|
Message-ID: <50F4B68C.4030200@redhat.com> Date: Mon, 14 Jan 2013 18:53:16 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Vincent Danen <vdanen@...hat.com> Subject: Re: CVE request: 3 DoS conditions in Rake -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/14/2013 05:20 PM, Vincent Danen wrote: > Three issues were noted in recent release of upstream Rake. All > are DoS issues. > > From https://bugzilla.redhat.com/show_bug.cgi?id=895277 (2 > issues): > > Upstream released [1] Rack 1.4.2, 1.3.7, 1.2.6, and 1.1.4 to fix a > denial of service condition when Rack parses content with a > certain Content-Disposition header as noted in the original report > [2]. > > This has been fixed in git [3]. Please use CVE-2012-6109 for this issue (fixed in Rack 1.4.2 and so on) > Additionally, a second flaw that was fixed in 1.4.4, 1.3.9, 1.2.7, > and 1.1.5 was also announced [4] that creates a minor denial of > service condition, this time in the Rack::Auth::AbstractRequest, > where it symbolized arbitrary strings (apparently this has > something to do with authentication, but there is no further > information provided other than the fix [5] itself, which is noted > as "a breaking API change"). Please use CVE-2013-0184 for this issue (fixed in Rack 1.4.4 and so on) > [1] http://rack.github.com/ [2] > https://groups.google.com/forum/#!msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ > > [3] > https://github.com/rack/rack/commit/4fc44671b3cad569421f4f8b775c0590b86f575e > > [4] > https://groups.google.com/forum/#!topic/rack-devel/ImYOqcGiksw/discussion > > [5] > https://github.com/rack/rack/commit/0c76175fcccad74ba2f991c487d3669c28a297c8 ===================== > > And from https://bugzilla.redhat.com/show_bug.cgi?id=895282: > > Upstream released [1] Rack 1.4.3 and 1.3.8 to fix a denial of > service condition due to a malicious client sending excessively > long lines that trigger an out-of-memory error in Rack. > > This has been fixed in git [2]. Please use CVE-2013-0183 for this issue (fixed in Rack 1.4.3 and so on) > [1] > https://groups.google.com/forum/#!topic/rack-devel/-MWPHDeGWtI/discussion > > [2] > https://github.com/rack/rack/commit/f95113402b7239f225282806673e1b6424522b18 Please > use CVE-2012-6109 for this issue (fixed in Rack 1.4.2, released in 2012 so 2012 CVE) > > > > Could three CVEs be assigned for these issues please? Thanks. > - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQ9LaMAAoJEBYNRVNeJnmTmV0P/ihQNH1ta7ju4e5QvkhV2AQT k+AlM+tyrS8lIFQ5ywrydnKUPemm/LSh3mFyMnqG2JxYR4B9aooC86VBoR8il/wF a3UJv4nlmqOCXY4v+px7YoCcsIUK5saf5NGTsdCG3oej+d2xgpiVdVvZoD9dx9Ih RN42/KhPJzGE+s/Mi5DTz2IVVG/s1Egu7UlEM8ySwWyHCLQhIITccidR54dwbla5 ATOAx23WDeVTG35vvgMPXVZUgzHl6fg2n027ZTQrLABuYZ7dDKM5aspI1f2lLPoc bli6bIveH2XPoMME+E39gYcWktF5E+Mocoks1QlAzULJOZiABZKj5lnVE41mbFOm 2oUljrZ0b2LWwXMAnfCW6xzWDUFmFiUe/Yu8AS/6X4uPSJ9Wrkq6arOjzm6sEEP+ 7efhPvPnY/zPDzOJAAG+ggGvBxKd1iWWzimg1pMwrXyEuEwWSnxlfTguWGRqC1f0 CBFsLqdMUgY4+DxyJYhZCfnhYzUjve1fPBLm/U6ADDxvWliNVFyyW8QXAHNYOUG4 /3NIKWYhMt/9clV7DtdV38w5/sp+uHdooPAKhpv2ZZ7n/M1mEBlfjHoG0+OPfYVh jJcxfaF08gM67XaT6poyRzsna7kTZbCmUotMFuPKfHxq/ikuKEF53NEG0ahFa4Kh tucpKur4ikJaT5hMixng =n42W -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.