Date: Wed, 03 Oct 2012 23:39:40 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Joshua Brauer <joshua@...uerranch.com>
Subject: Re: CVE Request for Drupal Contributed Modules

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/03/2012 10:23 PM, Joshua Brauer wrote:
> Thanks, these have been posted and I'll have more catching up
> tomorrow.
>
> Just to verify the process: CVE-2012-4472 SA-CONTRIB-2012-108 is for
> multiple vulnerabilities which Drupal issued one advisory about. In
> the past I think these got separate CVEs, and we have in our
> process to report it once for each vulnerability. Which leads to
> the questions: 1) Should it have multiple CVEs? 2) Should we be
> reporting these separately or all on one?

Sorry, I was reading the titles of the advisories; usually they say
"multiple issues" when there are multiple issues, e.g. "SA-CONTRIB-2012-108
- - Drag & Drop Gallery - Arbitrary PHP code execution". Oops.

> Thanks, Josh
>
>>> Thanks, Josh - on behalf of the Drupal security team.
>>
>> Perfect, this is easy =).
>>
>> Please use the following CVEs:
>>
>> CVE-2012-4468 SA-CONTRIB-2012-104
>> CVE-2012-4469 SA-CONTRIB-2012-105
>> CVE-2012-4470 SA-CONTRIB-2012-106
>> CVE-2012-4471 SA-CONTRIB-2012-107
>> CVE-2012-4472 SA-CONTRIB-2012-108
>> CVE-2012-4473 SA-CONTRIB-2012-109
>> CVE-2012-4474 SA-CONTRIB-2012-110
>> CVE-2012-4475 SA-CONTRIB-2012-111

OK, so a clarification on CVE-2012-4472 SA-CONTRIB-2012-108 and some
additional CVEs:

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Cross Site Scripting
Please use CVE-2012-4476 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Access bypass
Please use CVE-2012-4477 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Cross Site Request Forgery
Please use CVE-2012-4478 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - SQL Injection
Please use CVE-2012-4479 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Arbitrary PHP code execution
Please continue to use CVE-2012-4472 (it's the most serious one and
listed in the title of the web page currently).

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993
A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQbSEcAAoJEBYNRVNeJnmTzGEP/RsG5IUUr9moP/p7qC3NJmw1
0p1khI8zXxmlZtUNU6suh4LRBPSOYcA2SGMC7xsTuDGV1tbJkN7Rr5t+SYeJ6qQP
KNrf6XYPP3HZsQJvkE8Hg/X7W62W9Vjc+4OOny2LYIMIM+i8GqS2W56YGodvbQQv
wOtIcLdq0jwG8yOmKDhtNxJeyY1v89Ln5cjoqB6oPgb/EOq5EnAvHyLGiXppZ45H
PV3xWiMvondje/zo1VP9ARmS/fPdXM66hRxlkgbaWhgIGKgEvUUFSQfiTxjfxbBv
SQc45bFx9AU08thaVEWKSqLgBKnLAa5yBVADaP4CwMf+X8Yrw8v62ZuzKS3Bro/N
phDZW9eGyLF+hHhlS1vor8cqBS+EF3VOYpMRx5Zf3bV0QycKhKYuvijN8B5sSX2z
zRwm8Z0k1Rc3Mya2nlaO4Rrt1wIvAEEBjUOj04UdG8eiwmEuUi2jWKoGaaIGYGSp
QFUqUzTPM4pf/PYf8QGYev7KBJDZt66LkRe/1B+l5qYo8qtXaEWS/oyf3zCQKS9t
39xkP3sNbO0QVCajnKgwZSOuE2v4hmoKnaxevdsMhozsFCllfIy3bt5pcXwHXPzY
0jX7441KtJ3FjSRmrjSoXljBvsv+bn6b6V9pLTi4AjZe0gpf0DR71IJw7WTOcWc8
Un86Mt7mCTh2VPCziQm5
=avGB
-----END PGP SIGNATURE-----