Date: Thu, 6 May 2010 14:24:05 -0400 From: Dan Rosenberg <dan.j.rosenberg@...il.com> To: "Steven M. Christey" <coley@...us.mitre.org> Cc: oss-security@...ts.openwall.com Subject: Re: CVE request: lxr Sorry for not making this explicitly clear. There are three issues: 1. XSS in the ident parameter, as described in CVE-2009-4497. 2. XSS that is reflected via the search results page after issuing a search. 3. XSS that is reflected via the <title> tag on the search page, as described in Raphael's original e-mail a few days ago, which Josh just assigned CVE-2010-1448. Bugs 1 and 2 were fixed simultaneously, as indicated in the 2010-01-05 changelog entry for LXR: 2010-01-05 18:00 mbox * ident, search: Fix for CVE-2009-4497 from Dan Rosenberg Avoid a XSS vulnerability Bug 3 was fixed a few days later on 2010-01-15, as indicated by: 2010-01-15 23:23 mbox * lib/LXR/Common.pm: Fix XSS exploit in title string So, while my original intent at the time of disclosure was to have a single CVE identifier assigned to cover all three of these issues, that obviously did not happen. As it stands, bugs 1 and 3 have their own CVE identifiers, and bug 2 remains unassigned. -Dan On Thu, May 6, 2010 at 2:11 PM, Steven M. Christey <coley@...us.mitre.org> wrote: > > On Mon, 3 May 2010, Henri Salo wrote: > >> On Mon, 3 May 2010 09:31:16 -0400 >> Dan Rosenberg <dan.j.rosenberg@...il.com> wrote: >> >> Several XSS-vulnerabilities can have one CVE at least when those >> vulnerabilities are fixed at the same time. > > Another factor is when they are published at the same time. > >> Can someone verify what is the policy by the book? > > It's never as easy as just a couple rules, unfortunately. In this case, > CVE-2009-4497 has been around for a long time, so it's strongly attached to > *only* the "i" parameter/ident issue. It's too risky to change the > fundamental meaning of a CVE after it's been published. (So even though the > intention of Dan's original request may have been to cover other issues, > that's not what it looks like to the public any more.) > > Josh assigned CVE-2010-1448 for the search page issue, and now Dan has > alluded to a third issue that is neither ident nor search page, but we don't > know what that third issue is. > > If Dan's issue is what he calls "a third XSS bug" in > http://www.openwall.com/lists/oss-security/2010/05/03/7 then I'd want a > different CVE for it - since it's addressed in a separate "version" than the > other two XSS bugs. > > The crux of the problem here is that the original bug report alluded to > "several" XSS but only listed the ident issue; our CVE description typically > might say "multiple XSS, for example this particular vector," but we didn't > do that... and neither does the vendor specifically indicate that the other > vaguely-specified issues were actually addressed. > > - Steve >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ