Date: Wed, 03 Oct 2012 23:39:40 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Joshua Brauer <joshua@...uerranch.com> Subject: Re: CVE Request for Drupal Contributed Modules -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/03/2012 10:23 PM, Joshua Brauer wrote: > Thanks these have been posted and I'll have more catching up > tomorrow. > > Just to verify the process CVE-2012-4472 SA-CONTRIB-2012-108 is for > multiple vulnerabilities which Drupal issued one advisory about. In > the past I think these got separate CVE's and we have in our > process to report it once for each vulnerability. Which leads to > the questions: 1) Should it have multiple CVE's? 2) Should we be > reporting these separately or all on one? Sorry I was reading the titles of the advisories, usually they say "multiple issues" when there are multiple issues, "SA-CONTRIB-2012-108 - - Drag & Drop Gallery - Arbitrary PHP code execution". Oops. > Thanks, Josh >>>> Thanks, Josh - on behalf of the Drupal security team. > > Perfect, this is easy =). > > Please use the following CVEs: > > CVE-2012-4468 SA-CONTRIB-2012-104 CVE-2012-4469 > SA-CONTRIB-2012-105 CVE-2012-4470 SA-CONTRIB-2012-106 CVE-2012-4471 > SA-CONTRIB-2012-107 CVE-2012-4472 SA-CONTRIB-2012-108 CVE-2012-4473 > SA-CONTRIB-2012-109 CVE-2012-4474 SA-CONTRIB-2012-110 CVE-2012-4475 > SA-CONTRIB-2012-111 Ok so a clarification on CVE-2012-4472 SA-CONTRIB-2012-108 and some additional CVEs: SA-CONTRIB-2012-108 - Drag & Drop Gallery - Cross Site Scripting Please use CVE-2012-4476 for this issue. SA-CONTRIB-2012-108 - Drag & Drop Gallery - Access bypass Please use CVE-2012-4477 for this issue. SA-CONTRIB-2012-108 - Drag & Drop Gallery - Cross Site Request Forgery Please use CVE-2012-4478 for this issue. SA-CONTRIB-2012-108 - Drag & Drop Gallery - SQL Injection Please use CVE-2012-4479 for this issue. SA-CONTRIB-2012-108 - Drag & Drop Gallery - Arbitrary PHP code execution Please continue to use CVE-2012-4472 (it's the most serious one and listed in the title of the web page currently). - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQbSEcAAoJEBYNRVNeJnmTzGEP/RsG5IUUr9moP/p7qC3NJmw1 0p1khI8zXxmlZtUNU6suh4LRBPSOYcA2SGMC7xsTuDGV1tbJkN7Rr5t+SYeJ6qQP KNrf6XYPP3HZsQJvkE8Hg/X7W62W9Vjc+4OOny2LYIMIM+i8GqS2W56YGodvbQQv wOtIcLdq0jwG8yOmKDhtNxJeyY1v89Ln5cjoqB6oPgb/EOq5EnAvHyLGiXppZ45H PV3xWiMvondje/zo1VP9ARmS/fPdXM66hRxlkgbaWhgIGKgEvUUFSQfiTxjfxbBv SQc45bFx9AU08thaVEWKSqLgBKnLAa5yBVADaP4CwMf+X8Yrw8v62ZuzKS3Bro/N phDZW9eGyLF+hHhlS1vor8cqBS+EF3VOYpMRx5Zf3bV0QycKhKYuvijN8B5sSX2z zRwm8Z0k1Rc3Mya2nlaO4Rrt1wIvAEEBjUOj04UdG8eiwmEuUi2jWKoGaaIGYGSp QFUqUzTPM4pf/PYf8QGYev7KBJDZt66LkRe/1B+l5qYo8qtXaEWS/oyf3zCQKS9t 39xkP3sNbO0QVCajnKgwZSOuE2v4hmoKnaxevdsMhozsFCllfIy3bt5pcXwHXPzY 0jX7441KtJ3FjSRmrjSoXljBvsv+bn6b6V9pLTi4AjZe0gpf0DR71IJw7WTOcWc8 Un86Mt7mCTh2VPCziQm5 =avGB -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.