oss-sec mailing list archives
Re: CVE request: Curl insecure usage
From: Moritz Mühlenhoff <jmm () inutil org>
Date: Thu, 29 Nov 2012 22:44:36 +0100
On Wed, Nov 28, 2012 at 01:45:26PM -0700, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/26/2012 11:42 AM, Kurt Seifried wrote:
> On 11/26/2012 08:06 AM, Moritz Muehlenhoff wrote:
> Hi, during the triage of the SSL client bugs spotted by the http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf paper Debian developer Alessandro Ghedini discovered two more applications using Curl in an insecure manner:
>
> 1. opendnssec (in the eppclient tool) http://lists.opendnssec.org/pipermail/opendnssec-user/2012-November/002296.html
>
> Please use CVE-2012-5582 for opendnssec: insecure usage of curl
>
> 2. PHPcas (used by Moodle e.g.): https://github.com/Jasig/phpCAS/pull/58
>
> Please use CVE-2012-5583 for phpCAS: insecure usage of curl
>
> Please assign CVE IDs for these.
>
> Cheers, Moritz
>
> Have these been receiving individual CVE's? I can't find any offhand, can you provide examples of others?
>
> Also can someone collate and post a list of all the other apps using curl insecurely and need CVE's with appropriate links to the upstreams/etc? Thanks.

There are some, which are potentially affected, but where discussion with upstream is still pending. Shall we go ahead and post them or do you prefer to have them sorted out with upstream first?

Cheers,
Moritz