|
Message-Id: <201403121505.s2CF5kth015778@linus.mitre.org> Date: Wed, 12 Mar 2014 11:05:46 -0400 (EDT) From: cve-assign@...re.org To: stbuehler@...httpd.net Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: lighttpd 1.4.34 SQL injection and path traversal CVE request -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I requested a CVE on distros, but Kurt wasn't sure whether one or > multiple CVE ids should be assigned The number of CVEs doesn't necessarily depend on the number of changes that were required to address the reported attacks; instead, the number of CVEs can depend on whether issues could have been fixed independently. For example, the HTTP protocol specification doesn't require that a server validate that the Host header has the expected "host" or "host:port" syntax and otherwise send an error status code. If that were required, then there would only be one CVE. Here, the issues could have been fixed independently, e.g., SQL injection fixed in mod_mysql_vhost.c, and then directory traversal fixed in the mod_simple_vhost_docroot function in mod_simple_vhost.c and the mod_evhost_parse_host function in mod_evhost.c. This could conceivably have been chosen if someone wanted mod_simple_vhost.c/mod_evhost.c to have access to the original string (maybe anticipating that "Host: host/pathname" could become meaningful for vhosts in a future HTTP protocol revision, or whatever). So, there are two CVE assignments: SQL injection - use CVE-2014-2323. path traversal - use CVE-2014-2324. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTIHajAAoJEKllVAevmvmstNoH/1Dd2ejZGVReh2d9HVAM9Vun jYHPRbLdIaZLPewt4OiMJkMWPR0XqMc3FZqucw3NUlnaGJ4iY+BxJoKn6e7Xelws JBggVjdX+RMqPeRWNHNAyamPd80FZrOai5dil4QUG7Zv1L5nNV+jl8bUpQBw5nAj zRM+insdgJVKtr7nR0mBKRLr84kZ1pU2A9uW2qWABl5/oScuC/pkdcOJYzTYEtUX eSC3UPF2TIfhchrfmHKEeqi/wwQ3m3R2DyaWVAV5u9F/I5GzAVR7catxGCSN5Qd8 mml6VhYvIkpp03Y3Q3ZX18N3DELIOX/vfN5OYXxVf6Ab54rrj3I7G0xCTQ6JURM= =TjxJ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.