To all those people cut-n-pasting blurb text from CWE-113 in place of
the JPCERT description: please dont do that. There are multiple "HTTP
response splitting" attack vectors which have nothing to do with the
(current) CWE-113 description. This is one of those cases.

HTH

Amos Jeffries
Squid Software Foundation

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJU8pKmAAoJEGvSOzfXE+nLB1wQAIXeG2dUuCKIZL/Pj+992OjM
wHyJrewmS1LYpHnbr/HdzG3vP65HlAl81jdBZEq+vD1Ma9s7gftewQB/sVhYE8Hy
2XKIO6is3vJrE16MZtm8BWo3hgYAbm5E3Ks2ejkVbbPFO1reMHsyzHxV10UBW+Zm
MwawiWrAb3ZI7pKMOjHhGtZCBgLd3ZaiBqgLKJisC3F0FPKSHlmptNhBnwkCsHb6
ndBTjAfareCbGOpwwNe4mLqhUcvQeqz2f/94aB1COR9xz/iqaZlgXsz5TOjqthYi
9Xck2AKKsQKPjQs32/eTsmCQSwAIhTYcoHa6qhpbldORKo985Od2G2BJrIQe1i/S
SCKAClec/I+ICFiQc24nWl2NA9qQ7GOB+JU5B9N1DvcH8RVWVvyIsh2Z/hJmMMrO
aPWGUI/eu/Q6WxbEqT0g9R3g+2bFQtTEiLWeJ5PcO/zI0LpRV0nX+Clc9GQMj/uk
8glwig4jYXPpiqrWB9JmN/LUy1IqfP/ioIAqLuB/FmX5LMyTd5WkoPcs056kGE+1
hWOqKAwSFf49zl/Y+GN+OPz56Iyy27LA7A74R35URR1D2gBg/xh2+ojLYqfcJm0S
gZBBd5IJkmb3uF2rHOIgCMLIfehAvR+wPdjK/qNVGiaXPnIFmE0NPd5mKeXVJtSA
redKcbc20FKHz3skctD/
=P1gX
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ