Date: Mon, 20 Jan 2014 13:02:43 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Reed Loden <reed@...dloden.com>, Kurt Seifried <kseifrie@...hat.com> Subject: Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/19/2014 04:31 PM, Murray McAllister wrote: > On 01/17/2014 05:39 PM, Reed Loden wrote: >> On Fri, 17 Jan 2014 13:02:03 +1100 Murray McAllister >> <mmcallis@...hat.com> wrote: >> >>> We recently received a report from Teguh P. Alko about an >>> issue affecting Jenkins. Input was not sanitized before adding >>> it to the page. The fix is public here since the start of >>> 2013: >>> >>> https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e >>> >> >> >>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16 >> >> is the security advisory that includes the above fix. >> >>> This could be used for copy and paste attacks, with the end >>> result being similar to that of cross-site scripting attacks. >>> It has been assigned CVE-2013-6488. >> >> Fairly sure that's just a dupe of CVE-2013-0328. See >> http://seclists.org/oss-sec/2013/q1/368. > > It is a dupe :( Thanks for pointing this out. > > -- Murray McAllister / Red Hat Security Response Team Sorry, I should have been more be explicit: please REJECT CVE-2013-6488 as it is a duplicate of CVE-2013-6488 - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJS3YDjAAoJEBYNRVNeJnmTayYQAJsCcIuDeiGmn+0lLSHAfokN cnz15OjOMRXUNdGk7qAzUcsBAGArN8iUyA/dGay5bv6/SmWRG8gWXgUsx3uCzDoL s2ZiMAXNi8qawKKuTQf3wM8YK/Q9jVI88vWDBE1ubbF9hJR+BmMVPHXTvyuoqURx tnwSwBf0H1Fcom0WSghMJfHZDBsMCYw9V/zWJ6X9CB/5CwPF6sBgECiS2x/cwAQh fV4xzybedIe62opUVblCbnw2YCu+NCCKpbRluM6NVcFL+Z4U73UPDEWzfpUtllIi JSas0FBsvjuh9F8svcfDn5h10mH0YtNkkCawKJlXjLjgLYXw35vVXZ+jkAYYzzDA 4eAnJcKSRDTeATLVdYEpqgbUciq91HpH3l6ZVjbeRM8VyzhWhVAMOWHplCKTkCcC nTh9VQ7J1EemWCa9fH+vWqsxDLJ1quOyBiP/NC2lJxTkytAX9igZ6BdQgQQz2UhR ZPlil7RwdujZopU5py9TleY2n/fqZSvStLm/CwdIVM4JA/LgcksPLjuol1IiK8ee oc7UtHcAG0aNsulBk16xJk3LRZLRdOgm0ZqDdjDLSsTeeHm7BLnQIO07gJKqD6+l pVjx5jITgBJdnyWIMIZMUMs4ps0l+odVlHnOoJzvYVl7YH71VLD/CJpRET33nnQD 3aCCYkM7RS2fsgL4EbVz =lWID -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ