Date: Wed, 1 Dec 2010 10:55:33 -0800
From: Reed Loden <reed@...dloden.com>
To: Mark Stosberg <mark@...mersault.com>
Cc: oss-security <oss-security@...ts.openwall.com>,
 Jan Lieskovsky <jlieskov@...hat.com>,
 "Steven M. Christey" <coley@...us.mitre.org>,
 Marcela Maslanova <mmaslano@...hat.com>,
 Petr Pisar <ppisar@...hat.com>,
 Chris 'BinGOs' Williams <chris@...gosnet.co.uk>,
 Masahiro Yamada <masa141421356@...il.com>,
 Byron Jones <glob@...b.com.au>,
 Lincoln Stein <lincoln.stein@...il.com>
Subject: Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)

On Wed, 01 Dec 2010 13:39:14 -0500
Mark Stosberg <mark@...mersault.com> wrote:

> > 2. Further improvements to handling of newlines embedded in header
> > values.
> > An exception is thrown if header values contain invalid newlines.
> > Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
> > Lincoln Stein, Frederic Buclin and Mark Stosberg
> >
> > Chris, Mark, could you please provide more details about the
> > issue? Is it
> > related to CVE-2010-3172?
>
> Yes, it is. However, later testing found that the issue wasn't
> completely fixed in 3.50. A new patch has been developed, and is
> currently pending review and acceptance by the primary CGI.pm author,
> Lincoln Stein. (Now CC'ed).
>
> > Steve, could you please allocate CVE id for this? (id #2)

Mozilla already allocated CVE-2010-2761 to this part for the perl-CGI
issue.

~reed
Mozilla Security Group

--
Reed Loden
reed@...dloden.com