Date: Wed, 19 Nov 2008 11:07:45 -0800
From: Kees Cook <kees@...ntu.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...re.org>
Subject: CVE request: CUPS DoS via RSS subscriptions

Hello!

I'd like to get a CVE assigned for the RSS subscription DoS mentioned
here[1].  It seems that CUPS upstream already fixed[2] the issue[3] in
their 1.3.8 release.  Prior to 1.3.8, the server can be made to crash
when visiting a malicious website due to CUPS general CSRF issues.

Thanks,

-Kees

[1] https://bugs.launchpad.net/ubuntu/+source/cups/+bug/298241
    http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/
[2] http://www.cups.org/strfiles/2774/str2774.patch
[3] http://www.cups.org/str.php?L2774

-- 
Kees Cook
Ubuntu Security Team
