Date: Mon, 02 Mar 2015 00:08:12 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com, jvn@....jp, Assign a CVE Identifier <cve-assign@...re.org> Subject: Re: CVE-2015-0881 So for those of us vendors/etc that need to backport security fixes and/or confirm our software is fixed how are we supposed to do this? How long will the patch/attack information be embargoed for? Also why has this been covered up for over 5 years and is now still a secret? I'm very confused and I have some grave concerns about how JVN/upstream is handling this. On 28/02/15 09:16 PM, Amos Jeffries wrote: > On 24/02/2015 4:34 a.m., Kurt Seifried wrote: >> Regarding CVE-2015-0881 > >> http://jvn.jp/en/jp/JVN64455813/index.html >> http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000019.html > > > JPCERT has now provided me a copy of the attack. They have requested I > not reveal the details, so I am treating that and the patch details as > embargoed for the time being. > > Without revealing too much (I hope) I can confirm: > > * It is a known vulnerability > - to upstream that is, but no CVE assigned. > > * The initial report of this issue to upstream occured during 2009. > > * Squid 1.x, 2.x, and 3.0 releases are all vulnerable. > > * All Squid-3.1 stable releases are not vunerable. > - eg, you can bump the fixed version number back to 3.1.1 for most OS > distributions. > > > For the record; there is now FALSE information floating around in some > CVE-2015-0881 "copies" about it being about CRLF issues. The Cisco > report came to my attention first, but they are not alone. > > To all those people cut-n-pasting blurb text from CWE-113 in place of > the JPCERT description: please dont do that. There are multiple "HTTP > response splitting" attack vectors which have nothing to do with the > (current) CWE-113 description. This is one of those cases. > > HTH > > Amos Jeffries > Squid Software Foundation > > -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ