Date: Fri, 22 Jul 2016 22:04:26 -0400 (EDT)
From: cve-assign@...re.org
To: peter@...e-magic.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: A CGI application vulnerability for PHP, Go, Python and others - CHICKEN eggs


> This issue affects the CHICKEN egg "spiffy-cgi-handlers", which is an
> optional add-on to add CGI and FastCGI support to the Spiffy web server.
> 
> All versions before 0.5 are affected. An announcement was made to
> http://lists.gnu.org/archive/html/chicken-announce/2016-07/msg00000.html

>> a HTTP server which converts the Proxy header as a
>> HTTP_PROXY environment variable. The spiffy-cgi-handlers egg will do
>> that in the default setup.

> The spiffy-cgi-handlers code was part of the spiffy web server before
> version 5.0, so earlier versions of that egg were also affected. Strictly
> speaking, I think this deserves another CVE because it's a different
> piece of software.
> 
> Could I have a CVE for this issue?

Use CVE-2016-6286 for this code, as found either in the
spiffy-cgi-handlers egg or in the spiffy web server. (Moving a piece
of code from one software product to another doesn't generate a second
CVE ID.)


> I believe this affects the CHICKEN egg "http-client", when used in a CGI
> context when the calling server unsafely passes "Proxy" as "HTTP_PROXY".
> Could I have a CVE for this issue as well?

Use CVE-2016-6287.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
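The two CVEs above cover the two halves of one mechanism: a CGI/FastCGI gateway that exports every request header as an HTTP_* meta-variable (so a client-supplied "Proxy:" header becomes HTTP_PROXY in the script's environment), and an HTTP client running inside that script that honours HTTP_PROXY. The Python below is an added example, not code from this thread, from spiffy-cgi-handlers or from the CHICKEN http-client egg; it models both sides in a few functions (names and the sample request are constructed for the example) and shows the server-side fix (never export the Proxy header), a client-side guard (ignore the upper-case variable when REQUEST_METHOD shows the process is a CGI script) and a small audit check for an environment that already carries the bad variable.

```python
"""Added example modelling the CGI header-to-environment mapping behind
CVE-2016-6286 / CVE-2016-6287. Not code from the thread or the CHICKEN
project; function names and SAMPLE_HEADERS are constructed here."""

# Constructed sample request: ordinary headers plus a client-supplied
# "Proxy" header that a naive gateway would export as HTTP_PROXY.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "curl/7.47.0"),
    ("Proxy", "http://untrusted.example:8080"),   # constructed hostile value
    ("X-Forwarded-For", "203.0.113.7"),
]


def cgi_env_from_headers(headers, drop_proxy=True):
    """Map request headers to CGI HTTP_* meta-variables.

    RFC 3875 naming: upper-case the header name, replace '-' with '_',
    prefix with 'HTTP_'. drop_proxy=False reproduces the vulnerable
    gateway (every header is exported); drop_proxy=True is the server-side
    fix: the 'Proxy' header is never turned into HTTP_PROXY.
    """
    env = {"REQUEST_METHOD": "GET", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers:
        key = name.strip().upper().replace("-", "_")
        if drop_proxy and key == "PROXY":
            continue          # the one header that must not reach the environment
        env["HTTP_" + key] = value.strip()
    return env


def outbound_proxy(env, cgi_aware=True):
    """Return the proxy URL an HTTP client in this process would use, or None.

    Clients read http_proxy / HTTP_PROXY from the environment. Inside a CGI
    process the upper-case form may have come from a client header, so a
    cgi_aware client ignores HTTP_PROXY whenever REQUEST_METHOD is present
    (that variable exists only when a gateway invoked the script). The
    lower-case form cannot be produced by the header mapping and is kept.
    cgi_aware=False reproduces the vulnerable client behaviour.
    """
    if env.get("http_proxy"):
        return env["http_proxy"]
    if env.get("HTTP_PROXY") and (not cgi_aware or "REQUEST_METHOD" not in env):
        return env["HTTP_PROXY"]
    return None


def audit_cgi_env(env):
    """Detection helper: flag a CGI environment that carries HTTP_PROXY.

    With REQUEST_METHOD set, an HTTP_PROXY value is indistinguishable from
    an exported client 'Proxy' header, so it is reported as a finding.
    """
    findings = []
    if "REQUEST_METHOD" in env and "HTTP_PROXY" in env:
        findings.append("HTTP_PROXY present in CGI environment: " + env["HTTP_PROXY"])
    return findings


if __name__ == "__main__":
    vulnerable = cgi_env_from_headers(SAMPLE_HEADERS, drop_proxy=False)
    fixed = cgi_env_from_headers(SAMPLE_HEADERS)
    print("vulnerable gateway + naive client     ->", outbound_proxy(vulnerable, cgi_aware=False))
    print("vulnerable gateway + cgi-aware client ->", outbound_proxy(vulnerable))
    print("fixed gateway + naive client          ->", outbound_proxy(fixed, cgi_aware=False))
    print("audit of vulnerable environment       ->", audit_cgi_env(vulnerable))
```

Either fix alone closes the hole for the combination it controls, which is why the thread treats the gateway egg and the client egg as separate issues: a patched gateway protects any client it spawns, and a CGI-aware client protects itself behind any gateway.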
