Date: Wed, 28 Nov 2012 10:37:40 -0700
From: Vincent Danen <vdanen@...hat.com>
To: Ricardo Mones <ricardo@...es.org>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request -- vCalendar plugin for Claws Mail:
 credentials exposed on interface

* [2012-11-28 18:13:42 +0100] Ricardo Mones wrote:

>  Hi Vincent,
>
>On Wed, Nov 28, 2012 at 09:44:53AM -0700, Vincent Danen wrote:
>> * [2012-11-15 13:36:13 +0100] Ricardo Mones wrote:
>>
>> > This has been reported on our bugzilla:
>> > http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782
>> >
>> > There's still no fix available. Could a CVE id be allocated for this if
>> >appropriate?
>> >
>> > thanks in advance,
>> >
>> >P.S.: I'm not subscribed to the list.
>>
>> I don't know if this ever got a CVE or not; if it did I don't see a
>> reference.
>>
>> Also, according to this bug report it's fixed, but I can't find the
>> patch in your CVS tracker.  Can you provide a link to it?
>
>  Unfortunately tracker only tracks changes to core, not to plugins, but
>the patch is committed also into the Debian packaging, so this link may
>serve:
>
>http://anonscm.debian.org/gitweb/?p=users/mones/claws-mail-extra-plugins.git;a=commitdiff;h=a3f91d21b32dd0b63b28ccb0c6f7a73939b14c9a
>
>> And, if a CVE hasn't been assigned, perhaps Kurt or someone could assign
>> one?
>
>  It's got one, but seems the list was not included in recipients:
>
>> Please use CVE-2012-5527 for this issue.

Fantastic, thank you for both of these.

-- 
Vincent Danen / Red Hat Security Response Team 
