Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 31 Aug 2017 15:04:09 +0200
From: Salvatore Bonaccorso <>
Subject: Re: CVE request: incorrect URL parsing in
 async-http-client <= 2.0.35

Hi Nicolas,

On Thu, Aug 31, 2017 at 02:06:34PM +0200, Nicolas Grégoire wrote:
> Hello,
> a flaw was identified in the URL parsing code of async-http-client, a
> Java HTTP client used in other projects like the Play Framework
> (through its WS library):
> The bug is similar to CVE-2016-8624 affecting cURL (incorrect
> processing of string "#@" in the hostname):
> Version 2.0.35 of async-http-client includes a fix and is available
> through Maven since Monday. Relevant GitHub issue:

CVEs cannot be requested anymore via the oss-security list.  Could you
please request the CVE via the form at and
possibly keep us posted with a followup to this thread once the CVE
has been assigned?


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ