Date: Mon, 12 Oct 2015 12:16:12 -0400 (EDT) From: cve-assign@...re.org To: nathan.van.gheem@...ne.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: Plone CSRF -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > Can a CVE be assigned to this issue, please? > > https://plone.org/security/20151006/multiple-csrf-vulnerabilities-in-zope > https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf > > Plone is built on the Zope2 application framework. In the Zope2 application > framework, there are multiple CSRF vulnerabilities. The latest version of > Plone has automatic CSRF protection integrated at the database layer. This > patch basically backports the latest automatically CSRF infrastructure to > Plone 4.x. The vulnerability information can be covered in CVE; however, we do not really understand why it is being presented in this way. https://github.com/plone/plone4.csrffixes says "there are a lot of CSRF problem with the ZMI that Zope2 will never be able to fix." It seems that, normally, if one or more persons had discovered CSRF problems in Zope2, then they could have CVE IDs for their discoveries. Why is this a "never be able to fix" situation? Is there, more or less, a requirement that Zope2 allow arbitrary requests from clients that have never previously read the content of any web page, because of the variety of ways that Zope2 is used? In that situation, the request behavior of Zope2 would not necessarily be considered a Zope2 vulnerability. Also, a separate issue is that the CVE request is specifically about backporting. It seems that, at some time in the past, the possibility of CSRF attacks against default Plone sites was identified and this motivated the development of auto CSRF protection in Plone 5. Normally, an assignment of a CVE ID or IDs would be associated with the original discovery, not a later backporting of fixes. Are these equivalent in this case: for example, were all of the CSRF attack possibilities against default Plone sites discovered by Plone Foundation contributors, and security-vulnerability-20151006-csrf is the first general public announcement that these CSRF issues existed at all? - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWG9wmAAoJEL54rhJi8gl5n6oQAKXuzwqb4bmBs4K5NhpJ4NtI d37u737MsJSGLLtXGlrupC2XDwq/LuSN80SmOQVYnPn4EU4SU+17bvwjOP30LECD DJMt7m10LuGjamyrbFGfALzXh0iPkZHoUN289c+oQZN9P8pdVlVfZlVrgZP2KPQk 3MbELeGrh0NogA2+yRFAdufKQovo4cnyQuHsxqpV/7Mv+YJwlFInhJVcrI35F5TF R3sDKoIkjMXicPRA9+9dZYnTeNmypGVhuBUhG6UwW+Ob4dlR6fAyMH6NV+977r+5 9DnDsyHQ+6axYqNT/+4kY1tXHi9dXvhSoV71OGtcMODknD7RyiVdF1DpuJl7PP7Y u+TaqrN7A7x5kalSCspLYsYlvciyIXURJv32ZANVeT/67mEqnWky7ZnoUrssPqzf FIgqAM1MUPD9KT+P9zDoiG0oFfVKpu9EqLlo372pyw+nVn/2U0fPdGzKro+kOZGQ CU+wxdFX2xwZTAsP1JXzHBoHEY0Q/i+GSAlqHvNuILlLgdypPS9YxiCNc0pVmsBE 2HRxNoZAWBhiAD/B/nEFjNyvi6yGzz35QNhaYGeMQpVrlDh65BNt3wT+pkCxB/tr W7ZbRsu4DBxt/yyVy9FqOdw0eIqo2beplKxVWHjbAIKapQjCyJ0VXD887CBw7AlC uVpQbre4M9bmYXVg95Bz =tvlJ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ