Date: Sat, 20 Feb 2016 10:23:04 -0500 (EST)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE for nodejs hawk

> Does Mitre know about this?

Thank you for this report. The MITRE CVE team had not previously been
informed of that vulnerability. As mentioned in the
http://www.openwall.com/lists/oss-security/2016/01/12/2 post,
"CVE-PENDING" does not imply an earlier request.

> https://nodesecurity.io/advisories/77
> Regular Expression Denial of Service

> https://github.com/hueniverse/hawk/issues/168
> Long headers or uris can cause minor DoS

> https://github.com/hueniverse/hawk/commit/0833f99ba64558525995a7e21d4093da1f3e15fa
> // Limit the length of uris and headers to avoid a DoS attack on string matching

Use CVE-2016-2515.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
