Hallo Carsten,

Many thanks for the heads-up, but I am not entirely sure what to do about it. As far as I know all issues were fixed by 2.8 at the latest. I find it questionable when people open CVEs for (sometimes much) earlier versions, and without informing us about it.

To make it clear: there was one issue with unconstrained log messages, which was fixed in the 1.x series. The issue mentioned in the CVEs you listed is not really a problem, but rather a question of RFC interpretation: when Pound received both a Content-Length and a Transfer-Encoding header it honoured only the first of them and removed the second, rather than rejecting the request entirely. Hardly request smuggling.

On Wed, 2020-06-17 at 23:43 +0200, Carsten Leonhardt wrote:
> Hi Robert,
>
> FYI, in case you didn't get notification, I just noticed
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21245
>
> Apparently someone recently read your announcement for pound 2.8
> mentioning the fix for CVE-2016-10711 without actually putting
> "CVE-2016-10711" into the text and opened a new CVE about it.
>
> Regards,
>
> Carsten
>
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19

--
pound mailing list
[email protected]
https://admin.hostpoint.ch/mailman/listinfo/pound_apsis.ch
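
Added illustration, not part of the original mail and not Pound's source code: the two ways of handling a request that carries both Content-Length and Transfer-Encoding named in the message above (honour the first and remove the second, or reject the request), applied to constructed sample headers. All function names are hypothetical.

```python
# Added illustration: not Pound's code. Function names are hypothetical and
# the sample request below is constructed.
FRAMING = ("content-length", "transfer-encoding")


class AmbiguousFraming(ValueError):
    """The request carries both Content-Length and Transfer-Encoding."""


def parse_headers(raw: bytes):
    """Return the header fields of a raw request head as (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    fields = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def keep_first_framing(fields):
    """Handling described in the mail: honour the framing header seen first
    and remove the other kind before the request is passed on."""
    chosen, kept = None, []
    for name, value in fields:
        key = name.lower()
        if key in FRAMING:
            if chosen is None:
                chosen = key
            elif key != chosen:
                continue  # the second kind of framing header is dropped
        kept.append((name, value))
    return kept


def reject_ambiguous(fields):
    """Stricter handling: refuse a request that carries both headers."""
    present = {name.lower() for name, _ in fields}
    if all(key in present for key in FRAMING):
        raise AmbiguousFraming("Content-Length and Transfer-Encoding both present")
    return fields


# Constructed sample: both framing headers, Content-Length first.
SAMPLE = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\nhello")

if __name__ == "__main__":
    print(keep_first_framing(parse_headers(SAMPLE)))
    try:
        reject_ambiguous(parse_headers(SAMPLE))
    except AmbiguousFraming as exc:
        print("rejected:", exc)
```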
