Date: Thu, 17 Jan 2013 10:50:49 -0500 (EST)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Forest Monsen <forest.monsen@...il.com>,
        Drupal Security Team <security@...pal.org>,
        Mitre CVE assign department <cve-assign@...re.org>
Subject: CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63 issue and two
 Drupal modules issues)

Hello Kurt, Steve, Forest, Drupal Security Team, vendors,

  @Forest: Apologies for requesting CVE ids instead of you,
but I will explain the reasons below shortly.

  Drupal upstream has released Drupal 6.28 and Drupal 7.19 versions,
correcting multiple security flaws:
[A] http://drupal.org/SA-CORE-2013-001
* Issue #1 - Cross-site scripting (Various core and contributed modules - Drupal 6 and 7)
* Issue #2 - Access bypass (Book module printer friendly version - Drupal 6 and 7)
* Issue #3 - Access bypass (Image module - Drupal 7)

While issue #1 also affects the version of the jquery.js JQuery JavaScript library,
as shipped within Drupal, the original XSS JQuery upstream report is here:
[B] http://bugs.jquery.com/ticket/9521

with mention about the fix in JQuery 1.6.3 version here:
[C] http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/

After a further look, the same issue also needs to be fixed in drupal7-jquery_update:
[D] https://bugzilla.redhat.com/show_bug.cgi?id=896467
[E] http://drupal.org/project/jquery_update

and python-tw-jquery packages: 
[F] http://toscawidgets.org

Also python-tw2-jquery package:
[G] http://toscawidgets.org

seems to ship various embedded versions of the jquery.js library implementation.
Since there might be more of the components / packages, shipping the vulnerable
JQuery version the first CVE identifier should be allocated to the original
JQuery issue.

@Drupal security team - could you clarify if to fix the first issue,
there was yet some other Drupal specific patch / change (besides the
JQuery library update), which would require yet another (fourth) CVE
id to be allocated?

@Mitre CVE assign department team, could you clarify, if you have already
assigned CVE identifiers for these issues and if so, for which source code
base it was?

If Drupal upstream just updated JQuery version to not-vulnerable 1.6.3 [B], [C]
within Drupal core, then three ids are sufficient (one for JQuery, one for
Drupal Book module issue, one for Drupal Image module issue).

On the other hand, if there was yet some Drupal specific patch (besides JQuery
update) needed to fix #1 issue - four CVE identifiers should be allocated
(after my understanding).

Could you allocate them / if allocated already, let us know the particular
ids and which source code they were allocated for?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
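
The message above notes that several packages embed their own copy of jquery.js and that versions before 1.6.3 are affected. The following is an added example, not part of the original post: a first-pass audit that reads the version banner of each bundled .js file and flags copies below 1.6.3. The function names, banner patterns and sample contents are assumptions made for illustration.

```python
import os
import re

FIXED = (1, 6, 3)  # first jQuery release with the fix, per [C] in the post

# Banner styles in jQuery 1.x files: header comments and the in-code property.
BANNERS = [
    re.compile(r"jQuery JavaScript Library v(\d+(?:\.\d+){1,2})"),
    re.compile(r"jQuery v(\d+(?:\.\d+){1,2})"),
    re.compile(r"""\bjquery\s*:\s*["'](\d+(?:\.\d+){1,2})["']"""),
]

def jquery_version(text):
    """Return the embedded jQuery version as a 3-tuple, or None if absent."""
    for rx in BANNERS:
        m = rx.search(text)
        if m:
            parts = [int(p) for p in m.group(1).split(".")]
            return tuple(parts + [0] * (3 - len(parts)))
    return None

def classify(text):
    """'needs-review' below FIXED, 'ok' at or above it, 'no-banner' otherwise."""
    v = jquery_version(text)
    if v is None:
        return "no-banner"
    return "needs-review" if v < FIXED else "ok"

def scan_tree(root):
    """Walk an unpacked package tree and classify every .js file in it."""
    results = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[path] = classify(fh.read(65536))
    return results

# Constructed sample file contents (not taken from any real package).
SAMPLES = {
    "misc/jquery.js": "/*!\n * jQuery JavaScript Library v1.4.4\n */",
    "static/jquery.min.js": "/*! jQuery v1.7.2 jquery.com | jquery.org/license */",
    "replace/jquery.min.js": '(function(a,b){f.fn=f.prototype={jquery:"1.5.2"}})',
}

if __name__ == "__main__":
    for path, text in sorted(SAMPLES.items()):
        print(path, classify(text))
```

A banner check cannot see fixes that a distribution backported without changing the version string, so a "needs-review" result calls for checking the packaged source by hand.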
