Date: Tue, 30 Oct 2012 21:22:57 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: David Jorm <djorm@...hat.com>
Subject: Re: CVE request: XSS is Google Web Toolkit (GWT)

On 10/29/2012 07:26 PM, David Jorm wrote:
> I note that with the release of google web toolkit (GWT) 2.5, a
> security flaw has been resolved. The best details I can find are
> at:
>
> https://developers.google.com/web-toolkit/release-notes#Release_Notes_2_4_0
> (scroll to "Security vulnerability in GWT 2.4")
>
> The release notes state:
>
> "Recently, the GWT team discovered a cross-site scripting
> vulnerability in the 2.4 Beta and Release Candidate releases (not
> in v2.3 GA or v2.4 GA). This vulnerability was partially fixed in
> the 2.4 GA release and completely fixed in the 2.5 GA release. If
> you have an app that's been built with 2.4 then you'll need to get
> the latest 2.5 release, recompile your app, and redeploy."
>
> I can't find any details on the flaw, a CVE ID, a public bug or a
> commit. I have contacted security@...gle asking for these details,
> but no response yet. Can we assign a CVE ID to this flaw in the
> absence of these details?
>
> Thanks

Ok no replies from Google security@ or anyone else at Google.

Please use CVE-2012-4563 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993