Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 13 Sep 2012 14:39:05 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Yves-Alexis Perez <corsac@...ian.org>, security@...dpress.org
Subject: Re: CVEs for wordpress 3.4.2 release

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/13/2012 02:29 PM, Yves-Alexis Perez wrote:
> On mer., 2012-09-12 at 13:38 +0300, Hanno Boeck wrote:
>> I can't find CVEs assigend for the issues fixed in wordpress
>> 3.4.2.
>> 
>> http://wordpress.org/news/2012/09/wordpress-3-4-2/
>> 
>> 
>> Sadly, the information is quite limited: "Version 3.4.2 also
>> fixes a few security issues and contains some security hardening.
>> The vulnerabilities included potential privilege escalation and a
>> bug that affects multisite installs with untrusted users. These
>> issues were discovered and fixed by the WordPress security 
>> team."
>> 
>> I suggest assigning two: 1. potential privilege escalation 2.
>> problem with untrusted users on multisite installations unless
>> someone has more information.
> 
> It's alway pretty annoying to try to fix CVEs in wordpress
> releases, since they are usually allocated just on some release
> announcement, and thus identifying specific commits is pretty hard.
> It'd be nice if Wordpress security team could be in the loop since
> the beginning, it might help a bit later (so adding them to CC:
> now)
> 
> Regards,

They are of course welcome to ask for CVE's on distros@, just be aware
of the two week limitation (so ask as you get closer to a release).

http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

How to make a semi-private request:

If you have a semi-private issue (you want to notify vendors, but not
the entire world, giving time for it to be fixed) the easiest way to
do this is to email the distros@...openwall.org list
(http://oss-security.openwall.org/wiki/mailing-lists/distros).

Please note that one of the list requirements is that issues be
embargoed (kept private) for 2 weeks at most (e.g. 14 to 16 days
depending on when during the week the email was sent). DO NOT SEND A
REQUEST TO THIS LIST IF YOU NEED MORE THAN 2 WEEKS TO ADDRESS AND
RELEASE THE ISSUE. The distros@ list is a private list consisting of
security teams for Linux and BSD distributions. No archives of this
list exist publicly at this time, although a time delayed archive may
be created at some point (delayed at least 14-16 days so embargoed
issues don't appear in the archives). The advantage of this list is it
allows you to easily co-ordinate a public release with the projects
most likely to ship your software (e.g. Linux and BSD vendors).

Time line: I generally respond to these within one business day, this
means you'll either get a CVE or a request for more information if the
request is not properly formatted or is unclear/missing details/etc.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQUkRpAAoJEBYNRVNeJnmTk4gP/i7WlNhTKrnWbtVvIvfkKDN4
C/dwq1HyZ6b97+tMqxiaRlVy8r9vIy806Z9T4qL75stAFkN333aiLibP51iwJxo3
83LikqCFQ0yKlDHgzeP864JLUZYxwVWTIZTEsgiFOeoS5g28GV5XmT84Ub5eeCOU
T8Y11PPw3y8qY7ZZs7UKSXhIgRvAQYhzsxiJnjN4gT7FBsHtpHhmnueLM076O/4g
bQSGjQrcc4lSjGeMrsDkyCT1/ZoReg/ksLYg4g92zexhKM/RK1fVqtG3RO2sYsY5
QlFa28MsiSFtRpjJM0C6FBlEm6IIhpvzpMg0AvxNbKjZthNXSju6DPQRuk+otRLS
M7auI+v6H+oX3LhV3QN+uPzZmS/wtaCGvTZ6HQxQdM6Ak0Tel53lhNOZakT05dJJ
7WzilbF4niR7DZoxl4llXp4YTr+iHNyvII1G+3KEB4Fp2AVjcRHICZ2ylBPM2Vsl
DQ3j7A3z0tA3RBu4z1Nwv3NMgH1vRns2IpMlTKPTzSZvZLtt6XBHpvGYotqltgDA
byNjTjtiv7yftZcoABysuzxiK4jHowFlIM9gjkbPutQ2/dsrySSl+rQPO4N0PNGz
XsvdUnzERCwXmtnhWQ2hIsoc5Ak5cMrzMCrO0cP3G8SGVlNcMdRD6r3/VEGq3UNR
al+A64Gk9hYZtq9uQK3M
=DOt0
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.