Date: Fri, 15 Jul 2016 07:54:41 -0400 (EDT)
From: cve-assign@...re.org
To: dblack@...assian.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for the Play Framework

> In version 2.5.0 of the Play Framework a CSRF bypass that depends upon
> an implementation bug in Chrome's beacon API was fixed.

We think additional information would help in deciding whether this is commonly recognized as a Play Framework vulnerability (which would have a CVE ID) or Play Framework security hardening (which would not have a CVE ID). Our understanding thus far is:

- Play Framework is not an Atlassian product.

- https://github.com/playframework/playframework/pull/5527#discussion-diff-51786858 says "In order to make Play's CSRF filter more resilient to browser plugin vulnerabilities and new extensions, the default configuration for the CSRF filter has been made far more conservative."

- Chromium issue 490015 has some debate about whether it is a Chrome/Chromium vulnerability, e.g., "The issue is whether it's the browser responsibility to act as a nanny to weak websites, or we should leave weak websites as sacrifice for great justice." versus "To be clear, this is a security bug ... There is a security bug in Chrome, but no action is being done."

Typically, it would be best not to have a CVE for Play Framework if the essence of the Play Framework problem is "the product did not proactively add workarounds for all browser-level vulnerabilities that might be discovered later."

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]