mailing list archives
Re: lighttpd 1.4.34 SQL injection and path traversal CVE request
From: cve-assign () mitre org
Date: Wed, 12 Mar 2014 11:05:46 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
I requested a CVE on distros, but Kurt wasn't sure whether one or
multiple CVE ids should be assigned
The number of CVEs doesn't necessarily depend on the number of changes
that were required to address the reported attacks; instead, the
number of CVEs can depend on whether issues could have been fixed
independently. For example, the HTTP protocol specification doesn't
require that a server validate that the Host header has the expected
"host" or "host:port" syntax and otherwise send an error status code.
If that were required, then there would only be one CVE.
Here, the issues could have been fixed independently, e.g., SQL
injection fixed in mod_mysql_vhost.c, and then directory traversal
fixed in the mod_simple_vhost_docroot function in mod_simple_vhost.c
and the mod_evhost_parse_host function in mod_evhost.c. This could
conceivably have been chosen if someone wanted
mod_simple_vhost.c/mod_evhost.c to have access to the original string
(maybe anticipating that "Host: host/pathname" could become meaningful
for vhosts in a future HTTP protocol revision, or whatever).
So, there are two CVE assignments:
SQL injection - use CVE-2014-2323.
path traversal - use CVE-2014-2324.
CVE assignment team, MITRE CVE Numbering Authority
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)
-----END PGP SIGNATURE-----