Date: Wed, 19 Sep 2012 20:52:34 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request Smarty / php-Smarty: XSS in Smarty exception messages

On 09/19/2012 11:43 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> a cross-site scripting (XSS) flaw was found in the way Smarty
> sanitized exception messages:
> [1] http://secunia.com/advisories/50589/
> [2] http://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt
>
> Upstream patch:
> [3] http://code.google.com/p/smarty-php/source/detail?r=4658
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 
> P.S.: Going through the OSS archive from 2012-09 it doesn't seem 
> this has got a CVE identifier yet (but didn't look to posts from
> previous months).

I checked all CVEs for 2012/2011; this is new.

Please use CVE-2012-4437 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993