Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 17 Jan 2013 10:50:49 -0500 (EST)
From: Jan Lieskovsky <>
Cc: "Steven M. Christey" <>,
        Forest Monsen <>,
        Drupal Security Team <>,
        Mitre CVE assign department <>
Subject: CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63 issue and two
 Drupal modules issues)

Hello Kurt, Steve, Forest, Drupal Security Team, vendors,

  @Forest: Apologize for requesting CVE ids instead of you,
but I will explain the reasons below shortly.

  Drupal upstream has released Drupal 6.28 and Drupal 7.19 versions,
correcting multiple security flaws:
* Issue #1 - Cross-site scripting (Various core and contributed modules - Drupal 6 and 7)
* Issue #2 - Access bypass (Book module printer friendly version - Drupal 6 and 7)
* Issue #3 - Access bypass (Image module - Drupal 7)

While the issue #1 affects also version of jquery.js JQuery JavaScript library,
as shipped within Drupal, the original XSS JQuery upstream report is here:

with mention about the fix in JQuery 1.6.3 version here:

After further look the same issue needs to be fixed also in drupal7-jquery_update:

and python-tw-jquery packages: 

Also python-tw2-jquery package:

seems to ship various embedded versions of the jquery.js library implementation.
Since there might be more of the components / packages, shipping the vulnerable
JQuery version the first CVE identifier should be allocated to the original
JQuery issue.

@Drupal security team - could you clarify if to fix the first issue,
there was yet some other Drupal specific patch / change (besides the
JQuery library update), which would require yet another (fourth) CVE
id to be allocated?

@Mitre CVE assign department team, could you clarify, if you have already
assigned CVE identifiers for these issue and if so, for which source code
base it was?

If Drupal upstream just updated JQuery version to not-vulnerable 1.6.3 [B], [C]
within Drupal core, then three ids are sufficient (one for JQuery, one for
Drupal Book module issue, one for Drupal Image module issue).

On the other hand, if there was yet some Drupal specific patch (besides JQuery
update) needed to fix #1 issue - four CVE identifiers should be allocated
(after my understanding).

Could you allocate them / if allocated already, let us know the particular
ids and which source code they were allocated for?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.