Date: Fri, 4 Nov 2016 03:10:21 -0400
From: <cve-assign@...re.org>
To: <robert@...oraproject.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>,
	<daniel@...x.se>
Subject: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host


>> translated into `strasse.de` using IDNA 2003 but
>> is translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those
>> host names could very well resolve to different addresses and be two
>> completely independent servers.

> Maybe
> MITRE (or somebody else) could share their thoughts about this, too?

In some situations, this would be a site-specific problem at a
registry. Although domain names can have a variety of uses of '-'
characters, the presence of a '-' as both the third character and the
fourth character is often recognized as a special case. Trying to
specify xn--strae-oqa.de directly when seeking a registration is very
different from trying to specify (for example) x--strae-oqa.de or
xn-strae-oqa.de.

Various other types of bugs (not necessarily security-relevant) have
been reported for this general concept, e.g., see:

  https://framework.zend.com/issues/browse/ZF-6133

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
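The divergence the advisory describes, and the "third and fourth character" shape check the reply mentions, can be reproduced without network access. The following is an added example, not part of the advisory or of MITRE's reply: it uses Python's built-in `idna` codec (which implements IDNA 2003 with nameprep mapping) beside an intentionally simplified IDNA 2008 style conversion written here for illustration (assumption: it applies NFC and Punycode only and omits the RFC 5891 validity checks). The hostnames in `SAMPLE_HOSTS` are constructed.

```python
import unicodedata


def idna2003_ascii(host: str) -> str:
    """ToASCII as done by Python's built-in "idna" codec (IDNA 2003).

    Nameprep (RFC 3491) maps characters before Punycode, so U+00DF (ß)
    becomes "ss"; the label is then plain ASCII and gets no "xn--" prefix.
    """
    return host.encode("idna").decode("ascii")


def idna2008_ascii(host: str) -> str:
    """Simplified IDNA 2008 style ToASCII (assumption: illustration only).

    IDNA 2008 (RFC 5891) has no mapping step, so ß is kept as a code point
    and the label is Punycode-encoded with the "xn--" ACE prefix. The full
    protocol's validity rules (disallowed/contextual code points, label
    length limits) are deliberately left out of this toy conversion.
    """
    out = []
    for label in host.split("."):
        label = unicodedata.normalize("NFC", label)
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def looks_like_ace_label(label: str) -> bool:
    """Registry-side shape check described in the reply: a hyphen as both
    the third and fourth character marks an ACE label ("xn--..."), while
    "x--..." or "xn-..." are ordinary labels."""
    return len(label) >= 4 and label[2] == "-" and label[3] == "-"


def encodings_diverge(host: str) -> bool:
    """True when IDNA 2003 and IDNA 2008 style conversion of the same
    Unicode host name yield different ASCII host names, i.e. when a client
    and a registry disagreeing on the IDNA version would contact different
    servers."""
    return idna2003_ascii(host) != idna2008_ascii(host)


def report(host: str) -> dict:
    """Summarise both conversions and the ACE-shape check for one host."""
    a2003 = idna2003_ascii(host)
    a2008 = idna2008_ascii(host)
    return {
        "input": host,
        "idna2003": a2003,
        "idna2008": a2008,
        "diverge": a2003 != a2008,
        "ace_labels_2008": [
            lab for lab in a2008.split(".") if looks_like_ace_label(lab)
        ],
    }


# Constructed sample host names for the demonstration.
SAMPLE_HOSTS = [
    "straße.de",        # ß: mapped to "ss" by 2003, kept by 2008 (diverges)
    "münchen.de",       # ü: both versions agree on the ACE form
    "example.com",      # plain ASCII, untouched by either version
    "x--strae-oqa.de",  # not an ACE label: only one leading character
    "xn-strae-oqa.de",  # not an ACE label: single hyphen after "xn"
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = report(h)
        flag = "DIVERGES" if r["diverge"] else "same"
        print(f"{r['input']:<18} 2003={r['idna2003']:<18} "
              f"2008={r['idna2008']:<18} {flag} ace={r['ace_labels_2008']}")
```

Running it shows `straße.de` resolving to `strasse.de` under IDNA 2003 but `xn--strae-oqa.de` under the 2008 style path, while `münchen.de` yields `xn--mnchen-3ya.de` in both; a client that accepts user-supplied host names can use the `encodings_diverge` check to flag names whose target depends on which IDNA version the other side implements.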
