oss-security - Re: pure-ftpd STARTTLS command injection / new CVE?

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <20110411171917.GL714@dojo.mi.org>
Date: Mon, 11 Apr 2011 13:19:17 -0400
From: "Mike O'Connor" <mjo@...o.mi.org>
To: oss-security@...ts.openwall.com
Subject: Re: pure-ftpd STARTTLS command injection / new CVE?

:http://www.pureftpd.org/project/pure-ftpd/news
:
:states that pure-ftpd is affected by the same STARTTLS
:injection bug as postifx's CVE-2011-0411.
:
:Is this CVE postfix-specific or can it be used for
:pure-ftpd as well? If needed, can someone assign a new CVE?

It should get its own CVE assignment.  Other products with the
same STARTTLS issue have gotten unique CVE assignments for them
-- see CVE-2011-143[012].

-- 
 Michael J. O'Connor                                          mjo@...o.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"You can't destroy everything.  Where would you sit?"               -The Tick

Content of type "application/pgp-signature" skipped

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.