Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 03 Jan 2012 14:21:08 -0700
From: Kurt Seifried <kseifrie@...hat.com>
To: oss-security@...ts.openwall.com
CC: Moritz Mühlenhoff <jmm@...til.org>,
        Craig Barratt <cbarratt@...rs.sourceforge.net>, cve-assign@...re.org,
        security@...ntu.com
Subject: Re: CVE Request: Security issue in backuppc

On 01/03/2012 12:55 PM, Moritz Mühlenhoff wrote:
> On Thu, Oct 27, 2011 at 04:00:48PM -0500, Jamie Strandboge wrote:
>> Hi Craig,
>>
>> While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered
>> another XSS vulnerability in View.pm when accessing the following URLs
>> in backuppc:
>> index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
>> index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>
>>
>> You are being emailed as the upstream contact. Please keep
>> oss-security@...ts.openwall.com[1] CC'd for any updates on this issue.
>>
>> To oss-security, can I have a CVE for this? It is essentially the same
>> vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead
>> of CGI/Browse.pm. Attached is a patch to fix this issue. Tested on
>> 3.0.0, 3.1.0, 3.2.0 and 3.2.1.
> *ping*
>
> This hasn't ended up in a CVE assignment.
>
> Cheers,
>         Moritz
I believe as per ADT4 these issues should be merged into the existing
CVE-2011-3361:

ADT4:

At this stage, X and Y are the same bug type, affect the same versions,
and affect the same products.

Do X and Y have any of the following characteristics?

    X appears in a different DLL, library, or program than Y (e.g. X
affects LIB1.DLL and Y affects LIB2.DLL)
    X has more serious impact than Y (e.g. code execution as root versus
leak of system pathname)
    X takes a different input parameter/argument than Y (e.g. SQL
injection in both the "user" and "password" parameters)
    X is exploitable locally, but Y is not.
    X requires stronger authentication than Y.
    X can be exploited by a certain user that Y can not (e.g. a guest
user vs. an admin)

   

    Yes: MERGE them. These characteristics are irrelevant for CVE.

-- 

-- Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.