Candidate: CVE-2009-4488
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4488
** DISPUTED ** Varnish 2.0.6 writes data to a log file without sanitizing
non-printable characters, which might allow remote attackers to modify a
window's title, or possibly execute arbitrary commands or overwrite files,
via an HTTP request containing an escape sequence for a terminal emulator.
NOTE: the vendor disputes the significance of this report, stating that
"This is not a security problem in Varnish or any other piece of software
which writes a logfile. The real problem is the mistaken belief that you
can cat(1) a random logfile to your terminal safely."
jdstrand> if this is a problem, it is with the terminal
mdeslaur> CVE is disputed, marking as ignored
upstream_varnish: needs-triage
hardy_varnish: ignored (reached end-of-life)
intrepid_varnish: needs-triage (reached end-of-life)
jaunty_varnish: ignored (reached end-of-life)
karmic_varnish: ignored (reached end-of-life)
lucid_varnish: ignored (reached end-of-life)
maverick_varnish: ignored (reached end-of-life)
natty_varnish: ignored (reached end-of-life)
oneiric_varnish: ignored (reached end-of-life)
precise_varnish: ignored (reached end-of-life)
precise/esm_varnish: DNE (precise was needs-triage)
quantal_varnish: ignored (reached end-of-life)
raring_varnish: ignored (reached end-of-life)
saucy_varnish: ignored (reached end-of-life)
trusty_varnish: ignored
utopic_varnish: ignored (reached end-of-life)
vivid_varnish: ignored (reached end-of-life)
vivid/stable-phone-overlay_varnish: DNE
vivid/ubuntu-core_varnish: DNE
wily_varnish: ignored (reached end-of-life)
xenial_varnish: ignored
yakkety_varnish: ignored (reached end-of-life)
zesty_varnish: ignored
devel_varnish: ignored