Date: Tue, 20 Mar 2012 17:28:16 -0600
From: Greg Knaddison <>
To: Kurt Seifried <>
Subject: Re: Re: [security] Drupal CORE and Drupal Contrib

Thanks, Kurt. These are all updated now.

We have a new Drupal 7 core release planned for March 28th that will
likely include some issues. I will mail you March 26th with
descriptions of any issues that we plan to release on the 28th. This
fact is public in our community but I don't expect you to have seen
the news.


On Mon, Mar 19, 2012 at 12:33 PM, Kurt Seifried <> wrote:
> On 03/16/2012 04:40 PM, Greg Knaddison wrote:
>> Hi Kurt,
>> We started considering associating CVEs with our Security Advisories
>> (SAs) in September of 2011. At the time we discussed it with Josh
>> Bressers, Jan Lieskovsky, Steven M. Christey and decided that it would
>> only be practical to do it for Drupal core for now and we could
> >> consider doing it for contrib in the future. Since that discussion
>> there has only been one SA for Drupal core which I think has the CVEs
>> on it: SA-CORE-2012-001 - Drupal core multiple vulnerabilities -
>> Is there another SA for core that I'm not considering? Is there a
>> better way to list the CVE numbers?
>> There have been several SAs for contributed modules and we would
>> gladly update them with CVEs. If you can send an email with a link to
>> the SA and the CVE-id to use that would be great.
> Ok starting with core:
> SA-CORE-2011-003 - Drupal core - Access bypass
> This was already assigned CVE-2011-2726
> SA-CORE-2011-002 - Drupal core - Access bypass
> This was already assigned CVE-2011-2687
> SA-CORE-2011-001 - Drupal core - Multiple vulnerabilities
> Can't find any CVEs, do they need to be assigned?
> --
> Kurt Seifried Red Hat Security Response Team (SRT)

Director Security Services | +1-720-310-5623
Skype: greg.knaddison | |
