oss-sec mailing list archives
Re: CVE Request: SquidClamav insufficient escaping flaws
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Fri, 24 Aug 2012 20:59:04 -0400 (EDT)
On Thu, 16 Aug 2012, Sean Amoss wrote:
The upstream notification [1] shows SquidClamav 5.8 and 6.7 fixes a URL escaping issue which could lead to a daemon crash [2]. SquidClamav 5.8 also fixes escaping issues in CGI scripts [3].

References:
[1] http://squidclamav.darold.net/news.html
[2] https://github.com/darold/squidclamav/commit/80f74451f628264d1d9a1f1c0bbcebc932ba5e00
[3] https://github.com/darold/squidclamav/commit/5806d10a31183a0b0d18eccc3a3e04e536e2315b
[4] https://bugs.gentoo.org/show_bug.cgi?id=428778

It appears that [3] is an XSS issue, so this needs a separate CVE because it's a different type of encoding problem than [2].
Use CVE-2012-4667 for the XSS.

- Steve