Date: Thu, 2 Aug 2012 14:18:48 -0600
From: Greg Knaddison <greg.knaddison@...uia.com>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com, Joshua Brauer <joshua.brauer@...uia.com>
Subject: Re: CVE Request for Drupal contributed modules

I've now updated these keeping in mind the followup e-mails by Henri
and Steven about some duplicates and some additional values that
needed to be assigned.

We are currently behind on 17 advisories that are on drupal.org but do
not yet have a CVE. I asked the team if anyone else wanted to take
over the process of requesting and updating advisories with CVEs.
Joshua Brauer (cc'd here) has agreed to take this over as of August
15th.

For completeness, CVE-2012-2922 was recently assigned to a path
disclosure issue in Drupal 7.14 that was fixed in Drupal 7.15. The
Drupal Security Team's opinion is that it's a php configuration
mistake to display these kinds of errors to the screen and therefore
Drupal 7.15 was not marked as a security update and did not get a
security advisory. We're open to alternate opinions on the issue if
someone has a case why this should be considered a security issue in
Drupal.

Regards,
Greg

On Wed, Jun 13, 2012 at 10:32 PM, Kurt Seifried <kseifried@...hat.com> wrote:
> Apologies for the delay in DRUPAL SA-CONTRIB CVE assignments, here's
> the current batch:
>
>
> CVE-2012-2699 SA-CONTRIB-2012-073 - Glossary - Cross-Site Scripting (XSS)
> CVE-2012-2700 SA-CONTRIB-2012-074 - Contact Forms - Access Bypass
> CVE-2012-2701 SA-CONTRIB-2012-075 - Take Control - Cross Site Request
> Forgery (CSRF)
> CVE-2012-2702 SA-CONTRIB-2012-076 - Ubercart Product Keys Access Bypass
> CVE-2012-2703 SA-CONTRIB-2012-077 - Advertisement - Cross Site
> Scripting & Information Disclosure - XSS
> CVE-2012-2704 SA-CONTRIB-2012-077 - Advertisement - Cross Site
> Scripting & Information Disclosure - Information Disclosure
> CVE-2012-2705 SA-CONTRIB-2012-078 - Smart Breadcrumb - Cross Site
> Scripting (XSS)
> CVE-2012-2706 SA-CONTRIB-2012-079 - Post Affiliate Pro - Cross Site
> Scripting (XSS) and Access Bypass - Unsupported
> CVE-2012-2707 SA-CONTRIB-2012-080 - Hostmaster (Aegir) - Access Bypass
> and Cross Site Scripting (XSS) - access bypass
> CVE-2012-2708 SA-CONTRIB-2012-080 - Hostmaster (Aegir) - Access Bypass
> and Cross Site Scripting (XSS) - XSS
> CVE-2012-2709 SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting
> CVE-2012-2710 SA-CONTRIB-2012-082 - Zen - Cross Site Scripting
> CVE-2012-2711 SA-CONTRIB-2012-083 - Taxonomy List - Cross Site
> Scripting (XSS)
> CVE-2012-2712 SA-CONTRIB-2012-084 - Search API - Cross Site Scripting
> (XSS)
> CVE-2012-2713 SA-CONTRIB-2012-085 - BrowserID - Multiple
> Vulnerabilities - CSRF
> CVE-2012-2714 SA-CONTRIB-2012-085 - BrowserID - Multiple
> Vulnerabilities - BrowserID login theft
> CVE-2012-2715 SA-CONTRIB-2012-086 - Amadou - Cross Site Scripting
> CVE-2012-2716 SA-CONTRIB-2012-087 - Comment Moderation - Cross Site
> Request Forgery
> CVE-2012-2717 SA-CONTRIB-2012-088 - Mobile Tools - Cross Site
> Scripting (XSS)
> CVE-2012-2718 SA-CONTRIB-2012-089 - Counter - SQL Injection (unsupported)
> CVE-2012-2719 SA-CONTRIB-2012-090 - File depot - Session Management
> Vulnerability
> CVE-2012-2720 SA-CONTRIB-2012-091 - Token Authentication - Access bypass
> CVE-2012-2721 SA-CONTRIB-2012-092 - Organic Groups - Cross Site
> Scripting (XSS) and Access Bypass
> CVE-2012-2722 SA-CONTRIB-2012-093 - Node Embed - Access Bypass
> CVE-2012-2723 SA-CONTRIB-2012-094 - Maestro module - Cross Site
> Request Forgery (CSRF), Cross Site Scripting (XSS)
> CVE-2012-2724 SA-CONTRIB-2012-095 - Simplenews - Information Disclosure
> CVE-2012-2725 SA-CONTRIB-2012-096 - Authoring HTML - Cross Site
> Scripting (XSS)
> CVE-2012-2726 SA-CONTRIB-2012-097 - Protest - Cross Site Scripting (XSS)
> CVE-2012-2727 SA-CONTRIB-2012-098 - Janrain Capture - Open Redirect
> CVE-2012-2728 SA-CONTRIB-2012-099 - Node Hierarchy - Cross Site
> Request Forgery (CSRF)
> CVE-2012-2729 SA-CONTRIB-2012-100 - SimpleMeta - Cross Site Request
> Forgery (CSRF)
> CVE-2012-2730 SA-CONTRIB-2012-101 - Protected Node - Access Bypass
> CVE-2012-2731 SA-CONTRIB-2012-102 - Ubercart AJAX Cart - Potential
> Disclosure of user Session ID
> CVE-2012-2732 SA-CONTRIB-2012-103 - Global Redirect - Open Redirect
>
>
> - --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-- 
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com
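As an added illustration of the configuration point raised above (this is not part of the thread and not Drupal's own code), here are the PHP ini directives involved. On a production site, display_errors sends warnings and notices, including the absolute path of the file that raised them, into the HTTP response; the hardened form records the same information in a log that visitors cannot read. The directive names are real PHP ini directives; the error_log path is an assumed placeholder.

```ini
; --- Weak production setting: the kind of misconfiguration the thread refers to ---
; Any warning or notice, together with the full filesystem path of the file
; that raised it, is printed into the page served to the visitor.
display_errors = On
display_startup_errors = On

; --- Hardened production setting ---
; Errors are still recorded, but to a log file readable only by the server process.
display_errors = Off
display_startup_errors = Off
log_errors = On
; Assumed placeholder path; keep the log outside the web document root.
error_log = /var/log/php/error.log
; Keep reporting broad so the log stays useful: hiding output does not fix the underlying warnings.
error_reporting = E_ALL
```

The value actually in effect (php.ini can be overridden per SAPI, per virtual host or at runtime) can be checked with `php -r 'var_dump(ini_get("display_errors"));'` for the CLI, or by inspecting phpinfo() output for the web SAPI.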
