Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: Curl insecure usage
From: Fabian Keil <fk () fabiankeil de>
Date: Thu, 29 Nov 2012 11:06:20 +0100

Kurt Seifried <kseifried () redhat com> wrote:

On 11/26/2012 11:42 AM, Kurt Seifried wrote:
On 11/26/2012 08:06 AM, Moritz Muehlenhoff wrote:
Hi, during the triage of the SSL client bugs spotted by the 
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf paper Debian 
developer Alessandro Ghedini discovered two more applications
using Curl in an insecure manner:

1. opendnssec (in the eppclient tool) 
http://lists.opendnssec.org/pipermail/opendnssec-user/2012-November/002296.html

Please

use CVE-2012-5582 for opendnssec: insecure usage of curl

2. PHPcas (used by Moodle e.g.): 
https://github.com/Jasig/phpCAS/pull/58

Please use CVE-2012-5583 for phpCAS: insecure usage of curl

Have these been receiving individual CVE's? I can't find any
offhand, can you provide examples of others?

Also can someone collate and post a list of all the other apps using
curl insecurely and need CVE's with appropriate links to the
upstreams/etc? Thanks.

Note that curl is the (unaffected) command line tool based on libcurl.
The CVEs should probably refer to insecure usage of libcurl to prevent
confusion.

Fabian

Attachment: signature.asc
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]