Date: Mon, 3 May 2010 16:14:16 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: Henri Salo <henri@...v.fi>
Cc: oss-security@...ts.openwall.com, bressers@...hat.com, 
	coley <coley@...re.org>
Subject: Re: CVE request: lxr

Just to clarify, two XSS bugs were fixed with a single release (new
version 0.9.8), and then ten days later, an update was included to
resolve a third XSS bug.  The original CVE was originally requested
for "multiple XSS vulnerabilities", but the description only covers
one of them.

-Dan

On Mon, May 3, 2010 at 1:49 PM, Henri Salo <henri@...v.fi> wrote:
> On Mon, 3 May 2010 13:34:05 -0400 (EDT)
> Josh Bressers <bressers@...hat.com> wrote:
>
>> ----- "Henri Salo" <henri@...v.fi> wrote:
>>
>> > On Mon, 3 May 2010 09:31:16 -0400
>> > Dan Rosenberg <dan.j.rosenberg@...il.com> wrote:
>> >
>> > > I discovered and reported this bug at the same time as two other
>> > > XSS issues, including the one covered by CVE-2009-4497.  While
>> > > the commit may be a few days apart for some of these, I think
>> > > they can safely fall under the same CVE, unless it's standard
>> > > practice to assign CVEs for each of several related minor issues.
>> >
>> > Several XSS-vulnerabilities can have one CVE at least when those
>> > vulnerabilities are fixed at the same time.
>> >
>>
>> In this instance, I would assign it a new ID, as the old one already
>> exists and doesn't note both XSS fixes (it is possible someone fixed
>> just the one XSS and not both in an update).
>>
>> I've CC'd Steve Christey, for a second opinion.
>>
>> Thanks
>
> My sentence was for normal cases. I have seen several reports with
> multiple XSS-vulnerabilities. This usually is the case when someone
> audits web-applications.
>
> If the issue already has a CVE identifier, we should
> definitely assign a new CVE for clarity.
>
> ---
> Henri Salo
>
