libmicrohttpd

Re: [libmicrohttpd] [PATCH] Check response existence on upgrade


From: José Bollo
Subject: Re: [libmicrohttpd] [PATCH] Check response existence on upgrade
Date: Fri, 5 May 2017 10:23:13 +0200

On Thu, 4 May 2017 23:36:23 +0300
Evgeny Grin <address@hidden> wrote:

> Thanks! Applied.
> 

Hello Evgeny,

After thinking about the issue, I guess that it is a serious
vulnerability.

I guess that a simple curl request to a server running 0.52 or 0.53 can
raise the SEGV.

IMHO if 

 curl http://www.myserver.org/path-to-404

returns a 404 error

 curl -H "Connection: Upgrade" http://www.myserver.org/path-to-404

would raise the issue.

I'll let you conclude but a CVE is probably a good idea.

Best regards
José


