Date: Mon, 3 May 2010 16:14:16 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: Henri Salo <henri@...v.fi>
Cc: oss-security@...ts.openwall.com, bressers@...hat.com, coley <coley@...re.org>
Subject: Re: CVE request: lxr

Just to clarify, two XSS bugs were fixed with a single release (new version 0.9.8), and then ten days later, an update was included to resolve a third XSS bug. The original CVE was originally requested for "multiple XSS vulnerabilities", but the description only covers one of them.

-Dan

On Mon, May 3, 2010 at 1:49 PM, Henri Salo <henri@...v.fi> wrote:
> On Mon, 3 May 2010 13:34:05 -0400 (EDT)
> Josh Bressers <bressers@...hat.com> wrote:
>
>> ----- "Henri Salo" <henri@...v.fi> wrote:
>>
>> > On Mon, 3 May 2010 09:31:16 -0400
>> > Dan Rosenberg <dan.j.rosenberg@...il.com> wrote:
>> >
>> > > I discovered and reported this bug at the same time as two other
>> > > XSS issues, including the one covered by CVE-2009-4497. While
>> > > the commit may be a few days apart for some of these, I think
>> > > they can safely fall under the same CVE, unless it's standard
>> > > practice to assign CVEs for each of several related minor issues.
>> >
>> > Several XSS vulnerabilities can have one CVE, at least when those
>> > vulnerabilities are fixed at the same time.
>> >
>>
>> In this instance, I would assign it a new ID, as the old one already
>> exists and doesn't note both XSS fixes (it is possible someone fixed
>> just the one XSS and not both in an update).
>>
>> I've CC'd Steve Christey, for a second opinion.
>>
>> Thanks
>
> My sentence was for normal cases. I have seen several reports with
> multiple XSS vulnerabilities. This usually is the case when someone
> audits web applications.
>
> If the issue already has a CVE identifier, we should
> definitely assign a new CVE for clarity.
>
> ---
> Henri Salo