Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 18 Jan 2013 16:02:51 -0700
From: Greg Knaddison <greg.knaddison@...il.com>
To: security@...pal.org, Jan Lieskovsky <jlieskov@...hat.com>
Cc: oss-security@...ts.openwall.com, 
	Mitre CVE assign department <cve-assign@...re.org>, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: [security] CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63
 issue and two Drupal modules issues)

Response below.

On Thu, Jan 17, 2013 at 8:50 AM, Jan Lieskovsky <jlieskov@...hat.com> wrote:
> @Drupal security team - could you clarify if to fix the first issue,
> there was yet some other Drupal specific patch / change (besides the
> JQuery library update), which would require yet another (fourth) CVE
> id to be allocated?

The fix we added to Drupal does not require (or implement) an update
to the jQuery library at all; rather it works around the issue
entirely within Drupal's code.  I think that means it should get its
own CVE ID.

We did it this way because it means that any other Drupal packages,
such as drupal7-jquery_update, would not be expected to have a
vulnerability as long as the core update is applied.

I believe this means that yes, we will need a fourth CVE id to be allocated.

Thanks,
Greg

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.