Date: Mon, 8 Jun 2015 17:34:55 -0400 (EDT) From: cve-assign@...re.org To: mcatanzaro@...lia.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: WebKitGTK+ performs DNS prefetch when a proxy is configured -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > https://bugs.webkit.org/show_bug.cgi?id=145542 > Complaint: "Apparently it seems that even when configured to use Tor > as proxy, epiphany is so "smart" to send DNS queries directly to the > wire, thus making any effort of Tor useless." > Note: This is not really exploitable per se and it's public in three > downstream bugtrackers, so no point in trying to hide this -> public > intentionally. > All reviewed patches have been landed. We're not sure that this can be considered a vulnerability fix; it seems more like a feature addition. The platformProxyIsEnabledInSystemPreferences "return false" code seems to mean that the the product's development status was that ascertaining a proxy setting was an unimplemented capability, and therefore any proxy-specific DNS behavior was an unimplemented feature. Admittedly, never making direct DNS queries during proxy use may be the new preferred behavior in this product. However, sometimes people want to make direct DNS queries during proxy use. For example, suppose that a company requires all outbound HTTP requests to go through a proxy server at the company's headquarters office. However, branch offices can make outbound DNS queries from their own networks, possibly in other countries. Some DNS servers respond with different A records based on an estimate of the geographical location of the DNS client (or did historically). These different A records may ultimately be useful in obtaining HTTP responses that are more geographically appropriate for a branch office. Some web pages possibly related to how DNS should work with a proxy: https://www.chromium.org/developers/design-documents/network-stack/socks-proxy https://bugzilla.mozilla.org/show_bug.cgi?id=134105 https://trac.torproject.org/projects/tor/ticket/5741 There could be a CVE ID if a product were specifically trying to detect a proxy setting (in order to avoid direct DNS in that case) but failing because of a coding error. There typically can't be a CVE ID for addition of new code to satisfy a requested behavior change. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVdgk1AAoJEKllVAevmvmsaCcH/0fjW1seLtzPcRTOXVSWOsUO rzlRBh+ci0g+GTdQTHsCmEQAIbvs0s582TblHh6ks4deNR5rNGDR81W63leQxSi0 PBNclQMnHbJCTN5AjJy89OIxzx++lwcCnazccfWdXEZcSGtm1vA1TJptP17Cb9LQ w+2ZfzhLKVPJ90zL+LiEN/VaHo8FzFFUWfLvzJnKQFRQMiWfTByQS/J4yezWsRE+ cqEsr+5ZLxcDlpQSQFlhNG/BEKKt/byzJrkUzXz6OKGwnbwamMalv9CuCa7fcPQT /ukwm7sG1x/xucaMKVVTz7WGZ89vA1fxS/VxLyJCaxbqGBrqhvSmaKSdegLU9ic= =Mg5H -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.