Date: Thu, 13 Sep 2012 14:39:05 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Yves-Alexis Perez <corsac@...ian.org>, security@...dpress.org
Subject: Re: CVEs for wordpress 3.4.2 release

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/13/2012 02:29 PM, Yves-Alexis Perez wrote:
> On mer., 2012-09-12 at 13:38 +0300, Hanno Boeck wrote:
>> I can't find CVEs assigned for the issues fixed in wordpress 3.4.2.
>>
>> http://wordpress.org/news/2012/09/wordpress-3-4-2/
>>
>> Sadly, the information is quite limited: "Version 3.4.2 also fixes a few
>> security issues and contains some security hardening. The vulnerabilities
>> included potential privilege escalation and a bug that affects multisite
>> installs with untrusted users. These issues were discovered and fixed by
>> the WordPress security team."
>>
>> I suggest assigning two:
>> 1. potential privilege escalation
>> 2. problem with untrusted users on multisite installations
>> unless someone has more information.
>
> It's always pretty annoying to try to fix CVEs in wordpress releases, since
> they are usually allocated just on some release announcement, and thus
> identifying specific commits is pretty hard. It'd be nice if the Wordpress
> security team could be in the loop from the beginning; it might help a bit
> later (so adding them to CC: now).
>
> Regards,

They are of course welcome to ask for CVEs on distros@, just be aware of the two week limitation (so ask as you get closer to a release).

http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

How to make a semi-private request:

If you have a semi-private issue (you want to notify vendors, but not the entire world, giving time for it to be fixed) the easiest way to do this is to email the distros@...openwall.org list (http://oss-security.openwall.org/wiki/mailing-lists/distros). Please note that one of the list requirements is that issues be embargoed (kept private) for 2 weeks at most (e.g. 14 to 16 days depending on when during the week the email was sent). DO NOT SEND A REQUEST TO THIS LIST IF YOU NEED MORE THAN 2 WEEKS TO ADDRESS AND RELEASE THE ISSUE.

The distros@ list is a private list consisting of security teams for Linux and BSD distributions. No archives of this list exist publicly at this time, although a time delayed archive may be created at some point (delayed at least 14-16 days so embargoed issues don't appear in the archives). The advantage of this list is that it allows you to easily co-ordinate a public release with the projects most likely to ship your software (e.g. Linux and BSD vendors).

Timeline: I generally respond to these within one business day; this means you'll either get a CVE or a request for more information if the request is not properly formatted or is unclear/missing details/etc.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQUkRpAAoJEBYNRVNeJnmTk4gP/i7WlNhTKrnWbtVvIvfkKDN4
C/dwq1HyZ6b97+tMqxiaRlVy8r9vIy806Z9T4qL75stAFkN333aiLibP51iwJxo3
83LikqCFQ0yKlDHgzeP864JLUZYxwVWTIZTEsgiFOeoS5g28GV5XmT84Ub5eeCOU
T8Y11PPw3y8qY7ZZs7UKSXhIgRvAQYhzsxiJnjN4gT7FBsHtpHhmnueLM076O/4g
bQSGjQrcc4lSjGeMrsDkyCT1/ZoReg/ksLYg4g92zexhKM/RK1fVqtG3RO2sYsY5
QlFa28MsiSFtRpjJM0C6FBlEm6IIhpvzpMg0AvxNbKjZthNXSju6DPQRuk+otRLS
M7auI+v6H+oX3LhV3QN+uPzZmS/wtaCGvTZ6HQxQdM6Ak0Tel53lhNOZakT05dJJ
7WzilbF4niR7DZoxl4llXp4YTr+iHNyvII1G+3KEB4Fp2AVjcRHICZ2ylBPM2Vsl
DQ3j7A3z0tA3RBu4z1Nwv3NMgH1vRns2IpMlTKPTzSZvZLtt6XBHpvGYotqltgDA
byNjTjtiv7yftZcoABysuzxiK4jHowFlIM9gjkbPutQ2/dsrySSl+rQPO4N0PNGz
XsvdUnzERCwXmtnhWQ2hIsoc5Ak5cMrzMCrO0cP3G8SGVlNcMdRD6r3/VEGq3UNR
al+A64Gk9hYZtq9uQK3M
=DOt0
-----END PGP SIGNATURE-----