oss-security - Re: CVE request: Apache Axis2 Session Fixation

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Tue, 6 Jul 2010 15:24:34 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: Apache Axis2 Session Fixation

I'm going to leave this one for MITRE too. The reproter and upstream
disagree, I'm not certain what the policy is in such cases.

Thanks.

-- 
    JB


----- "Matthias Weckbecker" <mweckbecker@...e.de> wrote:

> Hi,
> 
> there has recently been a Session Fixation vulnerability reported in
> Apache 
> Axis2, see:
> 
> References:
> https://issues.apache.org/jira/browse/AXIS2-4739
> http://www.securityfocus.com/archive/1/511955/30/30/threaded
> 
> There is already CVE-2010-2103 assigned for the Cross-Site Scripting
> mentioned 
> in the advisory above. However, there does not seem to be a CVE for
> the 
> Session Fixation flaw, so could you possibly assign one for it too?
> 
> Thanks!
> 
> ciao,
> Matthias
> 
> -- 
> Matthias Weckbecker, SUSE Security Team
> SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg   
> Tel: +49-911-74053-0;  http://www.opensuse.org/   
> SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.