Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 25 Nov 2012 18:13:49 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Forest Monsen <forest.monsen@...il.com>, daniel@...nsecurityfoundation.org
Subject: Re: CVE Request for Drupal Contributed Modules

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks to daniel@...nsecurityfoundation.org who caught a pretty
significant error I made (I typo'ed 154->155 and forgot to assign for
154).

On 11/20/2012 01:35 PM, Kurt Seifried wrote:
> On 11/17/2012 10:29 PM, Forest Monsen wrote:
>> Hello!
> 
>> Here's a batch CVE request for a number of previously published 
>> and resolved issues with contributed modules for the Drupal 
>> project. As noted in 
>> http://www.openwall.com/lists/oss-security/2012/11/05/4, I have 
>> volunteered to coordinate our CVE requests.
> 
>> Forest Monsen, on behalf of the Drupal Security Team
> 
> Please see bottom of email for CVEs

Ahh I made an error, simplest way to clean this up seems to be reject
the one and properly assign for 154 which I forgot to do.


>> - SA-CONTRIB-2012-154 - Basic webmail - Cross Site Scripting 
>> http://drupal.org/node/1808852
> 
>> - SA-CONTRIB-2012-154 - Basic webmail - Information Disclosure 
>> http://drupal.org/node/1808852
> 
>> - SA-CONTRIB-2012-155 - ShareThis - Cross Site Scripting (XSS) 
>> http://drupal.org/node/1808856

> Please use the following:
> 
> CVE-2012-5545 Drupal SA-CONTRIB-2012-155 XSS CVE-2012-5546 Drupal
> SA-CONTRIB-2012-155 Information Disclosure

Please REJECT CVE-2012-5546. The one assigned for CVE-2012-5545 is fine.

For 154:

SA-CONTRIB-2012-154 - XSS please use
SA-CONTRIB-2012-154 - Information disclosure please use

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQssJNAAoJEBYNRVNeJnmTbv4P/1I9wlpp4Om9TLUq9HjcyUbJ
2BozganGckQQAtwFxearF6Dlbk+LCcS8n4p/heFeTACG89CevlAHhP3h57vAVp1S
5vmCdoiwxIE4lv3Dn24iX0UxcQGnUU6WY9n6BZqhcWH2NWFbRMPyF/Ce0LwIgfYy
Dt+0NCh+fRn2Czlpnmo84zzVu3TN51mRNGzEFPDhL2ZdMwP3Krt4PjUi23aEOKgj
bKblX0p5rKn8Ey8LfoddTOmsSZ7n/6oh5+4qAH11YfuIFGQFDDCcRELuu3R/vw+P
NPBZjNSTZyo6MnF82mYncKq3qBDpxRxH0hYsRnp+5sA8qGi1nq1GSDhuua02h9VL
Nd/wulZf4R8fNRyug4BZz89MKq00A6D9W45gO+wQPM6piWu0sNn6bXQn58CxMohm
82AghIvc4rKltGBHdqlTz+agtf2G7vKupjZPsXUfO75t6dHYFtWQX4RRhxXTAzxy
oIjznaUeC9WqFpXeUAcznlRzJPoz9+VhxUd3LZiDPWBRXLy0kQ8R3AKWjv4WeP2E
zokvqf0gFq0VsMBVRTWLDo+EKNhYsTIU6+JPe/zpt2pbdzzOjY2EhfQQ26jM93xB
708aPXq2YSQQ9bdSsekB1kjzYqCJBkh0Z2bdwN1HrDlH2BH7zx/piENEr/dptksz
HPy0SSjeDis8mTwnA9ec
=s48E
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.