Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 28 Nov 2012 13:45:26 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Moritz Muehlenhoff <jmm@...ian.org>
Subject: Re: CVE request: Curl insecure usage

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/26/2012 11:42 AM, Kurt Seifried wrote:
> On 11/26/2012 08:06 AM, Moritz Muehlenhoff wrote:
>> Hi, during the triage of the SSL client bugs spotted by the 
>> http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf paper Debian 
>> developer Alessandro Ghedini discovered two more applications
>> using Curl in an insecure manner:
> 
>> 1. opendnssec (in the eppclient tool) 
>> http://lists.opendnssec.org/pipermail/opendnssec-user/2012-November/002296.html

Please
>> 
use CVE-2012-5582 for opendnssec: insecure usage of curl

>> 2. PHPcas (used by Moodle e.g.): 
>> https://github.com/Jasig/phpCAS/pull/58

Please use CVE-2012-5583 for phpCAS: insecure usage of curl

>> Please assign CVE IDs for these.
> 
>> Cheers, Moritz
> 
> 
> Have these been receiving individual CVE's? I can't find any
> offhand, can you provide examples of others?

Also can someone collate and post a list of all the other apps using
curl insecurely and need CVE's with appropriate links to the
upstreams/etc? Thanks.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQtnflAAoJEBYNRVNeJnmTZjEQALHwHy7eiJeTIs/CzryTWoYr
7Qc5vqpNWq+e2uvngFkZ/TcYZk5q3YMuvCpcGz/UFNAouTnxYWEScsbJ+zMtceP4
IuSAQepg4wogrAxXZdrhAUd7019yYP0u0tC6qR5wEJfFdIpJN3uhv4NGs30KT/dw
fVdh4bckYiz1ql04p5V81nyGS0MUKv3ECYmxbK1gzW3OajyQjuLJpS2WgQJ7PRYm
jgFR9BZjjQJ0GWA1jGJFCcCaYVrLZCtorktrGirO08FSvjYkhNIwglWicTv0bMpu
RjH1SYD45CODB9UxkyNXLGdIow3OefWXONj5VRWRXdAvBXZVqn8r8mnAaftUndWw
SY0n5479MuO4DuGv1uKplDhTU50AbYn5+HpmHXjgafocvQG+zCirLPV9uqaCt2ho
irAIAcXZCOeVfkwI/UdwxTTWK0v5gHqNOognzOgOsdrksgN4TLHes5CWOJRxp4GB
5R9bLwmqtb9Ond4M7K3tHdeBcSuhwn+d3p8dL44zQz5kbw30aJsxyHnFZINZuh3B
yKGjvgubjLtnZg7C0E+/iV2kBiDayx1Cq4j6TzwsQsR9G/vR24ZuBPh5UU6i2WoO
RP41W47pcwg+8+wmLVNu8Xibb5Hot2s5anXNZYZJLk9ZshjLYYWzcelgD/AQHY4z
FiLo5VCm2DuvCmBU1WNl
=CTJs
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.