Date: Fri, 4 Nov 2016 03:10:21 -0400
From: <cve-assign@...re.org>
To: <robert@...oraproject.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>, <daniel@...x.se>
Subject: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>> translated into `strasse.de` using IDNA 2003 but
>> is translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those
>> host names could very well resolve to different addresses and be two
>> completely independent servers.

> Maybe
> MITRE (or somebody else) could share their thoughts about this, too?

In some situations, this would be a site-specific problem at a registry.
Although domain names can have a variety of uses of '-' characters, the
presence of a '-' as both the third character and the fourth character is
often recognized as a special case. Trying to specify xn--strae-oqa.de
directly when seeking a registration is very different from trying to
specify (for example) x--strae-oqa.de or xn-strae-oqa.de.
Various other types of bugs (not necessarily security-relevant) have been
reported for this general concept, e.g., see:

https://framework.zend.com/issues/browse/ZF-6133

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYHDHrAAoJEHb/MwWLVhi2lDEQALqezzjWHt+/S1xi8LoS/Bnm
R+2pJxpHLUjYo4FMoQxUqZnZYyJ/NsGEIL3xwoS4Mr4r7JdhEIx6Ud6P++9Oavqd
AiwvY1F9ZL3KtjGOZ2j5DLX78vm2HYaNyP/sMQSgY+hZIiR9PaR7PcDsSJpr7egE
DXm8gnCIbvA+8TsJsRCOA2nKHjCKcQrWe16OYI7tehT4X1R7CE71u0T2aaOGZu8t
GvMfTMU93evZwocrbgkinN351CC9z4hUnF0Tn56aHkYZMQyDCKseMlWjmBAQQXCY
J/E03r2MKL823s7vG3d01cBsFBrxB/7JtvGXwPmDuTEoJfdCiRgjJoN3WzphJyFQ
xcc7FTExJE3Y6Vk9l+7G2qrvHVppjNOaphKBKIUyzsnuT67oVPIqJAr1Qg9O8UFV
ynluEUtNY7g8yVW9WFlR19paq9Kc4uHI6AIROAmGIjx/7Mi52s8CAR2Ce2QIAOXC
jRh05Y1uaTaXxMCaH3zZC3Y6JlPkXnrh9C8OuzkVI954FxMwtWWnbhSuy/D8i01D
BeY3YPcHwKtzhXS+bAhUCNl0ZWiYf879bwncCFArDk7HOnpD6Wq5I0dDajfRbMUR
ugIgJmMVAfNmkdVhstFqPQtg/WOJ4BeqAB1x/iqu5Ow0bwiZzouum597ZsakwKPJ
gSZTC7tJDeD5rTUINLaZ
=ki00
-----END PGP SIGNATURE-----
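Worked example (added here; this is not code from the advisory, from curl, or from the CVE team). It reproduces the two wire forms quoted above for the same host name and the "third and fourth character" hyphen rule from the reply, using only the Python standard library. The stdlib `idna` codec implements IDNA 2003, whose nameprep step folds U+00DF to "ss"; `to_ascii_no_mapping` is an assumed, simplified stand-in for the IDNA 2008 result for this label (no mapping, punycode only, no IDNA 2008 validation rules). `idna2003_accepts` shows the other direction: an IDNA 2003 stack refuses the IDNA 2008 A-label because it does not round-trip, so a resolver and a certificate/host check that disagree on the IDNA version will disagree on the name.

```python
"""Added example: IDNA 2003 vs. unmapped punycode for 'straße.de',
plus the registry '--' special case. Standard library only."""

ACE_PREFIX = "xn--"


def to_ascii_idna2003(hostname: str) -> str:
    """IDNA 2003 via the stdlib codec: nameprep folds ß (U+00DF) to 'ss',
    so the result is the plain ASCII name 'strasse.de' with no xn-- label."""
    return hostname.encode("idna").decode("ascii")


def to_ascii_no_mapping(hostname: str) -> str:
    """Assumed simplified IDNA 2008-style ToASCII (example only, not a full
    implementation): lowercase, no ß->ss mapping, punycode each non-ASCII
    label and prefix it with 'xn--'. ASCII labels pass through unchanged."""
    out = []
    for label in hostname.split("."):
        if label.isascii():
            out.append(label.lower())
        else:
            # str.lower() keeps ß; str.casefold() would map it to 'ss',
            # which is exactly the IDNA 2003 behaviour we want to avoid here.
            ace = label.lower().encode("punycode").decode("ascii")
            out.append(ACE_PREFIX + ace)
    return ".".join(out)


def hyphens_at_3_and_4(label: str) -> bool:
    """The special case named in the reply: a '-' as both the third and the
    fourth character of a label (0-based indexes 2 and 3). 'xn--strae-oqa'
    matches; 'x--strae-oqa' and 'xn-strae-oqa' do not."""
    return len(label) >= 4 and label[2] == "-" and label[3] == "-"


def idna2003_accepts(ace_hostname: str):
    """Decode an ACE host name with the IDNA 2003 codec. Returns the Unicode
    form, or None when the codec rejects it: its ToUnicode step re-encodes
    the decoded label with ToASCII and requires the result to equal the
    input, and ToASCII('straße') is 'strasse', not 'xn--strae-oqa'."""
    try:
        return ace_hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return None


if __name__ == "__main__":
    host = "straße.de"  # constructed sample input
    print("IDNA 2003 :", to_ascii_idna2003(host))
    print("no mapping:", to_ascii_no_mapping(host))
    for label in ("xn--strae-oqa", "x--strae-oqa", "xn-strae-oqa"):
        print(f"{label:14s} '--' at 3/4: {hyphens_at_3_and_4(label)}")
    print("IDNA 2003 decode of xn--strae-oqa.de:",
          idna2003_accepts("xn--strae-oqa.de"))
```

The practical check this suggests for a client: compute the A-label form with the same IDNA version as every other component that sees the name (resolver, TLS name verification, cookie and origin handling), and treat a disagreement between the two encodings of one input as a reason to refuse the name rather than to pick one silently.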