Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jun 2016 22:40:15 -0400 (EDT)
From: cve-assign@...re.org
To: jens.erat@...-konstanz.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: several SOGo issues (DOS, XSS, information leakage)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

We have a few questions about this. First, several of the
https://sogo.nu/bugs URLs provide an "Access Denied" response and we
were wondering whether that was intentional. MITRE has no role in
determining the list charter, but
http://oss-security.openwall.org/wiki/mailing-lists/oss-security says
"List Content Guidelines ... Any security issues that you post to
oss-security should be either already public or to be made public by
your posting."

When required, CVE IDs can be assigned based on commits in conjunction
with non-public bug reports; this potentially addresses all of the
cases except for SOGo #3670, which is apparently not yet public at
all.

Also, your message didn't mention whether you are making the CVE
request on behalf of the Inverse team, or whether you are noting
issues that are security-related from your own perspective.

Going through the list of public issues:

SOGo #3510 - is the ultimate case of the entire issue summarized by
"copies the attachment (into memcached?) and then eliminates the copy
in the sogod. The memcached copy stays forever/until the SOGo service
is restarted"? Or is there a second implementation error? It seems
that part of the issue, but not all of it, is a feature request (SOGo
#3135) suggesting that SOGo should have size limits because
configuring limits at the level of the web server and SMTP server
disrupts the user experience.

SOGo #3695 is listed twice but the second one has 3696 in the URL. We
are guessing that the second "SOGo #3695" is just a "SOGo #3696" typo.
More importantly, are there two distinct code problems? Or is it a
single code problem that is reachable with different attack vectors?

SOGo #3718 has two identical
"Issue: https://sogo.nu/bugs/view.php?id=3718" lines. Was one of them
supposed to be a different URL?

SOGo #2598 - we are able to assign CVE-2014 IDs. Does "SOGo #2598:
Script injection in calendar title ... Reporter: Jens Erat" mean that
your own discovery was only about the calendar title, and that
additional attack vectors ("contacts module" and "CSS dialogs") were
follow-on discoveries by the Inverse team?

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXYL+JAAoJEHb/MwWLVhi2PTsP/iNm7/+Zm9i08VM/T8HlRltR
F38rhWFOg9tZ+zQcATWAYINlsTOGBAUpF7N/J2zVnxiY1ZyRTPl5KApqi0aN9d+H
hlUMXl0mxxjxWLFEbOfkgZhiqKr+sE1S2KQ9aBaXV86DF1BEBVE0NiMzkgp+vipj
s13AIn8CtcZbHpKYOwgfYqHdOEX0vgs8ap/WQL/JXYNKk0KXbF33DFXFui3vn3n4
BkRDfb6MO1+DdA1yePtaTArY16RncvRwpWnbYhTT62nIQdQVUZ2digeGgD+Ob7/N
ZNLt+MhfKXVFe5GuSl7J7mW4G22FSsAlvTUbt56g1ZUcz8HnrMP6IKxQPmELRYs+
MZUiuoyHvsD274VjlCDLdn95vF7kLBIkTRDGLy4RNrDbvrZ/Yj0cG/qt5IK3AUL3
fA29LlViMzjdUwH73IgC/Elt6+m4xJeECn/vBo5tjXzWv/Cg938oWZarXGm9w0XC
100oSk9lbNT8dmWq04m90C0lg6h5c24v05vjlBmqnXQZbroBo0GN6ac6Z1quyAhS
ncvbH0H4s4H9NIADedI8q1gzYTObgE3sa6AZTBt4xTzC3S3XuXZTupga6NCaXGJ1
IlL51OwN4mLez1AmWe12iIFrAPDmCfwPA+QUQMyXsL+TT6WCo4oaCn7jOV4+Uieq
tZ6r8wbwS5WPFqI+2lHU
=EtEt
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ