Date: Thu, 15 Mar 2012 21:30:58 -0400
From: Mark Stanislav <mark.stanislav@...il.com>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Requests

#1,2,3 are all included

#4, each project is linked to where the code (both vulnerable and/or fixed)
lives

#5...
phpMoneyBooks, 1.0.2 and potentially prior versions
phpGradeBook, 1.9.4 and potentially prior versions
phpPaleo, 4.8b155 and potentially prior versions
hbportal, 0.1 and potentially prior versions
eticketing, no version numbering used *shrug*

#6 An e-mail was sent to cve@...re.org 7 days ago without response
#7 All open source
#8 Not embargoed

I think that should do it.

-Mark

On Thu, Mar 15, 2012 at 8:22 PM, Kurt Seifried <kseifried@...hat.com> wrote:

> On 03/15/2012 01:18 PM, Mark Stanislav wrote:
> > Howdy,
> >
> > I was looking to receive CVEs for the following...
> >
> > 1) phpMoneyBooks (http://phpmoneybooks.com/) has an unauthenticated local
> > file inclusion (LFI) vulnerability
> > * Notified, Response Received, and Patch Released
> >
> > 2) phpGradeBook (http://phpgradebook.com/) has unauthenticated SQL
> > Database Exportation
> > * Notified, Response Received, and Patch Released
> >
> > 3) phpPaleo (http://sourceforge.net/projects/phppaleo/) has an
> > unauthenticated local file inclusion (LFI) vulnerability
> > * Notified, Response Received, and Patch Released
> >
> > 4) hbportal (http://sourceforge.net/projects/hbportal/) has a POST-based
> > SQL injection vulnerability
> > * Notified
> >
> > 5) e-ticketing (http://sourceforge.net/projects/e-ticketing/) has a
> > POST-based SQL injection vulnerability
> > * Notified & Response Received
> >
> > Thanks!
> >
> > -Mark
> >
> Removed the "no" this time to avoid ambiguity=)
>
> More info would be helpful. Some draft guidelines:
>
> Information for CVE request, REQUIRED:
>
> 1) Email address of requester (so we can contact them)
> 2) Software name and optionally vendor name
> 3) At least one of (to determine if this is a security issue):
>  1. Type of vulnerability
>  2. Exploitation vectors
>  3. Attack outcome
> 4) For Open Source at least one of:
>  1. Link to vulnerable source code or fix
>  2. Link to source code change log
>  3. Link to security advisory
>  4. Link to bug entry
>  5. Request comes from project member (a.k.a. "trust me, it's a problem")
> 5) Affected version(s) (3.2.4, 3.x, current version, all current
> releases, something)
> 6) Whether or not this has been previously requested (i.e. on OSS-Sec or
> to cve-assign)
> 7) Is this an Open Source or commercial software request
> 8) Is this an embargoed issue (if yes and commercial: send to
> cve-assign, if yes and open source: send to vs-sec?)
> 9) IF multiple issues are listed please list affected versions for each
> issue and/or who reported them (so we can determine CVE split/merge).
>
> Information for CVE request, REQUESTED:
>
> 1) More of the above information of course
> 2) Software version(s) fixed (if available)
> 3) For closed source any of the information from "For Open Source at
> least one of:"
> 4) Any additional information
>
>
> --
>
> -- Kurt Seifried / Red Hat Security Response Team
>
>
