Date: Mon, 20 Jan 2014 13:02:43 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Reed Loden <reed@...dloden.com>, Kurt Seifried <kseifrie@...hat.com>
Subject: Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page

On 01/19/2014 04:31 PM, Murray McAllister wrote:
> On 01/17/2014 05:39 PM, Reed Loden wrote:
>> On Fri, 17 Jan 2014 13:02:03 +1100 Murray McAllister
>> <mmcallis@...hat.com> wrote:
>> 
>>> We recently received a report from Teguh P. Alko about an
>>> issue affecting Jenkins. Input was not sanitized before adding
>>> it to the page. The fix is public here since the start of
>>> 2013:
>>> 
>>> https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e
>>
>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
>>
>> is the security advisory that includes the above fix.
>> 
>>> This could be used for copy and paste attacks, with the end
>>> result being similar to that of cross-site scripting attacks.
>>> It has been assigned CVE-2013-6488.
>> 
>> Fairly sure that's just a dupe of CVE-2013-0328. See 
>> http://seclists.org/oss-sec/2013/q1/368.
> 
> It is a dupe :( Thanks for pointing this out.
> 
> -- Murray McAllister / Red Hat Security Response Team

Sorry, I should have been more explicit: please REJECT
CVE-2013-6488 as it is a duplicate of CVE-2013-6488

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
