Date: Wed, 12 Dec 2018 17:36:40 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: Salva Peiró <speirofr@...il.com>
Cc: oss-security@...ts.openwall.com, security@...ian.org
Subject: Re: CVE Request: mini-httpd (<= v1.30) is affected by a response
 discrepancy information exposure (CWE-204)

Hi,

On Wed, Dec 12, 2018 at 04:27:02PM +0100, Salva Peiró wrote:
> Hi everyone,
> 
> The mini-httpd daemon (version <= v1.30) shipped in Debian/Ubuntu from [1]
> is affected by a response discrepancy information exposure (CWE-204) that
> enables an attacker to remotely enumerate valid htpasswd usernames (RFC
> 7617).
> 
> A more detailed advisory can be found at:
> https://speirofr.appspot.com/files/advisory/SPADV-2018-01.md
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916190
> 
> Is there a CVE for this? If not, could one be assigned, please?

Can you request a CVE directly via https://cveform.mitre.org/ ?

Regards,
Salvatore
