Date: Wed, 03 Oct 2012 23:39:40 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Joshua Brauer <joshua@...uerranch.com>
Subject: Re: CVE Request for Drupal Contributed Modules

On 10/03/2012 10:23 PM, Joshua Brauer wrote:
> Thanks these have been posted and I'll have more catching up
> tomorrow.
> 
> Just to verify the process: CVE-2012-4472 SA-CONTRIB-2012-108 is for
> multiple vulnerabilities which Drupal issued one advisory about. In
> the past I think these got separate CVEs, and we have in our
> process to report it once for each vulnerability. Which leads to
> the questions: 1) Should it have multiple CVEs? 2) Should we be
> reporting these separately or all on one?

Sorry, I was reading the titles of the advisories; usually they say
"multiple issues" when there are multiple issues, e.g. "SA-CONTRIB-2012-108
- Drag & Drop Gallery - Arbitrary PHP code execution". Oops.

> Thanks, Josh

>>>> Thanks, Josh - on behalf of the Drupal security team.
> 
> Perfect, this is easy =).
> 
> Please use the following CVEs:
> 
> CVE-2012-4468 SA-CONTRIB-2012-104
> CVE-2012-4469 SA-CONTRIB-2012-105
> CVE-2012-4470 SA-CONTRIB-2012-106
> CVE-2012-4471 SA-CONTRIB-2012-107
> CVE-2012-4472 SA-CONTRIB-2012-108
> CVE-2012-4473 SA-CONTRIB-2012-109
> CVE-2012-4474 SA-CONTRIB-2012-110
> CVE-2012-4475 SA-CONTRIB-2012-111


Ok, so a clarification on CVE-2012-4472 SA-CONTRIB-2012-108 and some
additional CVEs:

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Cross Site Scripting
Please use CVE-2012-4476 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Access bypass
Please use CVE-2012-4477 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Cross Site Request Forgery
Please use CVE-2012-4478 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - SQL Injection
Please use CVE-2012-4479 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Arbitrary PHP code execution
Please continue to use CVE-2012-4472 (it's the most serious one and
listed in the title of the web page currently).


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
