oss-sec mailing list archives
CVE-2014-6271 first patch and remote exploit via CGI
From: Reed Black <reed () unsafeword org>
Date: Thu, 25 Sep 2014 07:50:26 -0700
In the press, there are contrary statements about the initial patches[1] posted by Florian Weimer. A user on Twitter posted[2] that the patch was incomplete. There is agreement on that much. Where I see different responses is on whether the first patch can still be exploited remotely via the CGI vector outlined in Florian's initial post, and what damage can still be done. I haven't seen a proof of concept yet, but I also haven't seen a trusted voice give a definitive statement that it can't be abused. Could anyone lay out what's still possible for a remote attacker via CGI with only the first patch applied? [1] http://seclists.org/oss-sec/2014/q3/650 [2] http://www.openwall.com/lists/oss-security/2014/09/24/33
Current thread:
- CVE-2014-6271 first patch and remote exploit via CGI Reed Black (Sep 25)
- Re: CVE-2014-6271 first patch and remote exploit via CGI Michal Zalewski (Sep 25)