Date: Mon, 02 Mar 2015 00:08:12 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, jvn@....jp,
        Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: CVE-2015-0881

So for those of us vendors, etc., that need to backport security fixes
and/or confirm our software is fixed, how are we supposed to do this?

How long will the patch/attack information be embargoed for?

Also, why has this been covered up for over 5 years and is now still a
secret? I'm very confused and I have some grave concerns about how
JVN/upstream is handling this.

On 28/02/15 09:16 PM, Amos Jeffries wrote:
> On 24/02/2015 4:34 a.m., Kurt Seifried wrote:
>> Regarding CVE-2015-0881
> 
>> http://jvn.jp/en/jp/JVN64455813/index.html 
>> http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000019.html
> 
> 
> JPCERT has now provided me a copy of the attack. They have requested I
> not reveal the details, so I am treating that and the patch details as
> embargoed for the time being.
> 
> Without revealing too much (I hope) I can confirm:
> 
> * It is a known vulnerability
>  - to upstream that is, but no CVE assigned.
> 
> * The initial report of this issue to upstream occurred during 2009.
> 
> * Squid 1.x, 2.x, and 3.0 releases are all vulnerable.
> 
> * All Squid-3.1 stable releases are not vulnerable.
>  - e.g., you can bump the fixed version number back to 3.1.1 for most OS
> distributions.
> 
> 
> For the record: there is now FALSE information floating around in some
> CVE-2015-0881 "copies" about it being about CRLF issues. The Cisco
> report came to my attention first, but they are not alone.
> 
> To all those people cut-n-pasting blurb text from CWE-113 in place of
> the JPCERT description: please don't do that. There are multiple "HTTP
> response splitting" attack vectors which have nothing to do with the
> (current) CWE-113 description. This is one of those cases.
> 
> HTH
> 
> Amos Jeffries
> Squid Software Foundation
> 
> 

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993