Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201403121505.s2CF5kth015778@linus.mitre.org>
Date: Wed, 12 Mar 2014 11:05:46 -0400 (EDT)
From: cve-assign@...re.org
To: stbuehler@...httpd.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: lighttpd 1.4.34 SQL injection and path traversal CVE request

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I requested a CVE on distros, but Kurt wasn't sure whether one or
> multiple CVE ids should be assigned

The number of CVEs doesn't necessarily depend on the number of changes
that were required to address the reported attacks; instead, the
number of CVEs can depend on whether issues could have been fixed
independently. For example, the HTTP protocol specification doesn't
require that a server validate that the Host header has the expected
"host" or "host:port" syntax and otherwise send an error status code.
If that were required, then there would only be one CVE.

Here, the issues could have been fixed independently, e.g., SQL
injection fixed in mod_mysql_vhost.c, and then directory traversal
fixed in the mod_simple_vhost_docroot function in mod_simple_vhost.c
and the mod_evhost_parse_host function in mod_evhost.c. This could
conceivably have been chosen if someone wanted
mod_simple_vhost.c/mod_evhost.c to have access to the original string
(maybe anticipating that "Host: host/pathname" could become meaningful
for vhosts in a future HTTP protocol revision, or whatever).

So, there are two CVE assignments:

SQL injection - use CVE-2014-2323.
path traversal - use CVE-2014-2324.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTIHajAAoJEKllVAevmvmstNoH/1Dd2ejZGVReh2d9HVAM9Vun
jYHPRbLdIaZLPewt4OiMJkMWPR0XqMc3FZqucw3NUlnaGJ4iY+BxJoKn6e7Xelws
JBggVjdX+RMqPeRWNHNAyamPd80FZrOai5dil4QUG7Zv1L5nNV+jl8bUpQBw5nAj
zRM+insdgJVKtr7nR0mBKRLr84kZ1pU2A9uW2qWABl5/oScuC/pkdcOJYzTYEtUX
eSC3UPF2TIfhchrfmHKEeqi/wwQ3m3R2DyaWVAV5u9F/I5GzAVR7catxGCSN5Qd8
mml6VhYvIkpp03Y3Q3ZX18N3DELIOX/vfN5OYXxVf6Ab54rrj3I7G0xCTQ6JURM=
=TjxJ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.