Date: Sat, 12 May 2012 11:40:40 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: micah anderson <micah@...eup.net>
CC: oss-security@...ts.openwall.com
Subject: Re: CVE request: sympa (try again)

On 05/12/2012 09:27 AM, micah anderson wrote:
> On Fri, 11 May 2012 23:58:33 -0600, Kurt Seifried
> <kseifried@...hat.com> wrote:
>>
>> On 05/11/2012 12:03 PM, micah wrote:
>>>
>>> Hi,
>>>
>>> Please assign a CVE for Sympa, any version prior to 6.1.11. It
>>> is possible to open the archive management ("arc_manage") page
>>> for any list, even those set to only be available to members,
>>> giving anyone the option to download the archive, or delete the
>>> archive.
>>>
>>> http://www.sympa.org/distribution/latest-stable/NEWS
>>> https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=6706&r2=7358&pathrev=7358 Please
>>> use CVE-2012-2352 for this issue.
>>> thank you, micah
>>>
>>> ps - for some reason the previous message is formatted strange,
>>> so I'm sending this one without the signature
>>>
>>
>> Ok I see this one and several more:
>>
>> ================================
>>
>> 6.1.11 May 11, 2012 Bug fixes: wwsympa/wwsympa.fcgi.in:
>> Fixing a potential security issue related to archives
>>
>> Can you confirm these and I will assign CVE's for the outstanding
>> issues.
>
> I am only able to confirm the above issue, I am not a sympa
> developer I just was involved in the above issue.

Ok I will assign one for the above.

> What sort of 'confirmation' are you looking for? It seems like the
> changelog entries are pretty good confirmation. Perhaps you are
> looking for more details of the issues, those you could obtain from
> the sympa list.

Ideally links to code commits like you included in your request =).

>
> micah

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993