Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <40eb0cc31307456c8bd21fa16e044f90@imshyb02.MITRE.ORG>
Date: Fri, 4 Nov 2016 03:10:21 -0400
From: <cve-assign@...re.org>
To: <robert@...oraproject.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>,
	<daniel@...x.se>
Subject: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>> translated into `strasse.de` using IDNA 2003 but
>> is translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those
>> host names could very well resolve to different addresses and be two
>> completely independent servers.

> Maybe
> MITRE (or somebody else) could share their thoughts about this, too?

In some situations, this would be a site-specific problem at a
registry. Although domain names can have a variety of uses of '-'
characters, the presence of a '-' as both the third character and the
fourth character is often recognized as a special case. Trying to
specify xn--strae-oqa.de directly when seeking a registration is very
different from trying to specify (for example) x--strae-oqa.de or
xn-strae-oqa.de.

Various other types of bugs (not necessarily security-relevant) have
been reported for this general concept, e.g., see:

  https://framework.zend.com/issues/browse/ZF-6133

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYHDHrAAoJEHb/MwWLVhi2lDEQALqezzjWHt+/S1xi8LoS/Bnm
R+2pJxpHLUjYo4FMoQxUqZnZYyJ/NsGEIL3xwoS4Mr4r7JdhEIx6Ud6P++9Oavqd
AiwvY1F9ZL3KtjGOZ2j5DLX78vm2HYaNyP/sMQSgY+hZIiR9PaR7PcDsSJpr7egE
DXm8gnCIbvA+8TsJsRCOA2nKHjCKcQrWe16OYI7tehT4X1R7CE71u0T2aaOGZu8t
GvMfTMU93evZwocrbgkinN351CC9z4hUnF0Tn56aHkYZMQyDCKseMlWjmBAQQXCY
J/E03r2MKL823s7vG3d01cBsFBrxB/7JtvGXwPmDuTEoJfdCiRgjJoN3WzphJyFQ
xcc7FTExJE3Y6Vk9l+7G2qrvHVppjNOaphKBKIUyzsnuT67oVPIqJAr1Qg9O8UFV
ynluEUtNY7g8yVW9WFlR19paq9Kc4uHI6AIROAmGIjx/7Mi52s8CAR2Ce2QIAOXC
jRh05Y1uaTaXxMCaH3zZC3Y6JlPkXnrh9C8OuzkVI954FxMwtWWnbhSuy/D8i01D
BeY3YPcHwKtzhXS+bAhUCNl0ZWiYf879bwncCFArDk7HOnpD6Wq5I0dDajfRbMUR
ugIgJmMVAfNmkdVhstFqPQtg/WOJ4BeqAB1x/iqu5Ow0bwiZzouum597ZsakwKPJ
gSZTC7tJDeD5rTUINLaZ
=ki00
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.