oss-sec mailing list archives
Re: CVE request: Curl insecure usage
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 28 Nov 2012 13:45:26 -0700
On 11/26/2012 11:42 AM, Kurt Seifried wrote:
> On 11/26/2012 08:06 AM, Moritz Muehlenhoff wrote:
>> Hi, during the triage of the SSL client bugs spotted by the
>> http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf paper Debian
>> developer Alessandro Ghedini discovered two more applications using
>> Curl in an insecure manner:
>>
>> 1. opendnssec (in the eppclient tool)
>> http://lists.opendnssec.org/pipermail/opendnssec-user/2012-November/002296.html

Please use CVE-2012-5582 for opendnssec: insecure usage of curl

>> 2. PHPcas (used by Moodle e.g.):
>> https://github.com/Jasig/phpCAS/pull/58

Please use CVE-2012-5583 for phpCAS: insecure usage of curl

>> Please assign CVE IDs for these.
>>
>> Cheers, Moritz
>
> Have these been receiving individual CVE's? I can't find any offhand,
> can you provide examples of others?

Also can someone collate and post a list of all the other apps using curl insecurely and need CVE's with appropriate links to the upstreams/etc? Thanks.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993