Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed,  5 Aug 2015 12:36:39 -0400 (EDT)
From: cve-assign@...re.org
To: jbuberel@...gle.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request - Go net/http library - HTTP smuggling

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
> 
> * Invalid headers are parsed as valid headers (like "Content Length:" with a
> space in the middle)

For purposes of CVE assignments, we feel that this needs to be
categorized separately from the other parts of the report. The primary
factor is that there are different sets of affected versions. This
behavior apparently was not present in all versions of Go: it was
added in February 2012. Also, it is not really an error in determining
the semantics of a set of headers; it's a security-relevant error in
interpretation of the syntax of an individual header.

Use CVE-2015-5739.


> https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
> 
> * Double Content-length headers in a request does not generate a 400 error,
> the second Content-length is ignored

Use CVE-2015-5740 for the reporter's finding of a security-relevant
RFC 7230 3.3.3 4 violation ("MUST respond with a 400 (Bad Request)
status code").


300d9a21583e7cf0149a778a0611e76ff7c6680f also has code changes that
were not mentioned in your "as provided by the reporter" section. Our
interpretation is that there were separate internal discoveries of
other security-relevant RFC 7230 violations, such as "MUST NOT send a
Content-Length header field in any message that contains a
Transfer-Encoding header field." Use CVE-2015-5741 for one or more
internal discoveries reflected in
300d9a21583e7cf0149a778a0611e76ff7c6680f.


Finally, if there is a code change in
300d9a21583e7cf0149a778a0611e76ff7c6680f that is exclusively for the
purposes of hardening (i.e., no RFC requires the change as a smuggling
security fix, and the code change is not for addressing an
individually exploitable problem), then that code change is outside
the scope of CVE.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVwjr0AAoJEKllVAevmvms4SgH/1K26OmJwLV0/D+IgSIcWq8q
ecN2DlngcNpU7W/fq9o/brN4hoMGVzh/aEPU3JIqC0JbY0OhidPe/DZmqLcndnwb
iQ4wS4r89akrzZpdOYc09oBlqyxKtto1exwFHWqqdVIbBjHdq+nQhEBwYGyjf/XK
0DyEX6f72Msa//HFhNKycOKM4KPKsi1Gh5Dl+L9nddWnPdTnTSHoIdD+RGmXDDkD
8i6WI/e5QVrGL2g24mrpefDUWX/p9T/cx9LR1hiiUUDuvns40NVz11E1i8PD2fv3
wRzEjUqyt94syYh9PNa0+ZFH7sPUyYOhnpi3/1UzRkSUSI++FfpDFrq3rOEZ4Jk=
=rNSr
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.