Date: Wed, 04 Apr 2012 10:41:02 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>,
        Filippo Cavallarin <filippo.cavallarin@...seq.it>
Subject: Re: CVE request: OSClass directory traversal vulnerability

On 04/03/2012 02:43 AM, Henri Salo wrote:
> On Mon, Apr 02, 2012 at 11:45:12AM -0600, Kurt Seifried wrote:
>> The actual blog entry:
>> http://osclass.org/blog/2012/03/05/osclass-2-3-6/
>> 
>> doesn't mention anything about directory traversal. Do you have a
>> link on their site, or the commit showing the problem or the
>> fix?
>> 
>> -- Kurt Seifried Red Hat Security Response Team (SRT)
> 
> http://osclass.org/blog/2012/03/05/osclass-2-3-6/ "Special thanks
> to Filippo Cavallarin again for reporting a security vulnerability
> in combine.php file. If you’re using that file in your theme, I
> strongly recommend to update it. Please, remember to visit the wiki
> if you don’t know how to update OSClass."
> 
> Here is the diff:
> https://github.com/osclass/OSClass/commit/09aa689ae424dc2bec6f857e7179ae4afdbbd2a9#diff-4
> 
> Full changelog: http://doc.osclass.org/Changelog
> 
> Fixed in 2.3.6.
> 
> - Henri Salo

Thanks Henri, that's exactly the kind of information CVE requests need =)

Please use CVE-2012-1617 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
