Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201401201605.s0KG5iI2015317@linus.mitre.org>
Date: Mon, 20 Jan 2014 11:05:44 -0500 (EST)
From: cve-assign@...re.org
To: pinkbyte@...too.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Cantata vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://code.google.com/p/cantata/issues/detail?id=356

Use CVE-2013-7300 for the lack of restrictions on the set of files
available through the web server, i.e., an absolute path traversal
vulnerability.

Use CVE-2013-7301 for the default configuration in which the external
network interface is used with no access control for reading queued
music files.

These could have been fixed independently. For example, fixing only
CVE-2013-7300 means that a remote attacker could read "private" song
data (but that might be irrelevant in some situations on a network
within a home). Fixing only CVE-2013-7301 means that local users could
read arbitrary files (but that might be irrelevant on a single-user
system).

The other issues mentioned in id=356 are probably best considered
suggestions for security improvement (e.g., availability of an HTTP
service in fewer circumstances, defaulting to the lo interface, better
access control, additional build options, etc.).

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS3UglAAoJEKllVAevmvmslR4IALRpqiR6R6K8mUuqeEDhnzKV
TY4cY6E5sRbpM4jCLKKSlTX6eLFuOEP0yXJfnyAr5opGTslmecfCTVuvTxa9u7E5
KHviH9Qlinzt31BnxNvXJPntIRHr87YVPYPvHNeBMVcVyl3Z9tRMBngGn7pXfPh3
3ILDISHeKtbGrSO/7PycIxqEJuNgaU0sckcp2NGYkMDNF6fjLdKak+nGHSA8tvML
ssvGayQ2EUcfSEWUdltDR8omDcTKEAR8w86Bpu1usf0mOczh15bn9rJNb/BjLQIH
Wx2EyVeuDVrOftmdK4IzqchfrEsvKmJOKA8ZiyG1XY9n7n7T8iKjjeCvHwOQM6o=
=Arrv
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.