oss-sec mailing list archives
Re: CVE-2015-0881
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 02 Mar 2015 00:08:12 -0700
So for those of us vendors/etc that need to backport security fixes and/or confirm our software is fixed how are we supposed to do this? How long will the patch/attack information be embargoed for? Also why has this been covered up for over 5 years and is now still a secret? I'm very confused and I have some grave concerns about how JVN/upstream is handling this. On 28/02/15 09:16 PM, Amos Jeffries wrote:
On 24/02/2015 4:34 a.m., Kurt Seifried wrote:Regarding CVE-2015-0881http://jvn.jp/en/jp/JVN64455813/index.html http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000019.htmlJPCERT has now provided me a copy of the attack. They have requested I not reveal the details, so I am treating that and the patch details as embargoed for the time being. Without revealing too much (I hope) I can confirm: * It is a known vulnerability - to upstream that is, but no CVE assigned. * The initial report of this issue to upstream occured during 2009. * Squid 1.x, 2.x, and 3.0 releases are all vulnerable. * All Squid-3.1 stable releases are not vunerable. - eg, you can bump the fixed version number back to 3.1.1 for most OS distributions. For the record; there is now FALSE information floating around in some CVE-2015-0881 "copies" about it being about CRLF issues. The Cisco report came to my attention first, but they are not alone. To all those people cut-n-pasting blurb text from CWE-113 in place of the JPCERT description: please dont do that. There are multiple "HTTP response splitting" attack vectors which have nothing to do with the (current) CWE-113 description. This is one of those cases. HTH Amos Jeffries Squid Software Foundation
-- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE-2015-0881 Kurt Seifried (Feb 21)
- Re: CVE-2015-0881 C Peters (Feb 21)
- Re: CVE-2015-0881 Kurt Seifried (Feb 21)
- Re: CVE-2015-0881 Amos Jeffries (Feb 22)
- Re: CVE-2015-0881 Kurt Seifried (Feb 23)
- Re: CVE-2015-0881 Amos Jeffries (Feb 28)
- Re: CVE-2015-0881 Kurt Seifried (Mar 01)
- Re: CVE-2015-0881 Amos Jeffries (Mar 06)
- Re: CVE-2015-0881 Kurt Seifried (Feb 23)
- Re: CVE-2015-0881 Jerome Athias (Feb 28)
- Re: CVE-2015-0881 C Peters (Feb 21)