oss-sec mailing list archives

Re: CVE requests / advisory: cxxtools <= 2.2, Tntnet <= 2.2

From: cve-assign () mitre org
Date: Sat, 18 Jan 2014 06:16:10 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Affected software: cxxtools
Description: By sending a crafted HTTP query parameter containing two
percent signs in a row, URL parsing would enter an infinite recursive
loop, leading to a crash. This allows a remote attacker to DOS the
server.
Affected versions: current releases (<= 2.2)
Fixed in version: 2.2.1
Fix: https://github.com/maekitalo/cxxtools/commit/142bb2589dc184709857c08c1e10570947c444e3
Release notes: http://www.tntnet.org/download/cxxtools-2.2.1/Releasenotes-2.2.1.markdown


Use CVE-2013-7298.

Affected software: Tntnet
Description: By sending a crafted HTTP request that uses "\n" to end
its headers instead of the expected "\r\n", it is possible that
headers from a previous unrelated request will seemingly be appended
to the crafted request (due to a missing null termination). This
allows a remote attacker to use sensitive headers from other users'
requests in their own requests, such as cookies or HTTP authentication
credentials.
Affected versions: current releases  (<= 2.2)
Fixed in version: 2.2.1
Fix: https://github.com/maekitalo/tntnet/commit/9bd3b14042e12d84f39ea9f55731705ba516f525
and https://github.com/maekitalo/tntnet/commit/9d1a859e28b78bfbf769689454b529ac7709dee4
Release notes: http://www.tntnet.org/download/tntnet-2.2.1/Releasenotes-2.2.1.markdown


Use CVE-2013-7299.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS2mEZAAoJEKllVAevmvmsAuAH/j2glwHNt4bzFqxhBOYOdxtM
+qY/LOuyX24aHDi9JASGeedm+kmVnRMqQXept4M+tNGdJo+vwgnQkV2HtQhdrZWB
cWwowS2+7FEbdJ/HXPfrmHDLS8vfWdMeQ1SzkXctnQeti+/jYnBMVC61Lr2boNBn
478zDHV6h9FV8xnZZFRS5+j3/UGtJOqWzKhZgvDZBLaAHLbut9+vFuCKImvaq0iZ
S6j/x1u/ZoBZ0vpkub2UGzhhiEylmSEGe/+WAORqzdiS4ey8rbbrCaaZcgY3QePg
v2MUn/VFpPlhM3CZRokNq96h+BqQGQ/c4yr5phtfH0weZtGicxUmP6zMUcbH87M=
=KsAd
-----END PGP SIGNATURE-----

Current thread:

CVE requests / advisory: cxxtools <= 2.2, Tntnet <= 2.2 Matthew Daley (Jan 17)
- Re: CVE requests / advisory: cxxtools <= 2.2, Tntnet <= 2.2 Henri Salo (Jan 18)
  - Re: CVE requests / advisory: cxxtools <= 2.2, Tntnet <= 2.2 Matthew Daley (Jan 18)
- Re: CVE requests / advisory: cxxtools <= 2.2, Tntnet <= 2.2 cve-assign (Jan 18)