oss-sec mailing list archives
Re: CVE number needed for Varnish DoS, also heads-up
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 30 Oct 2013 10:12:51 -0600
Adding oss-security to cc as per http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html since it's public.

On 10/30/2013 08:05 AM, Tollef Fog Heen wrote:
> Hi Kurt,
>
> I'm being told by the Debian security team that they can't assign a CVE as there has been a public bug report about this issue, but that you can help. (https://www.varnish-cache.org/trac/ticket/1367 is the bug report)
>
> Can you please get me a CVE id?
>
> Thanks,
> - Tollef Fog Heen
>
> ]] Tollef Fog Heen
>
> Hi,
>
> (Cc to varnish maintainer in Debian and Fedora)
>
> we've had a denial of service attack reported in Varnish. I believe we should get this fixed in stable (we're working on a patch), but I'd like a CVE # to go with the advisory.
>
> Draft advisory at http://etherpad.wikimedia.org/p/WnwRT4FH6e
>
> Regards,
> --
> Tollef Fog Heen
> Technical lead | Varnish Software AS
> 📞: +47 21 98 92 64
> We Make Websites Fly!
Please use CVE-2013-4484 for this issue.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993