Date: Sun, 04 Aug 2013 23:47:16 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: XSS in Google Web Toolkit (GWT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/04/2013 10:56 PM, David Jorm wrote:
> I note that with the release of Google Web Toolkit (GWT) 2.5.1, a
> security flaw has been resolved:
> 
> http://www.gwtproject.org/release-notes.html#Release_Notes_2_5_1_RC1
> ("Security Fixes")
> 
> The release notes state: Fixed an XSS vulnerability in html files
> used by GWTTestCase (patch). These files will only be included in a
> GWT app if it depends on the JUnit module. Despite the fix, this is
> not recommended.
> 
> The patch is here: 
> https://code.google.com/p/google-web-toolkit/source/detail?r=11385
> 
> I have reproduced this flaw and can confirm it is reflected XSS. I
> have previously contacted security@...gle asking for CVE IDs for
> GWT flaws, but never received a response. Please assign a CVE ID to
> this flaw.
> 
> Thanks

So according to
http://cve.mitre.org/cve/cna.html
Google is a CVE Numbering Authority but I can't find a CVE in google
(irony?) for this so I guess they missed it. Please use CVE-2013-4204
for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
-----END PGP SIGNATURE-----
