Date: Fri, 18 Jan 2013 16:02:51 -0700
From: Greg Knaddison <greg.knaddison@...il.com>
To: security@...pal.org, Jan Lieskovsky <jlieskov@...hat.com>
Cc: oss-security@...ts.openwall.com, Mitre CVE assign department <cve-assign@...re.org>, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: [security] CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63 issue and two Drupal modules issues)

Response below.

On Thu, Jan 17, 2013 at 8:50 AM, Jan Lieskovsky <jlieskov@...hat.com> wrote:
> @Drupal security team - could you clarify if to fix the first issue,
> there was yet some other Drupal specific patch / change (besides the
> JQuery library update), which would require yet another (fourth) CVE
> id to be allocated?

The fix we added to Drupal does not require (or implement) an update to the jQuery library at all; rather it works around the issue entirely within Drupal's code. I think that means it should get its own CVE ID.

We did it this way because it means that any other Drupal packages, such as drupal7-jquery_update, would not be expected to have a vulnerability as long as the core update is applied.

I believe this means that yes, we will need a fourth CVE id to be allocated.

Thanks,
Greg