Re: CVE-2015-0881

[Kurt Seifried <kseifried () redhat com>]

So for those of us vendors/etc that need to backport security fixes
and/or confirm our software is fixed how are we supposed to do this?

How long will the patch/attack information be embargoed for?

Also why has this been covered up for over 5 years and is now still a
secret? I'm very confused and I have some grave concerns about how
JVN/upstream is handling this.

On 28/02/15 09:16 PM, Amos Jeffries wrote:
> On 24/02/2015 4:34 a.m., Kurt Seifried wrote:
> > Regarding CVE-2015-0881
>
> > http://jvn.jp/en/jp/JVN64455813/index.html 
> > http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000019.html
>
>
> JPCERT has now provided me a copy of the attack. They have requested I
> not reveal the details, so I am treating that and the patch details as
> embargoed for the time being.
>
> Without revealing too much (I hope) I can confirm:
>
> * It is a known vulnerability
>  - to upstream that is, but no CVE assigned.
>
> * The initial report of this issue to upstream occured during 2009.
>
> * Squid 1.x, 2.x, and 3.0 releases are all vulnerable.
>
> * All Squid-3.1 stable releases are not vunerable.
>  - eg, you can bump the fixed version number back to 3.1.1 for most OS
> distributions.
>
>
> For the record; there is now FALSE information floating around in some
> CVE-2015-0881 "copies" about it being about CRLF issues. The Cisco
> report came to my attention first, but they are not alone.
>
> To all those people cut-n-pasting blurb text from CWE-113 in place of
> the JPCERT description: please dont do that. There are multiple "HTTP
> response splitting" attack vectors which have nothing to do with the
> (current) CWE-113 description. This is one of those cases.
>
> HTH
>
> Amos Jeffries
> Squid Software Foundation

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature