Date: Mon, 25 Jul 2011 13:47:47 +0200
From: Moritz Mühlenhoff <jmm@...til.org>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: Squirrelmail CVE duplicates


On Mon, Jul 25, 2011 at 01:29:04PM +0200, Jan Lieskovsky wrote:
> Hi Moritz,
> 
>   thank you for checking this.
> 
> On 07/24/2011 06:17 PM, Moritz Muehlenhoff wrote:
> >Hi,
> >there seems to be a duplicate CVE assignment for Squirrelmail?
> >
> >CVE-2010-4555 / CVE-2011-2753
> 
> If I got it right, the CVE-2010-4555 ID has been assigned to the XSS
> flaws:
> 
> Multiple cross-site scripting (XSS) flaws were found in the SquirrelMail
> webmail client:
> * XSS flaws in generic options inputs,
> * XSS flaw in the SquirrelSpell plug-in,
> * XSS flaw in the Index Order page.
> 
> [1]
> https://bugzilla.redhat.com/show_bug.cgi?id=720694#c0
> 
> while the CVE-2011-2753 ID has been assigned to the CSRF protection add-ons:
> 
> Also protection against Cross-site Request Forgery (CSRF) flaws has
> been added to the empty trash feature and to the Index Order page.
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=720694#c0
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=722832#c0

That makes sense, thanks.

Cheers,
        Moritz
