Home page logo

oss-sec logo oss-sec mailing list archives

More CVEs? (was Re: [oss-security] [oCERT-2011-003] multiple implementations denial-of-service via hash algorithm collision)
From: Hanno Böck <hanno () hboeck de>
Date: Thu, 29 Dec 2011 13:13:42 +0100

Am Wed, 28 Dec 2011 19:07:30 +0100
schrieb Andrea Barisani <lcars () ocert org>:

Affected version:
Java, all versions
JRuby <= 1.6.5
PHP <= 5.3.8, <= 5.4.0RC3
Python, all versions
Rubinius, all versions
Ruby <= 1.8.7-p356

Apache Geronimo, all versions
Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22
Oracle Glassfish <= 3.1.1
Jetty, all versions
Plone, all versions
Rack, all versions
V8 JavaScript Engine, all versions

Fixed version:
Java, N/A
JRuby >=
PHP >= 5.3.9, >= 5.4.0RC4
Python, N/A
Rubinius, N/A
Ruby >= 1.8.7-p357, 1.9.x

Apache Geronimo, N/A
Apache Tomcat >= 5.5.35, >= 6.0.35, >= 7.0.23
Oracle Glassfish, N/A (Oracle reports that the issue is fixed in the
main codeline and scheduled for a future CPU) Jetty, N/A
Plone, N/A
Rack, N/A
V8 JavaScript Engine, N/A

Credit: vulnerability report and PoC code received from Alexander
Klink <alexander.klink AT nruns.com> and Julian Waelde <jwaelde AT

CVE: CVE-2011-4461 (Jetty), CVE-2011-4838 (JRuby), CVE-2011-4885
(PHP), CVE-2011-4462 (Plone), CVE-2011-4815 (Ruby)

Kurt or other CVE assigners, can you please assign a bunch for python,
java, tomcat etc. pp.

Hanno Böck              mail/jabber: hanno () hboeck de
GPG: BBB51E42           http://www.hboeck.de/

Attachment: signature.asc

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]