Date: Fri, 18 Jan 2013 16:02:51 -0700
From: Greg Knaddison <>
To:, Jan Lieskovsky <>
	Mitre CVE assign department <>, "Steven M. Christey" <>
Subject: Re: [security] CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63
 issue and two Drupal modules issues)

Response below.

On Thu, Jan 17, 2013 at 8:50 AM, Jan Lieskovsky <> wrote:
> @Drupal security team - could you clarify if to fix the first issue,
> there was yet some other Drupal specific patch / change (besides the
> JQuery library update), which would require yet another (fourth) CVE
> id to be allocated?

The fix we added to Drupal does not require (or implement) an update
to the jQuery library at all; rather it works around the issue
entirely within Drupal's code.  I think that means it should get its
own CVE ID.

We did it this way because it means that any other Drupal packages,
such as drupal7-jquery_update, would not be expected to have a
vulnerability as long as the core update is applied.

I believe this means that yes, we will need a fourth CVE id to be allocated.

