Date: Mon, 25 Mar 2013 06:02:21 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: kseifried@...hat.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Drupal Security Team <security@...pal.org>,
        oss-security@...ts.openwall.com,
        Forest Monsen <forest.monsen@...il.com>
Subject: Re: CVE Request -- drupal7-views : SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)

Hi Kurt,

  thanks for assigning the CVE id. To follow up on the doubt below:

----- Original Message -----
> On 03/22/2013 07:23 AM, Jan Lieskovsky wrote:
>> Hello Kurt, Steve, Drupal Security Team, vendors,
>> 
>> Drupal upstream has released: [1] http://drupal.org/node/1948358
>
> CVE-2013-1887
>
>> and updated version of the Views module (Views 7.x-3.6): [2]
>> http://drupal.org/node/1948354
>> 
>> correcting one cross-site scripting (XSS) flaw.
>
> The security issue in views is caused by various places in the views
> UI where a string is not sanitized,
> because it has been assumed to be static and by committers, though you
> can change some of these strings using other administrative
> permissions. SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)
> 
> I'm a bit confused, is this via SA-CONTRIB-2013-035 or a separate
> issue as well?

Those are the same issues (it's possible to get from the SA-CONTRIB-2013-035
link to the http://drupal.org/node/1948354 link [just click on
Views 7.x-3.6 in SA-CONTRIB-2013-035]).

In other words, it looks like CVE-2013-1887 (previously) occurred at
various places. The relevant upstream patch seems to be this one:
  http://drupalcode.org/project/views.git/commitdiff/ddf8181bd13f69ffbeeee14ae72168418785d7ac

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>> AFAICT from [1], there doesn't seem to be a CVE identifier for this
>> issue yet.
>> 
>> Could you allocate one?

> -- 
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
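As an added illustration of the flaw class Kurt quotes above (this is not code from the Views module, from the upstream patch, or from anyone in this thread): a UI string that was hard-coded when written, and so treated as static, later becomes editable through an administrative permission but is still concatenated into HTML unescaped. The `check_plain()` shim, the `render_label_*` helpers and the option value are assumptions constructed for this example.

```php
<?php
// Shim for Drupal 7's check_plain() so the file runs outside Drupal
// (assumption: Drupal 7 implements it as htmlspecialchars() with
// ENT_QUOTES and UTF-8).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Hypothetical handler helpers, not the Views code base. "Before": the
// label was hard-coded by the committer, so it was concatenated into the
// markup as-is. Once a UI change let administrators edit it, this became
// a stored XSS sink for any account holding the relevant permission.
function render_label_vulnerable(array $options) {
  return '<span class="views-label">' . $options['label'] . '</span>';
}

// "After": escape at output time. Any string reachable through stored
// configuration is user-controlled, however static it looked when the
// code was written.
function render_label_hardened(array $options) {
  return '<span class="views-label">' . check_plain($options['label']) . '</span>';
}

// Constructed option value standing in for what an admin-level account
// could have saved through the Views UI.
$options = array('label' => 'Total <script>alert(1)</script>');

echo render_label_vulnerable($options), "\n";  // markup passes through unescaped
echo render_label_hardened($options), "\n";    // entity-encoded, rendered as text

// Sanity check a reviewer can run: the hardened output contains no raw tag.
assert(strpos(render_label_hardened($options), '<script>') === false);
```

The same rule applies to `t()` placeholders in Drupal 7: `@name` and `%name` are escaped, while `!name` inserts the value verbatim and must only be used for strings that are genuinely fixed in code.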
