Date: Fri, 22 Jul 2016 22:04:26 -0400 (EDT)
From: cve-assign@...re.org
To: peter@...e-magic.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: A CGI application vulnerability for PHP, Go, Python and others - CHICKEN eggs

> This issue affects the CHICKEN egg "spiffy-cgi-handlers", which is an
> optional add-on to add CGI and FastCGI support to the Spiffy web server.
>
> All versions before 0.5 are affected. An announcement was made to
> http://lists.gnu.org/archive/html/chicken-announce/2016-07/msg00000.html

>> an HTTP server which converts the Proxy header as a
>> HTTP_PROXY environment variable. The spiffy-cgi-handlers egg will do
>> that in the default setup.

> The spiffy-cgi-handlers code was part of the spiffy web server before
> version 5.0, so earlier versions of that egg were also affected. Strictly
> speaking, I think this deserves another CVE because it's a different
> piece of software.
>
> Could I have a CVE for this issue?

Use CVE-2016-6286 for this code, as found either in the spiffy-cgi-handlers
egg or in the spiffy web server. (Moving a piece of code from one software
product to another doesn't generate a second CVE ID.)

> I believe this affects the CHICKEN egg "http-client", when used in a CGI
> context when the calling server unsafely passes "Proxy" as "HTTP_PROXY".
> Could I have a CVE for this issue as well?

Use CVE-2016-6287.
-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
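The header-to-environment conversion the thread describes, shown as an added illustration that is not part of the original message nor code from the spiffy-cgi-handlers or http-client eggs: the unsafe gateway forwards every request header as an HTTP_* meta-variable (so a client's "Proxy" header becomes HTTP_PROXY), the hardened gateway drops that header, and a client-side function ignores HTTP_PROXY when running under CGI. The sample headers, the `trust_env_in_cgi` switch and the GATEWAY_INTERFACE-based check are constructed assumptions for this example.

```python
# Constructed sample request; not taken from the original message.
SAMPLE_HEADERS = {
    "Host": "app.invalid",
    "User-Agent": "test-client/1.0",
    "Proxy": "http://proxy.invalid:8080",  # client-supplied request header
}


def header_to_meta_variable(name):
    """CGI (RFC 3875) naming: uppercase, '-' becomes '_', prefixed with HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_env_unsafe(headers):
    """The pre-0.5 behaviour described in the thread: every request header
    is forwarded, so a 'Proxy' header lands in HTTP_PROXY."""
    return {header_to_meta_variable(k): v for k, v in headers.items()}


def cgi_env_hardened(headers):
    """Server-side fix: never forward the Proxy header at all."""
    return {header_to_meta_variable(k): v for k, v in headers.items()
            if k.lower() != "proxy"}


def cgi_request_env(headers, hardened):
    """Environment a CGI script would see; GATEWAY_INTERFACE marks CGI context."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1"}
    env.update(cgi_env_hardened(headers) if hardened else cgi_env_unsafe(headers))
    return env


def outbound_proxy(env, trust_env_in_cgi=False):
    """Client-side view: the proxy a library honouring HTTP_PROXY would use.
    By default HTTP_PROXY is ignored inside a CGI script, because there the
    variable can originate from the request rather than from the operator.
    (Hypothetical mitigation written for this example, not the egg's code.)"""
    if "GATEWAY_INTERFACE" in env and not trust_env_in_cgi:
        return None
    return env.get("HTTP_PROXY")
```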