Date: Thu, 31 Aug 2017 15:04:09 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: nicolas.gregoire@...rri.fr
Subject: Re: CVE request: incorrect URL parsing in async-http-client <= 2.0.35

Hi Nicolas,

On Thu, Aug 31, 2017 at 02:06:34PM +0200, Nicolas Grégoire wrote:
> Hello,
> 
> a flaw was identified in the URL parsing code of async-http-client, a
> Java HTTP client used in other projects like the Play Framework
> (through its WS library):
> https://www.playframework.com/documentation/2.6.x/JavaWS
> 
> The bug is similar to CVE-2016-8624 affecting cURL (incorrect
> processing of string "#@" in the hostname):
> https://curl.haxx.se/docs/adv_20161102J.html
> 
> Version 2.0.35 of async-http-client includes a fix and is available
> through Maven since Monday. Relevant GitHub issue:
> https://github.com/AsyncHttpClient/async-http-client/issues/1455

CVEs cannot be requested anymore via the oss-security list.  Could you
please request the CVE via the form at https://cveform.mitre.org/ and
possibly keep us posted with a followup to this thread once the CVE
has been assigned?

Regards,
Salvatore
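The quoted report says the async-http-client bug resembles CVE-2016-8624 in cURL, where the string "#@" in the host part was mishandled. The following Python script is an added illustration of that flaw class and is not code from this thread, from async-http-client or from cURL. It assumes a hypothetical lenient parser (`naive_host`) that cuts the authority at the first '/' and never at '#'; the comparison against the standard library's RFC 3986-style parse (`strict_host`) gives a defender a cheap way to flag URLs that two parsers would route to different hosts. The sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the advisory or the bug report).
# The second and third contain the "#@" sequence the quoted mail refers to.
SAMPLE_URLS = [
    "http://example.com/path?q=1",
    "http://example.com#@evil.example/",
    "http://user:pw@example.com#@evil.example/",
]


def naive_host(url: str) -> str:
    """Hypothetical over-simplified authority parser that illustrates the
    flaw class: it cuts the authority at the first '/' and takes everything
    after the LAST '@' as the host, but never treats '#' as the end of the
    authority. Illustration only, not async-http-client's code."""
    after_scheme = url.split("://", 1)[1]
    authority = after_scheme.split("/", 1)[0]      # '#' is not considered
    hostport = authority.rsplit("@", 1)[-1]        # userinfo@host -> host
    return hostport.split(":", 1)[0].lower()


def strict_host(url: str) -> str:
    """RFC 3986-style host: the authority ends at the first '/', '?' or '#',
    so a '#' can never move the host. Uses the standard library parser."""
    host = urlsplit(url).hostname
    return host or ""


def host_mismatch(url: str) -> bool:
    """True when the lenient parse names a different host than the
    RFC-conformant parse. Such URLs are ambiguous and are better refused
    by an allowlist or egress check than handed to an HTTP client."""
    return naive_host(url) != strict_host(url)


def filter_ambiguous(urls):
    """Split URLs into (accepted, rejected) using the mismatch check."""
    accepted, rejected = [], []
    for u in urls:
        (rejected if host_mismatch(u) else accepted).append(u)
    return accepted, rejected


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u}\n  naive={naive_host(u)!r} strict={strict_host(u)!r} "
              f"mismatch={host_mismatch(u)}")
```

Running the script shows that only the first sample URL parses to the same host under both interpretations; for the other two, the lenient parser reports `evil.example` while the standard parser correctly reports `example.com`, which is exactly the disagreement an application should refuse to act on. The same comparison can be reused as a regression test for any URL parser in your own stack, not just the Java one discussed in the thread.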
