Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 02 Mar 2015 00:08:12 -0700
From: Kurt Seifried <>
        Assign a CVE Identifier <>
Subject: Re: CVE-2015-0881

So for those of us vendors/etc that need to backport security fixes
and/or confirm our software is fixed how are we supposed to do this?

How long will the patch/attack information be embargoed for?

Also why has this been covered up for over 5 years and is now still a
secret? I'm very confused and I have some grave concerns about how
JVN/upstream is handling this.

On 28/02/15 09:16 PM, Amos Jeffries wrote:
> On 24/02/2015 4:34 a.m., Kurt Seifried wrote:
>> Regarding CVE-2015-0881
> JPCERT has now provided me a copy of the attack. They have requested I
> not reveal the details, so I am treating that and the patch details as
> embargoed for the time being.
> Without revealing too much (I hope) I can confirm:
> * It is a known vulnerability
>  - to upstream that is, but no CVE assigned.
> * The initial report of this issue to upstream occured during 2009.
> * Squid 1.x, 2.x, and 3.0 releases are all vulnerable.
> * All Squid-3.1 stable releases are not vunerable.
>  - eg, you can bump the fixed version number back to 3.1.1 for most OS
> distributions.
> For the record; there is now FALSE information floating around in some
> CVE-2015-0881 "copies" about it being about CRLF issues. The Cisco
> report came to my attention first, but they are not alone.
> To all those people cut-n-pasting blurb text from CWE-113 in place of
> the JPCERT description: please dont do that. There are multiple "HTTP
> response splitting" attack vectors which have nothing to do with the
> (current) CWE-113 description. This is one of those cases.
> Amos Jeffries
> Squid Software Foundation

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ