[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 21 May 2009 17:52:23 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: moin
On Wed, 6 May 2009, Steffen Joeris wrote:
> This upstream commit[0] is slightly different then the issues described in
> CVE-2009-1482 and I think it deserves another CVE id to separate the XSS
> issues. The debian bug[1] can also be used as a reference.
> Steve, what do you think?
This is a different vector that isn't directly covered by that CVE, and
may not have been fixed entirely when CVE-2009-1482 was fixed, so a new
CVE can be considered.
However, we generally avoid including "defense-in-depth" fixes unless they
can be demonstrated to be exploitable - or, if a vendor plans to release
an advisory "just to be safe."
The changeset says "maybe not XSS exploitable though" so I'm not sure
whether a CVE's needed yet.
- Steve
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
