Date: Wed, 1 Dec 2010 10:55:33 -0800
From: Reed Loden <reed@...dloden.com>
To: Mark Stosberg <mark@...mersault.com>
Cc: oss-security <oss-security@...ts.openwall.com>, Jan Lieskovsky
 <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>,
 Marcela Maslanova <mmaslano@...hat.com>, Petr Pisar <ppisar@...hat.com>,
 Chris 'BinGOs' Williams <chris@...gosnet.co.uk>, Masahiro Yamada
 <masa141421356@...il.com>, Byron Jones <glob@...b.com.au>, Lincoln Stein
 <lincoln.stein@...il.com>
Subject: Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id
 (CVE-2010-3172 already assigned for Bugzilla part)

On Wed, 01 Dec 2010 13:39:14 -0500
Mark Stosberg <mark@...mersault.com> wrote:

> >     2. Further improvements to handling of newlines embedded in header values.
> >        An exception is thrown if header values contain invalid newlines.
> >        Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
> >        Lincoln Stein, Frederic Buclin and Mark Stosberg
> > 
> >        Chris, Mark, could you please provide more details about the issue? Is it
> >        related to CVE-2010-3172?
> 
> Yes, it is. However, later testing found that the issue wasn't
> completely fixed in 3.50. A new patch has been developed, and is
> currently pending review and acceptance by the primary CGI.pm author,
> Lincoln Stein. (Now CC'ed).
> 
> >        Steve, could you please allocate CVE id for this? (id #2)

Mozilla already allocated CVE-2010-2761 to this part for the perl-CGI
issue.

~reed
Mozilla Security Group

-- 
Reed Loden
reed@...dloden.com
