Date: Fri, 09 Nov 2012 22:47:49 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Matthew Wilkes <matthew.wilkes@...ne.org>,
        Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Jan Pokorny <jpokorny@...hat.com>,
        Plone Security Team <security@...ne.org>,
        Mitre CVE assign department <cve-assign@...re.org>
Subject: Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix

On 11/09/2012 01:46 AM, Kurt Seifried wrote:
> On 11/07/2012 09:30 AM, Matthew Wilkes wrote:
>> Hi *,
> 
>> Jan has asked me for a breakdown of what patches in our bulk
>> hotfix relate to what issues, so here you go:
> 
> [snip]
> 
>>> =>  preliminary 24 CVE ids needed.
> 
>> Once we get twenty four assigned I'll match them against this list
>> in the same order.
> 
>> Matt
> 
> Some questions; I put the CWEs/credits in as well:
> 
> https://plone.org/products/plone/security/advisories/20121106/01 -
> registerConfiglet.py CWE-306

Please use CVE-2012-5485 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/02 -
> setHeader.py CWE-113

Please use CVE-2012-5486 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/03 -
> allowmodule.py CWE-749

Please use CVE-2012-5487 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/04 -
> python_scripts.py createObject CWE-95

Please use CVE-2012-5488 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/05 -
> get_request_var_or_attr.py CWE-306

Please use CVE-2012-5489 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/06 -
> kssdevel.py CWE-79 Richard Mitchell (Plone security team)

Please use CVE-2012-5490 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/07 -
> widget_traversal.py CWE-749 David Glick (Plone Security Team)

Please use CVE-2012-5491 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/08 -
> uid_catalog.py CWE-749, CWE-306 Richard Mitchell (Plone security Team)

Please use CVE-2012-5492 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/09 -
> gtbn.py CWE-20 Alan Hoey (Plone security team)

Please use CVE-2012-5493 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/10 -
> python_scripts.py {u,}translate CWE-79 John Carr (Isotoma)

Please use CVE-2012-5494 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/11 -
> python_scripts.py go_back CWE-95

Please use CVE-2012-5495 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/12 -
> kupu_spellcheck.py CWE-116, CWE-138 Richard Mitchell (Plone security team)

Please use CVE-2012-5496 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/13 -
> membership_tool.py CWE-749, CWE-359 Daniel Kraft (d9t.de)

Please use CVE-2012-5497 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/14 -
> queryCatalog.py CWE-749 Richard Mitchell (Plone security team)

Please use CVE-2012-5498 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/15 -
> python_scripts.py formatColumns CWE-749 Richard Mitchell (Plone
> security team)

Please use CVE-2012-5499 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/16 -
> renameObjectsByPaths.py CWE-749, CWE-359

Please use CVE-2012-5500 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/17 -
> at_download.py CWE-306 Alessandro SauZheR

Please use CVE-2012-5501 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/18 -
> safe_html.py CWE-79 Mauro Gentile

Please use CVE-2012-5502 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/19 -
> ftp.py CWE-306 mksht80

Please use CVE-2012-5503 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/20 -
> widget_traversal.py CWE-749, CWE-79 Alan Hoey (Plone security team)

Please use CVE-2012-5504 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/21 -
> atat.py CWE-749 Roel Bruggink (fourdigits)

Please use CVE-2012-5505 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/22 -
> python_scripts.py CWE-20 David Beitey (James Cook University)

Please use CVE-2012-5506 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/23 -
> django_crypto.py CWE-208 Bastian Blank

Please use CVE-2012-5507 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/24 -
> random_string CWE-330 Christian Heimes

Please use CVE-2012-5508 for this issue.

> It looks like some of these can be CVE merged, e.g. 14 and 15, 1 and
> 5, can you confirm that these should not be merged?
> 
> http://cve.mitre.org/cve/editorial_policies/cd_abstraction.html

As per Steve, ignore the merge stuff.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
