Date: Tue, 7 Jul 2015 13:53:21 +0200
From: Stefan Castille <>
To: <>
Subject: CVE Request for sogO Open Source Groupware (


I would like to request a CVE for a DoS in sogo. While it does not crash
the system, it does make it very easy to conduct a DoS against the

Software: sogo
Vendor: Inverse
Previously requested: No
Type: DoS
Description: Due to incorrect handling of certain PROPFIND requests, the
site is vulnerable to a DoS.

Host: <hostname>
Connection: keep-alive
Content-Length: 0


will return almost immediately

Host: myhost
Connection: keep-alive

without the Content-Length will keep the child process occupied until it
times out. Default value one minute. With only <#processes> requests per
<timeout> the application can be rendered inaccessible.

No authentication/valid account is required. The bug has been reported
at as a private bug report, but labelled won't fix as it
is 'how servers work' and that tuning the timeout will help. I disagree
and would like to get a CVE for it.

with kind regards,
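
The body-framing rule of RFC 7230 section 3.3.3 applied to the two requests described above, as an added example that is not part of the original message and not SOGo's code: a request with neither Content-Length nor Transfer-Encoding has a zero-length body, so a server or front-end proxy has nothing to wait for. The request target `/placeholder` and all function names are assumptions; the sample requests are constructed.

```python
import re

# Constructed sample requests; the target "/placeholder" is an assumption,
# the page does not show the request line.
WITH_LENGTH = (b"PROPFIND /placeholder HTTP/1.1\r\nHost: myhost\r\n"
               b"Connection: keep-alive\r\nContent-Length: 0\r\n\r\n")
WITHOUT_LENGTH = (b"PROPFIND /placeholder HTTP/1.1\r\nHost: myhost\r\n"
                  b"Connection: keep-alive\r\n\r\n")
CONFLICTING = (b"PROPFIND /placeholder HTTP/1.1\r\nHost: myhost\r\n"
               b"Content-Length: 0\r\nContent-Length: 7\r\n\r\n")


def parse_head(raw):
    """Split a raw request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def expected_body(headers):
    """Return ("chunked", None), ("length", n) or ("reject", reason)."""
    te = ",".join(headers.get("transfer-encoding", [])).lower()
    if te:
        # Transfer-Encoding overrides Content-Length; chunked must come last.
        codings = [c.strip() for c in te.split(",") if c.strip()]
        if not codings or codings[-1] != "chunked":
            return ("reject", "final transfer coding is not chunked")
        return ("chunked", None)
    lengths = {v.strip() for item in headers.get("content-length", [])
               for v in item.split(",")}
    if lengths:
        if len(lengths) != 1 or not re.fullmatch(r"[0-9]+", min(lengths)):
            return ("reject", "invalid or conflicting Content-Length")
        return ("length", int(min(lengths)))
    # Neither header present: no body follows, so do not block reading one.
    return ("length", 0)


def frame(raw):
    """Framing decision for one raw request head."""
    return expected_body(parse_head(raw)[2])


if __name__ == "__main__":
    for name in ("WITH_LENGTH", "WITHOUT_LENGTH", "CONFLICTING"):
        print(name, frame(globals()[name]))
```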
