Date: Fri, 18 Jan 2013 16:02:51 -0700
From: Greg Knaddison <greg.knaddison@...il.com>
To: security@...pal.org, Jan Lieskovsky <jlieskov@...hat.com>
Cc: oss-security@...ts.openwall.com, 
	Mitre CVE assign department <cve-assign@...re.org>, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: [security] CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63
 issue and two Drupal modules issues)

Response below.

On Thu, Jan 17, 2013 at 8:50 AM, Jan Lieskovsky <jlieskov@...hat.com> wrote:
> @Drupal security team - could you clarify if to fix the first issue,
> there was yet some other Drupal specific patch / change (besides the
> JQuery library update), which would require yet another (fourth) CVE
> id to be allocated?

The fix we added to Drupal does not require (or implement) an update
to the jQuery library at all; rather it works around the issue
entirely within Drupal's code.  I think that means it should get its
own CVE ID.

We did it this way because it means that any other Drupal packages,
such as drupal7-jquery_update, would not be expected to have a
vulnerability as long as the core update is applied.

I believe this means that yes, we will need a fourth CVE id to be allocated.

Thanks,
Greg
