oss-sec mailing list archives
Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
From: Reed Loden <reed () reedloden com>
Date: Wed, 1 Dec 2010 10:55:33 -0800
On Wed, 01 Dec 2010 13:39:14 -0500 Mark Stosberg <mark () summersault com> wrote:
> > 2. Further improvements to handling of newlines embedded in header values. An exception is thrown if header values contain invalid newlines. Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux Lincoln Stein, Frederic Buclin and Mark Stosberg
> >
> > Chris, Mark, could you please provide more details about the issue? Is it related to CVE-2010-3172?
>
> Yes, it is. However, later testing found that the issue wasn't completely fixed in 3.50. A new patch has been developed, and is currently pending review and acceptance by the primary CGI.pm author, Lincoln Stein. (Now CC'ed).
>
> > Steve, could you please allocate CVE id for this? (id #2)

Mozilla already allocated CVE-2010-2761 to this part for the perl-CGI issue.

~reed
Mozilla Security Group

--
Reed Loden
reed () reedloden com