oss-sec mailing list archives
Re: CVE request: Curl insecure usage
From: Fabian Keil <fk () fabiankeil de>
Date: Thu, 29 Nov 2012 11:06:20 +0100
Kurt Seifried <kseifried () redhat com> wrote:
> On 11/26/2012 11:42 AM, Kurt Seifried wrote:
> > On 11/26/2012 08:06 AM, Moritz Muehlenhoff wrote:
> > > Hi, during the triage of the SSL client bugs spotted by the
> > > http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf paper Debian
> > > developer Alessandro Ghedini discovered two more applications
> > > using Curl in an insecure manner:
> > >
> > > 1. opendnssec (in the eppclient tool)
> > > http://lists.opendnssec.org/pipermail/opendnssec-user/2012-November/002296.html
> >
> > Please use CVE-2012-5582 for opendnssec: insecure usage of curl
> >
> > > 2. PHPcas (used by Moodle e.g.):
> > > https://github.com/Jasig/phpCAS/pull/58
> >
> > Please use CVE-2012-5583 for phpCAS: insecure usage of curl
>
> Have these been receiving individual CVE's? I can't find any offhand,
> can you provide examples of others?
>
> Also can someone collate and post a list of all the other apps using
> curl insecurely and need CVE's with appropriate links to the
> upstreams/etc? Thanks.

Note that curl is the (unaffected) command line tool based on libcurl.
The CVEs should probably refer to insecure usage of libcurl to prevent
confusion.

Fabian