Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 28 Jun 2015 12:20:52 +0100
From: Matthew Wilkes <matt@...thewwilkes.name>
To: cve-assign@...re.org, matthew@...thewwilkes.co.uk
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Django CMS

> Use CVE-2015-5081 for the CSRF issue.

Thank you!

> The cms.changelist.js and cms.toolbar.js changes include a comment
> "send post request to prevent xss attacks." The "xss" word choice
> might be a mistake. We are not currently assigning a CVE ID for a
> separate XSS issue.

I believe you are correct.

> CVE IDs were not assigned on a per-discoverer basis here because there
> was no available information suggesting that different persons
> independently discovered different CSRF problems.

I don't believe that they were different, having read the public 
information. I've asked for clarification from the vendor, though.

If anything, my logic for including the information about credit was to 
emphasise that it was one issue reported by two people and make us both 
searchable, in case there is confusion if one or both of us write up the 
issue in future.

Thanks,

Matt

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ