Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 27 Jun 2012 13:36:45 -0400 (EDT)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: Kurt Seifried <kseifried@...hat.com>
cc: Henri Salo <henri@...v.fi>, oss-security@...ts.openwall.com,
        Greg Knaddison <greg.knaddison@...uia.com>,
        "Steven M. Christey" <coley@...-smtp.mitre.org>
Subject: Re: CVE Request for Drupal contributed modules


All,

I have several clarifications and corrections to this latest Drupal 
request and CVE response, on top of the dupes already listed.  The most 
important notes are listed first.

(Greg and Kurt, the number of duplicates and unassigned CVEs in this batch 
is understandable due to various factors such as amount and assignments 
from mutiple sources, but it's disconcerting.  Maybe we should talk 
off-list and figure out how to minimize these problems in the future.)

>CVE-2012-2709 SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting

This is a duplicate that might look like a typo at first.

Around May 21, MITRE originally published CVE-2012-2907 (NOTE THE 
DIFFERENT NUMBER STARTING WITH "29" INSTEAD OF "27").

CVE-2012-2907 is in more active use, so keep CVE-2012-2907.

We will REJECT CVE-2012-2709.

(Kurt, CVE-2012-2709 belongs to you.  If you actually intended to list the 
already-published CVE-2012-2907 and made a typo to CVE-2012-2709, please 
make sure you've removed CVE-2012-2709 from your pool.)


> CVE-2012-2713 SA-CONTRIB-2012-085 - BrowserID - Multiple
>     Vulnerabilities - CSRF
> CVE-2012-2714 SA-CONTRIB-2012-085 - BrowserID - Multiple
>     Vulnerabilities - BrowserID login theft

The description in SA-CONTRIB-2012-085 is not clear, but it seems that
CVE-2012-2714 might be the natural consequence of exploiting the CSRF.
The title "multiple vulnerabilities" does not help.  Any thoughts on
this one?



>CVE-2012-2727 SA-CONTRIB-2012-098 - Janrain Capture - Open Redirect

SA-CONTRIB-2012-098 mentioned a second separate issue for "An
additional security weakness occurs when the module creates a new
local user account."

CVE-2012-2727 - open redirect

(new) CVE-2012-3798 - disclosure of portions of passwords


> CVE-2012-2723 SA-CONTRIB-2012-094

A close reading of SA-CONTRIB-2012-094 suggests that there should be
two CVEs.  Part of the advisory does seem to imply that the XSS is
resultant from the CSRF; but it also says "This vulnerability is
mitigated by the fact that an attacker must have a role with the
maestro admin permissions," which implies that users with maestro
admin permissions should not be allowed to conduct XSS attacks
themselves.  This could probably be argued either way.

CVE-2012-2723 - XSS

(new) CVE-2012-3799 - CSRF


> CVE-2012-2721 SA-CONTRIB-2012-092 - Organic Groups - Cross Site
> Scripting (XSS) and Access Bypass

This is 2 types of issues, thus needs 2 CVEs.

CVE-2012-2721 - Access Bypass

(new) CVE-2012-3800 - XSS

> CVE-2012-2706 SA-CONTRIB-2012-079 - Post Affiliate Pro - Cross Site
> Scripting (XSS) and Access Bypass - Unsupported

Two vuln types, two CVEs needed.

CVE-2012-2706 - XSS
(new) CVE-2012-3802 - unspecified read of commisions


- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.