Date: Mon, 20 Jan 2014 22:42:29 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Reed Loden <reed@...dloden.com>, Kurt Seifried <kseifrie@...hat.com>
Subject: Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/20/2014 01:02 PM, Kurt Seifried wrote:
> On 01/19/2014 04:31 PM, Murray McAllister wrote:
>> On 01/17/2014 05:39 PM, Reed Loden wrote:
>>> On Fri, 17 Jan 2014 13:02:03 +1100 Murray McAllister 
>>> <mmcallis@...hat.com> wrote:
>>> 
>>>> We recently received a report from Teguh P. Alko about an 
>>>> issue affecting Jenkins. Input was not sanitized before
>>>> adding it to the page. The fix is public here since the start
>>>> of 2013:
>>>> 
>>>> https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e
>>>>
>>>
>>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
>>> is the security advisory that includes the above fix.
>>>
>>>> This could be used for copy and paste attacks, with the end 
>>>> result being similar to that of cross-site scripting
>>>> attacks. It has been assigned CVE-2013-6488.
>>> 
>>> Fairly sure that's just a dupe of CVE-2013-0328. See 
>>> http://seclists.org/oss-sec/2013/q1/368.
> 
>> It is a dupe :( Thanks for pointing this out.
> 
>> -- Murray McAllister / Red Hat Security Response Team
> 
> Sorry, I should have been more explicit: please REJECT 
> CVE-2013-6488 as it is a duplicate of CVE-2013-6488

Gah I mean: please REJECT CVE-2013-6488 as it is a duplicate of
CVE-2013-0328


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
