Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 04 Aug 2013 23:47:16 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: XSS in Google Web Toolkit (GWT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/04/2013 10:56 PM, David Jorm wrote:
> I note that with the release of Google Web Toolkit (GWT) 2.5.1, a
> security flaw has been resolved:
> 
> http://www.gwtproject.org/release-notes.html#Release_Notes_2_5_1_RC1
> ("Security Fixes")
> 
> The release notes state: Fixed an XSS vulnerability in html files
> used by GWTTestCase (patch). These files will only be included in a
> GWT app if it depends on the JUnit module. Despite the fix, this is
> not recommended.
> 
> The patch is here: 
> https://code.google.com/p/google-web-toolkit/source/detail?r=11385
> 
> I have reproduced this flaw and can confirm it is reflected XSS. I
> have previously contacted security@...gle asking for CVE IDs for
> GWT flaws, but never received a response. Please assign a CVE ID to
> this flaw.
> 
> Thanks

So according to
http://cve.mitre.org/cve/cna.html
Google is a CVE Numbering Authority but I can't find a CVE in google
(irony?) for this so I guess they missed it. Please use CVE-2013-4204
for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR/zxhAAoJEBYNRVNeJnmTgtEQAJ2gmoFcYw9EXIWtQBLkykBq
7GShyEcaxY43Ecm38TEIMElHxXsiX6QoI16O0AzkMi2N0TsKjxp0Lvf7zfU3fhqI
+juPu2bqKP+yGRJKcb5RoEUr1QGkvS8e4BBTK/572shziiC7j+hvdYYOR3sFvmQw
q8HiLIx/in+MUgB+V9XIOyKk5C8v60C8CQ8EH4oqD8q8YScq/HioaKgrs4GJqCUA
tbnHPuah9WBOyS0RstyDPAsDRXVGl081mPlq0fllHq28sArbZo+gB1ZgDMhvVhbv
AghVzKYt8px3FLi+MVlSTOGeIrTXtpsTWQ66DKxfYfsj1iNh+T3B/fD4H08c4hqX
46rEUBwGKvdNIcg6+DsHvni/6zXBry8qA9x3xwnfUK0xDhZZ8qXN5uXhPqLCM64N
TADtIVy5R0f1pv9SNRUMuKBPs+Pw5kimgnYaM45i1E8ilSxHVX6JKsTukx89DK+0
YK674UeTPVQIelFFG8EnasINjgua2kEEaFWsqMPcLbeFsHZA9AD7GpEC6vilTrQz
w8ApJ90Ti1oU0eZ1oMhpcjkgjQaS/ZIwYAkIZnLq9Xi5/jGu6aB0sum4fPd8Fytt
QDWdJwfTaWq8pNa4M/wwLJGP89EQFunXfGwLd4iloJEHeDSRbmj7H0lRax4DSxeJ
+07h7kydenYwxrVTBUL3
=roNw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ