Date: Fri, 17 Jan 2014 23:41:31 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: mmcallis@...hat.com, Kohsuke Kawaguchi <kk@...suke.org>
Subject: Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/16/2014 11:39 PM, Reed Loden wrote:
> On Fri, 17 Jan 2014 13:02:03 +1100 Murray McAllister
> <mmcallis@...hat.com> wrote:
> 
>> We recently received a report from Teguh P. Alko about an issue 
>> affecting Jenkins. Input was not sanitized before adding it to
>> the page. The fix is public here since the start of 2013:
>> 
>> https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e
>> 
>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
>> is the security advisory that includes the above fix.
> 
>> This could be used for copy and paste attacks, with the end
>> result being similar to that of cross-site scripting attacks. It
>> has been assigned CVE-2013-6488.
> 
> Fairly sure that's just a dupe of CVE-2013-0328. See 
> http://seclists.org/oss-sec/2013/q1/368.
> 
>> Please credit at least "Teguh P. Alko" in any advisories.
> 
> Why? He/she's not the original reporter.
> 
>> I am Cc'ing Reed to see if he knows who the other independent
>> reporter is (from that Jira "SECURITY-46" bug in the above
>> commit; as I understand it those bugs are not made public but I
>> could be wrong).
> 
> Jenkins's SECURITY-46 maps to 
> https://bugzilla.mozilla.org/show_bug.cgi?id=819251, which I just 
> opened up. The reporter is "Atulkumar Hariba Shedage".
> 
> Hope that helps.
> 
> ~reed

The problem is we can't easily map things against a security advisory
such as

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16

because there are minimal details. There is no mention of which issue
is which and so on. If you can include the ISSUE-NN number in
advisories in future, that will prevent such problems, thanks!

If this is indeed a duplicate then yes, we need to REJECT CVE-2013-6488.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJS2iIbAAoJEBYNRVNeJnmTCPkP/jowT8Y+V2yCHoi3gtUq2miF
RbZiXL9xussZEs2e3B6F1jGua7lDa7sYC5vi4hDgRZU38+GMhQSj3pAEVykddnL5
5s9X8AFtpwOfs7N556BYGloDeIRpQ3GpgyIOzh8l7rV5r5C39sQsGcIqJr3DuiOf
EODHTayODOW2kULvhJyqvWtHywjAWYHxL4AVVnQ6vio+j8pDk7mX2/MDRLNn4cI4
fG0YIZWAVycBvxRbOsSj+ocim3YiDGUXo7kdagDXyHxFBZJMJUh2NJ4TnbOAefKG
hS9QsdI2fey+8XLisT3bA6fJH3gtGT3qjctdSz9pOTklwNGzTss3rTMs7UeDo97i
5AfyznIZDbl2/GoXtV3nJvoX3QuK1RgnvA70C28bNMfx+qh6rPYvAD5/ziDOnlEn
EepXuGVgW+KLgv81EdC/4h1RPJceRrjuCpV1baRUBOfLsAid8udSwccMf6+z1PQp
DQ/srBSXWYOx7Erp58jFLfjnTJiBa2syhlFoOJ6asenik+spNWehmXzURTdujtHW
PJQSXj7DYv8J2GeLOG8CoUnpaHXhV8tp2g/d23i0ygHeIDWISCo19o/eNWLdfydk
D9AX47dy4dB20s7eVIcx3O17++t0W83mczj/8nXUZGViYHdfVc0Jal5dnatvIjIn
uSNKaaP57hIXeHGdaDKC
=vb1o
-----END PGP SIGNATURE-----
