Date: Sat, 12 May 2012 11:40:40 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: micah anderson <micah@...eup.net>
CC: oss-security@...ts.openwall.com
Subject: Re: CVE request: sympa (try again)

On 05/12/2012 09:27 AM, micah anderson wrote:
> On Fri, 11 May 2012 23:58:33 -0600, Kurt Seifried
> <kseifried@...hat.com> wrote:
>> 
>> On 05/11/2012 12:03 PM, micah wrote:
>>> 
>>> Hi,
>>> 
>>> Please assign a CVE for Sympa, any version prior to 6.1.11. It
>>> is possible to open the archive management ("arc_manage") page
>>> for any list, even those set to only be available to members,
>>> giving anyone the option to download the archive, or delete the
>>> archive.
>>> 
>>> http://www.sympa.org/distribution/latest-stable/NEWS 
>>> https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=6706&r2=7358&pathrev=7358
>>> 

Please use CVE-2012-2352 for this issue.


>>> thank you, micah
>>> 
>>> ps - for some reason the previous message is formatted strange,
>>> so I'm sending this one without the signature
>>> 
>> 
>> Ok I see this one and several more:
>> 
>> ================================
>> 
>> 6.1.11		May 11, 2012 Bug fixes: [7358] wwsympa/wwsympa.fcgi.in:
>> Fixing a potential security issue related to archives
>> 
>> Can you confirm these and I will assign CVEs for the outstanding
>> issues.
> 
> I am only able to confirm the above issue. I am not a sympa
> developer; I just was involved in the above issue.

Ok I will assign one for the above.

> What sort of 'confirmation' are you looking for? It seems like the 
> changelog entries are pretty good confirmation. Perhaps you are
> looking for more details of the issues, those you could obtain from
> the sympa list.

Ideally links to code commits like you included in your request =).

> 
> micah


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
