Message-Id: <20150416065530.E268E6C0016@smtpvmsrv1.mitre.org>
Date: Thu, 16 Apr 2015 02:55:30 -0400 (EDT)
From: cve-assign@...re.org
To: fungi@...goth.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@...erpad.org
Subject: Re: CVE Request for incomplete fix to CVE-2015-3297 in Etherpad Minify

> An anonymous reporter pointed out an incomplete fix to CVE-2015-3297
> in the minify feature of current Etherpad releases. There is an
> additional location in the script where backslashes are replaced
> with slashes in the path parameter of HTTP API calls after path
> normalization is applied, allowing an attacker supplying a slightly
> different specially-crafted request to remotely read arbitrary files
> 
> https://github.com/ether/etherpad-lite/commit/0fa7650df8f940ed6b577d79836a78eb09726c4b

Use CVE-2015-3309.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
