Message-ID: <20181212163640.GA22617@eldamar.local>
Date: Wed, 12 Dec 2018 17:36:40 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: Salva Peiró <speirofr@...il.com>
Cc: oss-security@...ts.openwall.com, security@...ian.org
Subject: Re: CVE Request: mini-httpd (<= v1.30) is affected by a response discrepancy information exposure (CWE-204)

Hi,

On Wed, Dec 12, 2018 at 04:27:02PM +0100, Salva Peiró wrote:
> Hi everyone,
>
> The mini-httpd daemon (version <= v1.30) shipped in Debian/Ubuntu from [1]
> is affected by a response discrepancy information exposure (CWE-204) that
> enables an attacker to remotely enumerate valid htpasswd usernames (RFC
> 7617).
>
> A more detailed advisory can be found at:
> https://speirofr.appspot.com/files/advisory/SPADV-2018-01.md
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916190
>
> Is there a CVE for this? If not, could one be assigned, please?

Can you request a CVE directly via https://cveform.mitre.org/ ?

Regards,
Salvatore