Date: Thu, 16 Jan 2014 22:39:51 -0800 From: Reed Loden <reed@...dloden.com> To: oss-security@...ts.openwall.com Cc: mmcallis@...hat.com Subject: Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page On Fri, 17 Jan 2014 13:02:03 +1100 Murray McAllister <mmcallis@...hat.com> wrote: > We recently received a report from Teguh P. Alko about an issue > affecting Jenkins. Input was not sanitized before adding it to the page. > The fix is public here since the start of 2013: > > https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16 is the security advisory that includes the above fix. > This could be used for copy and paste attacks, with the end result being > similar to that of cross-site scripting attacks. It has been assigned > CVE-2013-6488. Fairly sure that's just a dupe of CVE-2013-0328. See http://seclists.org/oss-sec/2013/q1/368. > Please credit at least "Teguh P. Alko" in any advisories. Why? He/she's not the original reporter. > I am Cc'ing Reed to see if he knows who the other independent reporter > is (from that Jira "SECURITY-46" bug in the above commit; as I > understand it those bugs are not made public but I could be wrong). Jenkins's SECURITY-46 maps to https://bugzilla.mozilla.org/show_bug.cgi?id=819251, which I just opened up. The reporter is "Atulkumar Hariba Shedage". Hope that helps. ~reed
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ