Date: Tue, 28 Feb 2012 15:34:59 -0700
From: Kurt Seifried <>
Subject: Re: Re: CVE Status Clarification / Request -- kadu:
 Stored XSS by parsing contact's status and sms messages in history

On 02/28/2012 03:33 PM, Kurt Seifried wrote:
> On 02/28/2012 09:32 AM, wrote:
>>> Any javascript code could be executed from Kadu History Window
>>> in following conditions:
>> CVE-2012-1410 is assigned to this Kadu issue.
>> We are confused about
>> This is a bug report about this Kadu vulnerability, but it has a
>> CVE assignment of CVE-2006-7248 for a vulnerability in the 
>> SMIME_read_PKCS7 function in OpenSSL 0.9.7i. Our perspective is
>> that this means CVE-2006-7248 has been assigned to multiple issues
>> (the Kadu issue and the OpenSSL issue), so we'll now proceed to
>> REJECT CVE-2006-7248 sometime later today unless there's a
>> substantial objection.
> Please use CVE-2006-7249 for the kadu XSS vulnerability. Sorry about
> the mess.

Oh fer Pete's sake, I apologize, read 2006 repeatedly and of course cut
and paste the wrong one AGAIN. Ok for real this time: please use
CVE-2012-1092 for the kadu XSS issue.

Kurt Seifried Red Hat Security Response Team (SRT)
