oss-sec mailing list archives
Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host
From: <cve-assign () mitre org>
Date: Fri, 4 Nov 2016 03:10:21 -0400
translated into `strasse.de` using IDNA 2003 but is translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those host names could very well resolve to different addresses and be two completely independent servers.
Maybe MITRE (or somebody else) could share their thoughts about this, too?
In some situations, this would be a site-specific problem at a registry. Although domain names can have a variety of uses of '-' characters, the presence of a '-' as both the third character and the fourth character is often recognized as a special case. Trying to specify xn--strae-oqa.de directly when seeking a registration is very different from trying to specify (for example) x--strae-oqa.de or xn-strae-oqa.de. Various other types of bugs (not necessarily security-relevant) have been reported for this general concept, e.g., see:

https://framework.zend.com/issues/browse/ZF-6133

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
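The IDNA 2003 / IDNA 2008 mismatch quoted above and the third-and-fourth-character hyphen case, as an added example that is not part of the original message or of curl. The function names are hypothetical, and the IDNA 2008 side is a simplified assumption (lowercase plus raw Punycode, no full RFC 5891 validation).

```python
# Added example: flag host names that IDNA 2003 and IDNA 2008 encode differently,
# and list labels with '-' as both the third and the fourth character.
# Python's built-in "idna" codec implements IDNA 2003 (nameprep maps 'ß' to "ss").

# Characters the two standards are known to treat differently (deviation set).
DEVIATIONS = {"\u00df", "\u03c2", "\u200c", "\u200d"}  # ß, final sigma, ZWNJ, ZWJ


def to_ascii_2003(host: str) -> str:
    """IDNA 2003 ToASCII via the standard-library codec."""
    return host.encode("idna").decode("ascii").lower()


def to_ascii_2008_simplified(host: str) -> str:
    """Assumption: approximate IDNA 2008 by Punycoding the lowercased label
    without nameprep mapping. Not a full RFC 5891 implementation."""
    labels = []
    for label in host.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def check_host(host: str) -> dict:
    """Report both encodings and whether a client could reach a different host."""
    a03 = to_ascii_2003(host)
    a08 = to_ascii_2008_simplified(host)
    return {
        "idna2003": a03,
        "idna2008": a08,
        "ambiguous": a03 != a08,
        "deviation_chars": sorted(DEVIATIONS & set(host)),
        # '-' in positions 3 and 4 marks the reserved label space ("xn--" etc.)
        "reserved_hyphen_labels": [l for l in a08.split(".") if l[2:4] == "--"],
    }


if __name__ == "__main__":
    # Constructed sample inputs; the first is the name discussed in the thread.
    for name in ["straße.de", "bücher.de", "xn--strae-oqa.de", "x--strae-oqa.de"]:
        print(name, check_host(name))
```

A name reported as `ambiguous` is one to reject or log before resolution, since the address reached depends on which IDNA version the client library implements.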