Date: Thu, 31 Aug 2017 15:04:09 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: nicolas.gregoire@...rri.fr
Subject: Re: CVE request: incorrect URL parsing in async-http-client <= 2.0.35

Hi Nicolas,

On Thu, Aug 31, 2017 at 02:06:34PM +0200, Nicolas Grégoire wrote:
> Hello,
>
> a flaw was identified in the URL parsing code of async-http-client, a
> Java HTTP client used in other projects like the Play Framework
> (through its WS library):
> https://www.playframework.com/documentation/2.6.x/JavaWS
>
> The bug is similar to CVE-2016-8624 affecting cURL (incorrect
> processing of string "#@" in the hostname):
> https://curl.haxx.se/docs/adv_20161102J.html
>
> Version 2.0.35 of async-http-client includes a fix and is available
> through Maven since Monday. Relevant GitHub issue:
> https://github.com/AsyncHttpClient/async-http-client/issues/1455

CVEs cannot be requested anymore via the oss-security list. Could you
please request the CVE via the form at https://cveform.mitre.org/ and
possibly keep us posted with a followup to this thread once the CVE has
been assigned?

Regards,
Salvatore
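As an added illustration (not part of the thread above and not async-http-client's own code), a small Python sketch of the parsing-flaw class the quoted message compares to CVE-2016-8624: a hypothetical naive parser that strips userinfo at '@' before honouring '#' resolves a different host than an RFC 3986 parser (Python's urllib here), and a defensive pre-check flags URLs on which the two disagree. The sample URLs and hostnames are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for the demonstration (reserved example names,
# not real hosts).
NORMAL_URL = "http://user:secret@api.example/v1/items"
AMBIGUOUS_URL = "http://api.example#@other.example/v1/items"


def naive_host(url: str) -> str:
    """Hypothetical simplified parser reproducing the flaw class the thread
    refers to: it scans for '@' to strip userinfo before it has cut the
    authority at '#', so a fragment that happens to contain '@' shifts the
    host to whatever follows that '@'."""
    rest = url.split("://", 1)[1]
    if "@" in rest:                      # bug: '@' examined before '#'
        rest = rest.split("@", 1)[1]
    authority = rest.split("/", 1)[0]    # stop at the path
    return authority.split(":", 1)[0]    # drop the port (no IPv6 handling)


def rfc_host(url: str) -> str:
    """RFC 3986 behaviour as implemented by urllib: the authority ends at the
    first '/', '?' or '#', so '#' terminates the host before '@' is seen."""
    return urlsplit(url).hostname or ""


def host_is_unambiguous(url: str) -> bool:
    """Defensive pre-check before handing a URL to a client whose parser
    might be affected: accept only URLs on which both readings agree."""
    return naive_host(url) == rfc_host(url)


if __name__ == "__main__":
    for u in (NORMAL_URL, AMBIGUOUS_URL):
        print(u)
        print("  naive host:", naive_host(u))
        print("  rfc host:  ", rfc_host(u))
        print("  accepted:  ", host_is_unambiguous(u))
```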